CALIFORNIA CONSUMER PRIVACY ACT POLICY
Effective/Last Updated: October 1, 2024
Heritage Commerce Corp. (“HCC”, “we”, “our”, or “us”) and all applicable subsidiaries comply with all requirements of the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020 (collectively the “CCPA”).
Your Right to Know About Personal Information Collected
Under the CCPA a consumer (which means a California resident) has the right to know what personal information the business has collected about them, including the categories of personal information, the categories of sources from which the personal information was collected, the business or commercial purpose for collecting, selling or sharing the personal information, the categories of third parties to whom the business discloses personal information and the specific pieces of personal information the business has collected. Thus, you may request that we disclose what personal information we collect, use, and disclose about you (a “Request to Know” or “RTK”).
If you wish to submit a verifiable RTK to HCC, you should do one of the following: call 1 (800) 742-8142, send an e-mail to CCPAHCC@herbank.com, or submit a request here: Information Requests. When you submit an RTK, HCC will verify your identity. To verify your identity, we will ask you for your name, address, and other pieces of information pertinent to your request that we can use to match with the information we have on file. The amount and type of information we request may vary depending on the sensitivity of personal information covered by the request.
Collection of Personal Information (“PI”)
Below is a list of categories of PI and categories of sensitive PI we have collected about consumers in the preceding 12 months. We have also provided the categories of sources from which we collected the personal information, and the business or commercial purpose for collecting the information.
Categories of PI We Collect
- Identity Data, such as name and government-issued identifier (e.g., First Name, Maiden Name, Last Name, username or similar identifier, or date of birth);
- Personal Data, as defined in the California safeguards law (California Civil Code Section 1798.80(e)), such as contact information and financial information (e.g., postal address, email address and telephone numbers);
- Characteristic Data means information related to characteristics protected under California or federal law, such as gender or marital status;
- Biometric Data means information related to an individual’s physiological, biological or behavioral characteristics, such as an image of a person’s fingerprint or voice recording;
- Financial Data, including bank account and payment card details (e.g., debit card numbers, deposit account numbers, or loan numbers);
- Transaction Data means information and records regarding transactions completed using products or services consumers have obtained from us, including details about payments to and from your bank accounts with us or other details of products and services you have purchased from us.
- Usage Data means information regarding a consumer’s activity on the internet or another electronic network, including information about how you use our website, or other online products and services.
- Geolocation Data means information derived from a device that can be used or is intended to be used to locate a user or individual, such as device location or an Internet Protocol (IP) location;
- Sensory Data includes information obtained from audio, electronic, visual and similar recording devices, such as call and video recordings;
- Employment-Related Data is information related to an individual’s professional experiences or other employment-related information, such as work history and experience with prior employer.
- Education Data is information related to an individual’s education history, such as student records and directory information.
Categories of Sensitive PI We Collect
- Identification Numbers means any information that reveals an individual’s social security number, driver’s license number, state identification card number, or passport number.
- Financial Account Credentials means any information that reveals an individual’s account log-in number, financial account number (such as a loan number or deposit account number), debit card number, or credit card number in combination with any required security or access code, password, or credentials which would allow someone to gain access to their account.
- Background Information is any information that reveals an individual’s racial or ethnic origin or immigration or citizenship status.
- Personal Messages are the contents of an individual's mail, email and text messages, where HCC is not the intended recipient of the communication.
- Health Information is any personal information collected and analyzed concerning an individual’s health.
- Processed Biometric Data is any Biometric Data on which the Bank performs an operation, set of operations or other procedure, whether or not by automated means, for the purpose of uniquely identifying an individual.
- Precise Geolocation Data is any data that is derived from a device and that is used or intended to be used to locate an individual within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.
Categories of Sources from Which We Collect the PI
- Directly from a California resident or the individual’s authorized representatives;
- Service Providers, consumer data resellers and other third parties;
- Public Record Sources (Federal, State or Local Government Sources);
- Information from our Affiliates;
- From our website, services, and social media;
- Information from business entities that we transact with who may provide information regarding individuals associated with them, such as an employee, officer, or board member.
Our Business or Commercial Purpose for Collecting the PI
- Performing services, including providing customer service, processing or fulfilling orders and transactions, verifying customer information, providing advertising or marketing services (except we will never use any of the categories of sensitive personal information for marketing or advertising), providing analytic services, or providing similar services;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
- Activities to verify or maintain the quality or safety of a service controlled by us, and to improve, upgrade, or enhance the service controlled by the business;
- Debugging to identify and repair errors that impair the existing intended functionality of our products and services.
