Your Rights Under the
California Consumer Privacy Act of 2018

Notice of Collection of Personal Information.
This Notice is being provided under the California Consumer Privacy Act of 2018 (the “CCPA”). It is provided in addition to the privacy policy notice provided under federal law. Please see the ECG Privacy Policy, a link to which is provided on the ECG Homepage.

Expansion Capital Group (“ECG”, “Us” or “We”) collects certain non-public personal information about individuals in connection with providing the financial services applied for by the business entities with whom those individuals are associated. The categories of the information that We collect, together with the business purpose for which they will be used, are as follows:

1. Identifiers, such as your real name, your postal address, your Internet Protocol address, email address, social security number, driver’s license number or similar identifiers. Identifiers are used for the following business purposes:

a. To complete the transaction for which you applied;
b. To detect against identity theft, fraud or other illegal activity, and to prosecute those responsible for such activity;
c. To identify and repair errors that impair intended functionality in ECG systems;
d. To exercise a right provided by law;
e. To comply with the California Electronic Communications Privacy Act;
f. To engage in public or peer-reviewed statistical research;
g. To enable solely internal uses related to the financial services that ECG provides;
h. To comply with the legal and regulatory obligations of ECG;
i. To use your information, internally, in a lawful manner compatible with the context in which you provided the information;
j. To refer your request for financial services to a referral partner of ECG that may be able to provide the desired services when ECG cannot;
k. To develop analytical models, both internally and using third-party service providers, to improve ECG’s underwriting, fraud prevention, retention, sales or marketing practices;
l. To pursue legal remedies on defaulted financing agreements;
m. To comply with internal and regulatory customer identification requirements aimed, among other things, at the prevention of identity theft, terrorism, money laundering, and other criminal activities;
n. To remain in contact with you throughout the term of any financial services agreement that you may enter with ECG or a referral partner of ECG;
o. To offer additional financial services to you;
p. To assess the market for financial services and initiate marketing of those services to you and/or others;
q. To comply with requirements of internal and external audits of ECG;
r. To enable collection efforts by third parties on behalf of ECG on defaulted financing agreements;
s. To engage representation in legal matters, including litigation, bankruptcy proceedings and other matters related to the financial services offered by ECG;
t. To update information in the records of ECG and its referral partners;
u. To allow vendors to provide additional related customer data or analysis;
v. To allow funding partners of ECG to initiate the service of financing transactions should ECG be unable to do so;
w. To allow funding partners of ECG to assess portfolio performance; and
x. To assess the methods in which financial services are provided to the customers of ECG.

2. Geolocation data, such as your address and zip code . Geolocation data is used for the same purposes as those listed above for identifiers.

3. Categories of personal information described in subdivision (e) of Section 1798.80 of the California Civil Code, such as your social security number, telephone number or other financial information, medical information or insurance information. This type of personal information is used for the same purposes as those listed above for identifiers.

4. Professional or employment-related information, such as the name of the business on behalf of which you have applied for financial services, your capacity in or for that business and your affiliation with a trade or professional association. Professional or employment-related information is used for the same purposes as those listed above for identifiers.

5. Characteristics of protected classifications under California or federal law which is contained on your driver’s license and in other background reports that ECG may receive. Characteristics of protected classifications are not used as such. The identified sources are used for the same purposes as those listed above for identifiers.

6. Audio, electronic, visual or similar information, such as information contained in recorded telephone conversations. Audio, electronic, visual or similar information is used for the same purposes as those listed above for identifiers.

7. Education information, such as the last grade that you completed. Education information is used for the same purposes as those listed above for identifiers.

8. Internet or other electronic network activity information, such as search history or interaction with Internet Websites, including ours. Internet or other electronic network activity information is used for the same purposes as those listed above for identifiers.

9. Inferences drawn from the information about you to create a profile about your preferences or behavior. Profiles based on inferences drawn from the information about you are used for the same purposes as those listed above for identifiers.

Certain Rights of California Residents.
If you are an individual who is in the State of California for other than a temporary or transitory purpose or an individual domiciled in California but outside the state for a temporary or transitory purpose, you have certain rights under the CCPA:

1. You have the right to request the types and specific non-public personal information of yours that ECG collects, discloses or sells. “Personal information” that ECG collects, discloses or sells includes the categories of information identified above under “Notice of Collection of Personal Information.” You have the right to request that ECG disclose certain information about the business use of the non-public personal information that ECG collects, including, (a) the categories of information that has been collected about you in the 12 months preceding your request, (b) the categories of sources from which such information has been collected, (c) the business purpose for collecting or selling such non-public personal information, (d) the categories of third parties with whom non-public personal information is shared or disclosed, (e) the specific pieces of personal information that ECG has collected about you in the 12 months preceding your request , (f) the categories of information disclosed or sold in the 12 months preceding your request, (g) the categories of information that has been sold to third parties in the 12 months preceding your request, and (h) the categories of third parties to whom information about you was sold to third parties in the 12 months preceding your request. You may exercise this right no more than twice in a 12-month period. You will not be charged for the exercise of this right.

