Hawaii Merchant Funding

California Privacy Policy

Aloha and Welcome

This Privacy Policy ("Policy") discloses the privacy practices for Hawaii Merchant Funding, LLC ("HMF," "we," "us," or "our") and applies to information collected through our website www.hmfhawaii.com, our mobile applications, and all related services (collectively, the "Platform"). This Policy complies with Hawaii Revised Statutes Chapter 487N (Security Breach of Personal Information Act), the Hawaii Consumer Data Protection Act, and all applicable federal and state privacy laws.

We respect your privacy and are committed to protecting your personal information with the same care and Aloha spirit that guides all our business relationships. This Policy is subject to and incorporates by reference our Terms of Use. Your use of our Platform and provision of Personal Information constitutes acceptance of this Policy.

Table of Contents

1. Definitions

2. Types of Information We Collect

3. Legal Basis and Purpose of Collection

4. Information Sharing and Disclosure

5. Data Security

6. Your Privacy Rights

7. Cookies and Tracking

8. Data Retention

9. Children's Privacy

10. Marketing and Communications

11. California Privacy Rights

12. Hawaii-Specific Provisions

13. Third-Party Links

14. International Users

15. Changes to This Policy

16. Contact Information

17. Accessibility

18. Severability

19. Governing Law

20. Mahalo

1. Definitions

For purposes of this Policy:

• "Personal Information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements:

(1) Social security number;

(2) Driver's license number or Hawaii identification card number;

(3) Account number, routing number, credit or debit card number, access code, or password that would permit access to an individual's financial account;

(4) Unique biometric data; or

(5) Other information as defined under Hawaii law.

• "Sensitive Data" means data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.

• "Processing" means any operation performed on personal information.

2. Types of Information We Collect
2.1 Information You Provide Directly

Business Application Information:

• Business name, DBA, EIN, and business license numbers

• Owner/principal information (name, SSN, DOB, driver's license)

• Business physical and mailing addresses

• Business bank account and routing numbers

• Monthly revenue, time in business, industry type

• Business tax returns and financial statements

Account Registration:

• Name, email address, phone numbers

• Username and secure password

• Business role and authorization documentation

• Communication preferences

• Security questions and answers

Service Enrollment:

• Merchant cash advance preferences

• AI-powered analytics selections

• Virtual CFO service requirements

• Business consulting needs

• Technology integration preferences

2.2 Information Collected Automatically

Technical Information:

• IP address and device identifiers

• Browser type, operating system, device type

• Access dates, times, and duration

• Pages visited and features used

• Referral sources and exit pages

• Geolocation data (only with explicit consent)

Business Intelligence Data (via AI Systems):

• Daily transaction volumes and patterns

• Seasonal business trends and cycles

• Cash flow patterns and projections

• Industry-specific performance metrics

• Merchant category code (MCC) data

2.3 Information from Third Parties

We may receive information from:

• Financial Institutions: Via Plaid for bank account verification and transaction data

• Credit Bureaus: Experian, Equifax, TransUnion for credit reports

• Public Records: Hawaii DCCA, tax records, UCC filings

• Payment Processors: Transaction and sales data

• AI Systems Provider: Processed insights and risk assessments

• Referral Partners: Basic business contact information

3. Legal Basis and Purpose of Collection
3.1 Legal Basis for Processing

We process your information based on:

• Consent: For marketing communications and optional services

• Contract Performance: To provide funding and related services

• Legal Obligations: To comply with BSA/AML requirements, tax laws

• Legitimate Interests: For fraud prevention, security, and service improvement

3.2 How We Use Your Information

• Core Business Purposes:

• Evaluate merchant cash advance applications

• Perform underwriting and risk assessment

• Process funding disbursements

• Monitor and collect daily remittances via ACH

• Provide customer support and account management

• Comply with legal and regulatory requirements

Technology Services:

• Generate AI-powered business insights

• Create automated financial reports

• Provide predictive analytics and alerts

• Deliver virtual CFO recommendations

• Optimize cash flow management strategies

Security and Compliance:

• Verify identity and prevent fraud

• Conduct BSA/AML screening (OFAC checks)

• Monitor for suspicious activities

• Maintain transaction records (7 years per federal law)

• Respond to legal process and regulatory inquiries

Communications:

• Send funding decisions and account updates

• Provide service notifications and alerts

• Share educational content and best practices

• Deliver security alerts and breach notifications

• Respond to customer inquiries

4. Information Sharing and Disclosure
4.1 No mobile opt-in or text message consent will be shared with third parties or affiliates.

