Exchange Bank Privacy Policy
This Privacy Policy explains how Exchange Bank collects, uses, shares, and protects your personal financial information. It applies to all Exchange Bank customers and visitors to exchangebank.co.com. Last Updated: April 3, 2026.
Exchange Bank collects personal and financial information to service your accounts, prevent fraud, and comply with federal law. We do not sell your personal information to third parties. You can opt out of marketing communications at any time by calling (800) 397-3962 or emailing privacy@exchangebank.co.com. California residents have additional rights under the CCPA. Account data is retained for 7 years post-closure in accordance with federal banking regulations. For general consumer financial privacy guidance, visit consumerfinance.gov.
1. Information We Collect
Exchange Bank collects several categories of personal information in the course of providing banking and financial services. We collect this information when you open an account, apply for a loan, use online or mobile banking, contact customer service, or visit our website.
Categories of information we collect include:
- Identifying information: Full legal name, date of birth, Social Security Number or Tax Identification Number, government-issued identification number, and mother's maiden name used for identity verification.
- Contact information: Home address, mailing address, telephone numbers, and email address.
- Account information: Account numbers, routing numbers, account balances, transaction history, payment history, and account ownership type.
- Financial information: Income, employment information, assets, liabilities, credit history, and credit scores collected during loan underwriting and account applications.
- Transaction data: Details of every debit, credit, wire transfer, bill payment, and electronic transaction on your Exchange Bank accounts, including merchant name, amount, date, and location.
- Device and technical information: IP address, browser type, device identifiers, operating system, referring URLs, and session data collected automatically when you use our website or mobile app.
- Communications: Records of phone calls with customer service, secure messages sent through online banking, and correspondence related to account servicing or disputes.
We collect information directly from you, from joint account holders, from consumer reporting agencies, from government records, and through automated means when you interact with our digital platforms.
2. How We Use Your Information
Exchange Bank uses the personal information we collect to operate and improve our services, fulfill our legal obligations, and communicate with you about your accounts. Specific uses include:
- Account servicing: Processing transactions, maintaining account records, issuing statements, responding to disputes, and fulfilling requests you make through online banking or customer service.
- Loan processing and underwriting: Evaluating creditworthiness, verifying income and assets, making lending decisions, and servicing outstanding loans.
- Fraud prevention and security: Detecting and investigating unauthorized transactions, suspicious activity, identity theft, and cybersecurity threats. Certain fraud prevention activities are mandatory and cannot be opted out of.
- Legal and regulatory compliance: Meeting obligations under the Bank Secrecy Act, USA PATRIOT Act, GLBA, FDIC regulations, OFAC requirements, and all other applicable federal and state laws. This includes reporting required by the IRS and responding to lawful government requests.
- Marketing and product recommendations: We may use your account information and transaction patterns to identify Exchange Bank products or services that may be relevant to you and send promotional communications by mail, email, or phone. You may opt out of marketing communications at any time — see Section 4.
- Product improvement: Aggregated, anonymized data may be used to analyze trends, improve website performance, and develop new banking features.
3. Information Sharing
Exchange Bank does not sell your personal information to third parties. We share your information only in limited, defined circumstances:
- Within Exchange Bank affiliates: We may share information among Exchange Bank subsidiaries and affiliates to provide integrated financial services and for joint marketing purposes, subject to your opt-out rights described in Section 4.
- Service providers: We share information with vendors and service providers who perform functions on our behalf, including core banking technology providers, credit bureaus, payment processors, statement printing services, fraud detection vendors, and IT infrastructure providers. These parties are contractually obligated to use your information only as directed by Exchange Bank and to maintain appropriate security standards.
- Legal and regulatory requirements: We disclose information when required by law, court order, subpoena, regulatory examination, or to respond to a government agency request. We may also disclose information to protect the rights, property, or safety of Exchange Bank, our customers, or the public.
- Business transactions: In the event of a merger, acquisition, or sale of Exchange Bank or its assets, customer information may be transferred as part of that transaction. We will notify affected customers as required by applicable law.
- With your consent: We share your information with third parties when you expressly authorize us to do so — for example, when you connect a third-party financial app to your Exchange Bank account through an authorized data sharing arrangement.
We do not share your personal financial information with non-affiliated third parties for their independent marketing purposes without your explicit consent.
4. Your Privacy Choices
You have meaningful choices about how Exchange Bank uses and shares certain categories of your information.
Marketing opt-out: You may opt out of receiving marketing communications from Exchange Bank at any time by calling (800) 397-3962 or emailing privacy@exchangebank.co.com. You may also click the unsubscribe link in any marketing email we send. Opting out of marketing does not affect your receipt of transactional or account-related communications, which are necessary for account servicing.
Affiliate sharing opt-out: You may limit Exchange Bank's sharing of your personal financial information with affiliated companies for marketing purposes. To exercise this right, contact us at (800) 397-3962 or write to Exchange Bank Privacy Office, 123 Exchange Plaza, Santa Rosa, CA 95401.
California CCPA rights: California residents have expanded rights described in Section 8 of this policy.
Note: Some information sharing cannot be limited because it is required by law or is necessary to process your transactions, maintain your accounts, or report to government agencies. These required activities will continue regardless of your opt-out preferences.