- Undertaking internal research for technological development and demonstration (except we will never use any of the categories of sensitive personal information for general research and development purposes);
- Complying with laws and regulations and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions).
- To carry out our responsibilities as an employer, such as processing job applications, administering benefits and managing pay and compensation.
Sale or Sharing of Personal Information
We have not sold or shared any personal information about consumers in the preceding 12 months.
We DO NOT have actual knowledge that we sell or share the personal information of minors under 16 years of age.
Disclosure of Personal Information for Business Purposes
We have disclosed personal information about consumers to third parties for a business or commercial purpose in the preceding 12 months. Below is a list of the categories of personal information we have disclosed to third parties in the preceding 12 months for a business or commercial purpose. For each category identified we have also disclosed the category of third party to whom the PI was disclosed.
Categories of PI Disclosed to Third Parties, and Categories of Third Parties With Whom the PI Was Disclosed
Identity Data
- Affiliates of HCC (“Affiliates”);
- Vendors and other service providers who provide services to HCC, such as those that provide website hosting, data analysis, information technology and related infrastructure, customer service, email delivery, auditing, marketing and marketing research services (collectively “Service Providers”);
- Partners and third parties who provide consulting services to HCC on topics including but not limited to payment, banking and communication infrastructure, storage, legal expertise, tax expertise, notaries and auditors (collectively “Consultants”);
- Government Agencies as required by laws and regulations;
- Credit Reporting Agencies.
Personal Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Characteristic Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Transaction Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Financial Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Usage Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Geolocation Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Biometric Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Sensory Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Employment-Related Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Education Data
- Affiliates;
- Service Providers;
- Consultants;
- Government Agencies;
- Credit Reporting Agencies.
Personal Messages
- Service Providers;
- Government Agencies.
Business Purposes
We have disclosed personal information to third parties for the following business or commercial purposes:
- Auditing of HCC records for compliance with state and federal regulations;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
- Performing services on behalf of HCC, including providing customer service, verifying customer information, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider; and
- Undertaking internal research for technological development and demonstration.
USE OF SENSITIVE PERSONAL INFORMATION
We have not used or disclosed any of the categories of sensitive PI for purposes other than those specified as permissible uses as set forth in the CCPA and the implementing regulations adopted by the California Privacy Protection Agency (including how the CCPA and its regulations may be amended from time to time) that do not trigger a consumer’s right to limit use.
RIGHTS UNDER THE CCPA
Right to Request Deletion or Corrections of Personal Information
You have the right to request the deletion of any personal information about you which we have collected or maintained, subject to certain exceptions. You also have the right to request that we correct inaccurate personal information we may maintain about you.
If you wish to submit a request to delete or request to correct the personal information we collected or maintain about you, you may call us at 1 (800) 742-8142, e-mail us at CCPAHCC@herbank.com, or submit a request here: Information Requests.
In order to respond to a request to delete or request to correct we will need to verify your identity. HCC may contact you to confirm your identity and comply with your request. To verify your identity, we will ask you for your name, address, and other pieces of information pertinent to your request that we can use to match with the information we have on file. The amount and type of information we request may vary depending on the sensitivity of personal information covered by the request. We will endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
Right to Opt-Out of the Sale or Sharing of Personal Information
You have the right to opt out of the sale or sharing of your personal information, if a business sells or shares your personal information.
HCC does not sell or share your personal information.
Right to Non-Discrimination for the Exercise of Your Privacy Rights
You have a right not to receive discriminatory treatment by us for the exercise of any privacy rights conferred by the CCPA, including an employee’s, applicant’s or independent contractor’s right not to be retaliated against for the exercise of their rights under the CCPA.
Right to Limit Use of Sensitive Personal Information
You have the right to limit the use or disclosure of your sensitive personal information if a business uses or discloses your sensitive personal information for certain reasons not expressly permitted by the CCPA or its implementing regulations.
Opt Out Preference Signals
We do not sell or share personal information, so the receipt of an opt-out preference signal will not impact how we collect, use or disclose your personal information.
Authorized Agent
You may designate an authorized agent to make a request under the CCPA on your behalf by providing the agent written permission to make the request and sending that written authorization to: Heritage Commerce Corp Attn: CCPA HCC, 224 Airport Parkway, San Jose, CA 95110. We will verify your identity with the authorized agent.
Contact for More Information
For more information, please call us at 1 (800) 742-8142, e-mail us at CCPAHCC@herbank.com, or submit a request here: Information Requests.