California Privacy Policy

California Privacy Notice

Effective Date: October 2025

Last Updated: October 2025

Aloha and Welcome

This California Privacy Notice (the “CA Notice”) is provided by Hawaii Merchant Funding, LLC (“HMF,” “we,” “us,” or “our”) pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”). It supplements the information contained in our general Privacy Policy and applies solely to California residents (“consumers” or “you”). This CA Notice explains how we collect, use, disclose, and retain personal information, and describes the rights California residents may have regarding their personal information.

1. Notice at Collection

The CCPA/CPRA requires businesses to inform consumers, at or before the point of collection, of the categories of personal information collected and the purposes for which the information will be used. HMF collects personal information primarily to provide alternative funding services (including reviewing applications, underwriting, servicing funding agreements, and communicating with merchants). We also collect personal information to comply with legal obligations, to protect against fraud, and to operate our website. Below we describe the categories of personal information we may collect, the purposes for which we use them, the categories of sources, the categories of third parties to whom the information is disclosed, and the expected retention period.

Identifiers

Examples: Name, postal address, email address, phone number, mobile number, account username, IP address, unique device identifiers.

Purpose of collection and use: To evaluate funding applications, open and administer accounts, communicate with applicants, authenticate users, provide customer service and send account notifications.

Categories of sources: Directly from consumers (applications and forms), from business partners, from cookies or analytics tools.

Categories of third parties to whom PI is disclosed: Service providers such as customer relationship management and communication platforms (e.g., RingCentral), data analytics providers, identity‑verification services.

Retention period: Generally retained as long as needed to provide services and meet legal obligations; financial application records may be retained for at least 10 years for regulatory compliance.

Sensitive personal information

Examples: Social Security number, driver’s license or state ID number, taxpayer identification (EIN), bank account and routing number, financial account information, username/password for our funding portal, precise bank transaction data.

Purpose of collection and use: To verify identity, assess creditworthiness and underwriting, process funding transactions, and comply with anti‑fraud and “know your customer” obligations.

Categories of sources: Directly from consumers or their authorized agents; from financial data aggregators (e.g., Plaid) at the consumer’s direction.

Categories of third parties to whom PI is disclosed: Service providers that facilitate identity verification (e.g., Plaid), payment processors, electronic‑signature providers; legal or regulatory authorities if required.

Retention period: Retained for as long as necessary to satisfy statutory or contractual record‑keeping requirements (e.g., tax and financial laws) and to defend against potential legal claims.

Commercial information

Examples: Records of funding agreements, payment histories, account balances and transaction histories.

Purpose of collection and use: To process and service funding agreements, manage billing, and evaluate future funding requests.

Categories of sources: Directly from consumers; from our funding platform; from financial partners.

Categories of third parties to whom PI is disclosed: Service providers such as payment processors; collections agencies (if necessary); financial partners, auditors and regulators.

Retention period: Generally retained for the duration of the funding relationship and a minimum of 10 years thereafter to comply with record‑keeping requirements.

Internet or network activity information

Examples: Browsing history, device information, log files, pages viewed, time spent on pages, and click‑stream data.

Purpose of collection and use: To operate and secure our website, improve user experience, analyze site traffic, detect security incidents and prevent fraud.

Categories of sources: Automatically collected when you visit our website via cookies, pixel tags and similar technologies; from analytics providers.

Categories of third parties to whom PI is disclosed: Service providers that host our website or provide analytics and security services; advertising or social media partners (for site analytics, not for targeted advertising).

Retention period: Retained for varying periods (typically 1–3 years) depending on the purpose and our legal obligations.

Professional or employment‑related information

Examples: Business name, job title, business phone number and business email address.

Purpose of collection and use: To assess business funding eligibility, communicate with business contacts and comply with regulatory requirements.

Categories of sources: Directly from consumers (funding applications and business contracts); from publicly available sources.

Categories of third parties to whom PI is disclosed: Service providers that help us evaluate funding applications, legal counsel and auditors.

Retention period: Retained for the duration of the business relationship and as required by law.

Geolocation data

Examples: General location derived from IP address.