2. To request the disclosure of information as provided above, call 833-837-5779, toll free, or email ccpa@ecg.com.
For purposes of your protection against identity theft, ECG must be able to verify that the person making the request is the person about whom the information has been collected or another authorized by such person to act on their behalf. This will be done in accordance with the procedures set forth below under “Verification of Requests”.

3. You have the right to request that the non-public personal information that ECG has collected about you be deleted.
To request the deletion of information, call 833-837-5779, toll free, or email ccpa@ecg.com.

ECG is not required to delete your information under certain circumstances, including, among others, if it is needed (a) to complete the transaction for which it was collected, (b) to detect security incidents or prevent illegal activity, (c) to comply with legal obligations or (d) to enable certain internal uses. See Section 1798.105 of the CCPA for more details. If a request for deletion is denied, in whole or in part, you will be notified of the basis for such denial.

For purposes of your protection against identity theft, ECG must be able to verify that the person making the request is the person about whom the information has been collected or another authorized by such person to act on their behalf. This will be done in accordance with the procedures set forth below under “Verification of Requests”

4. You have the right to direct ECG not to sell your non-public personal information to third parties (“opt out”).

To opt out of the sale of your non-public personal information (valid for 12 months after you have exercised this right) call 833-837-5779, toll free, email ccpa@ecg.com or click on the button below:

Do Not Sell My Personal Information

For purposes of your protection against identity theft, ECG must be able to verify that, if a person other than yourself is making the request, the person making the request is a person authorized by you to act on your behalf. This will be done in accordance with the procedures set forth below under “Verification of Requests”.
NOTE: If you exercise your right to opt out, ECG will not be able to refer your application to one of our referral partners for possible financing should ECG be unable to provide the financing requested.

Verification of Requests
For purposes of your protection against identity theft, ECG must be able to verify that the person making one of the requests identified above is the person about whom the information has been collected or another authorized by such person to act on their behalf.

1. If you make a request to know the non-public personal information of yours that ECG collects, discloses or sells, we will Confirm receipt of that request within 10 calendar days of its receipt. In that confirmation, we will describe the verification process and will identify those pieces of data that you must provide in order for us to match them to data already in our possession. If that request is to know specific pieces of information, you will also need to provide a signed declaration, under penalty of perjury, that you are the consumer whose personal information is the subject of the request. Once you have provided the required data and, as applicable, signed declaration, we will process your request. Normally, assuming that you are prompt in sending the required data in, you should receive a response from us within 45 calendar days of receipt of your request. If we are unable to verify your identity to the levels specified at law, you will be referred to our general business practices regarding the collection, maintenance, and sale of personal information. If we determine that disclosure of your personal information would create a substantial, articulable, and unreasonable risk to the security of that personal information, your account with us, or the security of our systems or networks, we will not provide specific pieces of personal information.

2. If you make a request to delete the non-public personal information of yours that ECG collects, discloses or sells, we will Confirm receipt of that request within 10 calendar days of its receipt. In that confirmation, we will describe the verification process and will identify those pieces of data that you must provide in order for us to match them to data already in our possession. Once you have provided the required data, we will process your request. We will comply with your request to delete by deleting that information from our existing systems, as provided by law, by de-identifying that information or by aggregating that information. Normally, assuming that you are prompt in sending the required verification data in, you should receive a response from us within 45 calendar days of receipt of your request. In that response we will specify the manner in which we have deleted your information. If we are unable to verify your identity to the levels specified at law, your request will be treated as a request to opt-out of sale of your non-public personal information. ECG is not required to delete your information under certain circumstances, including, among others, if it is needed (a) to complete the transaction for which it was collected, (b) to detect security incidents or prevent illegal activity, (c) to comply with legal obligations or (d) to enable certain internal uses. If a request for deletion is denied, in whole or in part, you will be notified of the basis for such denial.

3. If you use an authorized agent to submit a request to know or a request to delete, you will both be required to provide written permission for the person submitting the request to do so and be required to submit information verifying your own identity, as though you were making the request yourself.

Other Important Related Matters
You will not be discriminated against as a result of your exercise of any of the rights provided by the CCPA. See Section 1798.125 of the CCPA for more details.

ECG does not collect, maintain, disclose or sell the non-public personal information of minors under 16 years of age.

The rights provided to California consumers under the CCPA are in addition to those provided under federal law. Please see the ECG Privacy Policy, a link to which is provided on the ECG Homepage.