5. Data Security
Exchange Bank maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of your personal and financial information. Our security measures include:
- 256-bit SSL/TLS encryption: All data transmitted between your browser or mobile app and Exchange Bank's systems is encrypted using industry-standard Transport Layer Security. Look for the padlock icon and "https" in your browser address bar when using our website.
- Multi-factor authentication: Exchange Bank online banking requires multi-factor authentication, which adds a second verification step beyond your password to prevent unauthorized access even if your password is compromised.
- Access controls: Employee access to customer information is restricted based on job function and enforced through role-based access control systems. Employees are granted access only to the information necessary to perform their specific duties.
- Employee training: All Exchange Bank employees who handle customer information receive mandatory annual training on data privacy, information security, and phishing awareness. Employees are subject to a code of conduct that prohibits unauthorized access to or disclosure of customer information.
- Monitoring and intrusion detection: Exchange Bank employs continuous network monitoring, intrusion detection systems, and vulnerability scanning to identify and respond to threats in real time.
- Incident response: Exchange Bank maintains a documented incident response plan. In the event of a data breach affecting your personal information, we will notify you as required by applicable federal and state data breach notification laws, including the California Consumer Privacy Act and applicable federal banking regulations.
No data transmission over the internet or electronic storage method is guaranteed to be completely secure. Exchange Bank implements reasonable and appropriate measures but cannot guarantee absolute security. If you suspect unauthorized activity on your account, contact us immediately at (800) 397-3962.
6. Data Retention
Exchange Bank retains personal and account information for as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce our agreements.
For closed accounts, Exchange Bank retains account records for a minimum of 7 years post-closure in accordance with federal banking regulations, including requirements under the Bank Secrecy Act, Federal Deposit Insurance Act, and IRS recordkeeping rules. Some categories of information — such as mortgage loan files, BSA/AML records, and litigation-related documents — may be retained for longer periods as required by specific regulations or legal holds.
Transaction records stored in your online banking portal are accessible for up to 7 years from the date of each transaction. After the applicable retention period, records are destroyed using secure methods that prevent reconstruction.
7. Cookies and Tracking
Exchange Bank uses cookies and similar tracking technologies on our website and mobile app to improve your experience, maintain session security, and analyze aggregate usage patterns.
Session cookies: These temporary cookies are required for online banking to function. They maintain your authenticated session, remember your preferences within a visit, and expire automatically when you close your browser or log out. Session cookies cannot be disabled without preventing access to online banking.
Analytics cookies: We use analytics tools that set persistent cookies to collect anonymized data about how visitors use our website — which pages are visited most, how long sessions last, and which features are used. This data is aggregated and does not identify individual users. It is used solely to improve our website and services.
Functional cookies: Some cookies remember your preferences — such as your selected language or whether you have dismissed a notice — to make your next visit more convenient.
Opt-out: You can control cookies through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, or receive a warning before a cookie is stored. Disabling certain cookies may impair website functionality. Exchange Bank does not respond to browser "Do Not Track" signals at this time, as no industry standard for such signals has been established.
Exchange Bank does not use cookies to serve behavioral advertising on third-party websites.
8. California Resident Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information. As a financial institution subject to the Gramm-Leach-Bliley Act, some Exchange Bank data practices are exempt from certain CCPA requirements. However, we extend the following rights to California residents to the extent applicable:
- Right to Know: You have the right to request that Exchange Bank disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to exceptions required by law — including retention obligations under federal banking regulations.
- Right to Correct: You have the right to request correction of inaccurate personal information that Exchange Bank holds about you.
- Right to Opt Out of Sale or Sharing: Exchange Bank does not sell your personal information and does not share it for cross-context behavioral advertising purposes. No action is needed to exercise this right.
- Right to Non-Discrimination: Exchange Bank will not discriminate against you for exercising any of your CCPA rights. You will not receive a different level of service, higher prices, or reduced benefits as a result of making a CCPA request.
To submit a CCPA request, contact us at privacy@exchangebank.co.com or call (800) 397-3962. We will verify your identity before processing the request. We respond to verifiable requests within 45 days; complex requests may require an additional 45-day extension, which we will communicate to you in writing.
9. Children's Privacy
Exchange Bank does not knowingly provide banking or financial services directed at individuals under 13 years of age, and we do not knowingly collect personal information from children under 13. Our website and mobile app are intended for adults and for minors aged 13 and older who are opening accounts jointly with a parent or guardian.
Custodial accounts for minors are managed by the custodian of record. If you believe a child under 13 has provided personal information to Exchange Bank without appropriate parental consent, contact us immediately at privacy@exchangebank.co.com and we will take appropriate steps to remove such information.
10. Contact for Privacy Inquiries
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to report a potential privacy concern, contact Exchange Bank through the following channels:
- Email: privacy@exchangebank.co.com
- Phone: (800) 397-3962 — Monday through Friday, 8 AM – 6 PM ET
- Mail: Exchange Bank Privacy Office, 123 Exchange Plaza, Santa Rosa, CA 95401
We take privacy inquiries seriously and will respond within the timeframes required by applicable law. For general consumer financial privacy information, the Consumer Financial Protection Bureau provides educational resources at consumerfinance.gov.
Last Updated: April 3, 2026. Exchange Bank reserves the right to update this Privacy Policy at any time. Material changes will be communicated by posting the revised policy on our website and, where required by law, by direct notice to affected customers. Continued use of Exchange Bank services after the effective date of any update constitutes acceptance of the revised policy.