4.2 Service Providers

We share information with carefully selected service providers who assist us:

Technology Partners:

• AI and automation systems provider

• Plaid (bank verification) - SOC 2 certified

• DocuSign (e-signatures) - ISO 27001 certified

• Cloud hosting provider - FedRAMP authorized

• Communication services provider

Financial Partners:

• Central Pacific Bank, First Hawaiian Bank, Bank of Hawaii (ACH processing)

• Payment processing services - PCI DSS Level 1

• Credit bureaus for underwriting

Professional Services:

• Legal counsel

• Independent auditors

• Marketing partners (anonymized data only)

4.3 Legal Disclosures

We may disclose information when:

• Required by subpoena, court order, or legal process

• Necessary to comply with Hawaii state or federal law

• Required to investigate or prevent fraud

• Needed to protect rights, property, or safety

• Necessary for law enforcement cooperation

4.4 Business Transfers

In the event of merger, acquisition, reorganization, or asset sale:

• We will notify you before your information is transferred

• The acquiring entity must honor this Privacy Policy

• You may opt out of the transfer where legally permitted

4.5 No Sale of Personal Information

We do not and will not sell your personal information to third parties. We do not share your information for cross-context behavioral advertising.

5. Data Security

5.1 Technical Safeguards

We implement industry-standard security measures:

• Encryption: 256-bit SSL for transmission, AES-256 for storage

• Access Controls: Role-based permissions, multi-factor authentication

• Monitoring: 24/7 security monitoring, intrusion detection

• Infrastructure: SOC 2 Type II compliant data centers

• Backups: Daily encrypted backups, geographic redundancy

5.2 Administrative Safeguards

• Background checks for all employees

• Annual security training requirements

• Confidentiality agreements for all staff

• Principle of least privilege access

• Regular security audits and assessments

5.3 Breach Response

In accordance with HRS §487N-2, if a security breach occurs:

• We will notify you without unreasonable delay

• Notice will include nature of breach and steps to take

• We will provide credit monitoring if SSN compromised

• We will notify Hawaii Office of Consumer Protection

• We maintain cyber liability insurance coverage

6. Your Privacy Rights
6.1 Rights Under Hawaii Law

Hawaii residents have the right to:

• Access: Obtain copies of your personal information

• Correction: Request correction of inaccurate information

• Deletion: Request deletion (subject to legal retention requirements)

• Opt-Out: Opt out of sale/sharing (we don't sell data)

• Portability: Receive data in portable format

• Non-Discrimination: Not face retaliation for exercising rights

6.2 Exercising Your Rights

To exercise your rights:

• Online: Privacy portal at www.hmfhawaii.com/privacy-rights

• Email: privacy@hmfhawaii.com

• Phone: (808) 555-FUND (3863)

• Mail: Privacy Office, 1388 Bishop Street, Suite 1010, Honolulu, HI 96813

Verification Process:

• We will verify your identity before processing requests

• May require government ID and account information

• Authorized agents must provide written authorization

• We will respond within 30 days (45 days for complex requests)

6.3 Appeal Process

If we deny your request:

• We will explain the reason for denial

• You may appeal to our Data Protection Officer

• Appeals resolved within 30 days

• You may file complaint with Hawaii OCP

7. Cookies and Tracking
7.1 Types of Cookies We Use

Essential Cookies:

• Session management and security

• User authentication

• Feature functionality

• Cannot be disabled

Analytics Cookies:

• Google Analytics (anonymized IP)

• Usage patterns and performance

• User experience optimization

• Can be disabled via browser

Marketing Cookies:

• Used only with explicit consent

• Preference remembering

• Relevant content delivery

• Full opt-out available

7.2 Managing Cookies

• Browser settings control most cookies

• "Do Not Track" signals honored

• Cookie-free access available on request

See www.hmfhawaii.com/cookie-policy for details

8. Data Retention
We retain information according to legal and business requirements:

Funding Records

• Retention Period: 7 years

• Legal Basis: IRS requirements

Transaction Data

• Retention Period: 7 years

• Legal Basis: BSA/AML regulations

Account Information

• Retention Period: Duration of relationship + 7 years

• Legal Basis: Business Records

Marketing Data

• Retention Period: Until opt-out or 3 years inactive

• Legal Basis: Legitimate interest

Security Logs

• Retention Period: 1 year

• Legal Basis: Security Purposes

• Retention Period: Session or up to 1 year

• Legal Basis: Per cookie policy

Deletion performed securely using DoD 5220.22-M standards.

9. Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect information from minors. If we discover collection from someone under 18, we will promptly delete the information and terminate any account.

10. Marketing and Communications
10.1 Marketing Preferences

We only send marketing communications only with a user’s consent;

• Opt‑in is required for marketing emails

• SMS marketing requires explicit consent

• Recorded calls still require prior consent

10.2 Opt‑Out Methods.

• Click “unsubscribe” on marketing emails

• reply “STOP” to any SMS message

• Call (808) 848-3403

• email optout@hmfhawaii.com

• update preferences at www.hmfhawaii.com/preferences

10.3 Essential Communications.

You cannot opt out of essential communications (funding agreements, security alerts, payment confirmations, legal notices, and account verification).
10.4 SMS Messaging Terms

Purpose of SMS Messages.

We send SMS messages to provide funding application updates, account notifications, reminders and occasional promotional offers. We do not use SMS for any loan or mortgage advertisements, credit‑repair services, debt collection or other prohibited content.

No mobile opt-in data will be shared with third parties or affiliate

Consent and Non‑Condition

• SMS messages are sent only when you have explicitly opted in. Consent to receive texts is not required to apply for funding or purchase products.

Message Frequency and Cost

• Message frequency may vary; message and data rates may apply.

Opt‑Out and Help

• To stop receiving SMS messages, reply “STOP.” Reply “HELP” for help or contact us at privacy@hmfhawaii.com.
Data Use and Sharing

• We log your consent and opt‑out status for compliance, and do not sell or share your phone number or consent information with unaffiliated third parties.

Carrier Liability Disclaimer

• Carriers are not liable for delayed or undelivered messages.

Policy Compliance

• We adhere to RingCentral’s SMS/MMS content policies; violating those policies may result in suspension of our SMS program.

Cross‑Reference to Terms. See Section 11.1 of our Terms of Service for additional SMS terms.

11. California Privacy Rights
California residents have additional rights under CCPA/CPRA:

• Right to know categories and specific pieces of information

• Right to delete (with exceptions)

• Right to opt-out of sale (we don't sell)

• Right to non-discrimination

• Right to limit use of sensitive information

See our California Privacy Notice at www.hmfhawaii.com/privacy-ca

12. Hawaii-Specific Provisions

12.1 Compliance with Hawaii Law

We comply with:

• HRS Chapter 487N (Security Breach Act)

• Hawaii Consumer Data Protection Act

• Hawaii Consumer Protection Act (HRS §480)

• Hawaii Electronic Communications Privacy Act (HRS §803)

• Office of Consumer Protection regulations

12.2 Special Protections

• Social Security numbers encrypted and access restricted

• Biometric data requires explicit written consent

• Native Hawaiian cultural values respected in all practices

• Local data residency available upon request

13. Third-Party Links
Our Platform may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to read their privacy policies before providing information.

14. International Users
Our Platform operates from Hawaii, USA. By using our services from outside the United States, you consent to transfer and processing of your information in the United States, which may have different privacy protections than your jurisdiction.

15. Changes to this Policy
We may update this Policy to reflect changes in law or our practices:

• Material changes notified 30 days in advance

• Email notice to registered users

• Banner notification on Platform

• Continued use constitutes acceptance

16. Contact Information

Hawaii Merchant Funding, LLC

Privacy Office

1388 Bishop Street, Suite 1010

Honolulu, HI 96813

General Privacy Inquiries:

• Phone: (808) 555-FUND (3863)

• Email: privacy@hmfhawaii.com

• Hours: Monday-Friday, 8:00 AM - 8:00 PM HST

Data Protection Officer:

• Email: dpo@hmfhawaii.com

• Phone: (808) 555-3864

Regulatory Complaints:

• Hawaii Office of Consumer Protection

• Phone: (808) 586-2630

• Website: cca.hawaii.gov/ocp

17. Accessibility

This Policy is available in alternative formats:

• Large print version

• Audio version

• Hawaiian language version (upon request)

• Screen reader compatible HTML

Contact accessibility@hmfhawaii.com for assistance.

18. Severability

If any provision of this Policy is found unenforceable, the remaining provisions will continue in full force and effect.

19. Governing Law

This Policy is governed by Hawaii law without regard to conflict of law principles. Any disputes will be resolved in Hawaii state courts in Honolulu.

20. Mahalo

Thank you for trusting Hawaii Merchant Funding with your information. We are committed to maintaining that trust through transparent practices, robust security, and full compliance with all applicable privacy laws.

E mālama pono - Take good care,

The Hawaii Merchant Funding Team