Purpose of collection and use: To detect suspicious activity (fraud prevention) and customize content based on region.

Categories of sources: Automatically collected from your device or browser.

Categories of third parties to whom PI is disclosed: Service providers providing analytics and security services.

Retention period: Retained for up to 3 years or as necessary for fraud monitoring.

Inferences and profiles

Examples: Our internal assessment of funding risk, eligibility scores and customer segmentation.

Purpose of collection and use: To determine funding eligibility and tailor product offerings.

Categories of sources: Generated internally based on other collected information; from third‑party data providers with your consent.

Categories of third parties to whom PI is disclosed: Shared with service providers engaged to assist with underwriting and risk analysis; not sold or shared for cross‑context behavioral advertising.

Retention period: Retained as long as necessary for underwriting decisions and regulatory record‑keeping.

Retention periods are approximate and may vary depending on legal requirements, contractual obligations and operational needs.

Do We Sell or Share Personal Information?

HMF does not sell personal information (as “sale” is defined under the CCPA/CPRA). We also do not share personal information for cross‑context behavioral advertising. When we disclose personal information to our service providers (e.g., Plaid, RingCentral and other identity‑verification, payment‑processing and electronic‑signature providers) and contractors, we do so for business purposes described above, pursuant to written agreements that restrict them from using the information for any purpose other than providing services to us.

In particular, we do not share or transfer any mobile opt‑in information or text‑message consent that you provide for SMS communications with any third parties or affiliates. Mobile opt‑in data is used solely for sending the types of SMS messages you have requested (such as account notifications, customer care or marketing messages) and is not sold, rented or disclosed for other purposes.

Notice Regarding Sensitive Personal Information

HMF may collect and process sensitive personal information (such as Social Security numbers or driver’s license numbers) strictly for business purposes such as identity verification, underwriting, fraud prevention and compliance with legal obligations. We do not use or disclose sensitive personal information to infer characteristics about you or for cross‑context advertising. Under the CPRA, California residents have the right to limit the use and disclosure of their sensitive personal information. If you wish to exercise this right, please follow the instructions in Section 4 below.

2. Use of Personal Information

We use the personal information we collect for the following purposes:

To process funding applications. We evaluate your eligibility, verify your identity and perform underwriting to provide you with alternative funding solutions.

To service funding agreements. We administer your account, process payments, provide account statements and communicate with you about your funding relationship.

To communicate with you. We send account notifications (e.g., application confirmation, decision status, payment reminders) and customer‑care messages as described in our SMS registration materials. We only send marketing messages to recipients who have provided written consent, and each marketing message includes instructions to opt out.

To comply with legal obligations. We maintain records, conduct audits and meet regulatory requirements (including anti‑money‑laundering and anti‑fraud measures).

To improve and secure our services. We analyze website usage, maintain security, prevent fraud and ensure the integrity of our systems.

To protect our rights and property. We enforce agreements, collect debts, resolve disputes and prevent misuse of our services.

3. Disclosure of Personal Information

We disclose personal information only for the purposes and to the categories of third parties described below:

Service Providers and Contractors. We share personal information with vendors that provide services on our behalf, such as data analysis, customer relationship management, identity verification, payment processing, electronic signatures, communications (e.g., RingCentral), and IT support. These service providers are restricted by contract from using your information for any purpose other than to provide services to us.

Affiliates and Financial Partners. We may disclose information to our affiliate entities and funding partners when necessary to underwrite and fund transactions or to comply with regulatory requirements.

Professional Advisors. We may share personal information with our auditors, legal counsel, accounting firms and other professional advisors when necessary for the provision of professional services.

Regulatory and Legal Authorities. We may disclose personal information to government authorities or law enforcement in response to legal requests, to comply with legal requirements, to protect our rights and to prevent fraud or illegal activity.

Business Transfers. In the event of a merger, acquisition or sale of some or all of our assets, your personal information may be transferred to the acquiring entity, subject to the terms of this CA Notice.

HMF does not knowingly disclose personal information of individuals under 16 years of age. We also do not use or disclose sensitive personal information to infer characteristics about you or for any purpose unrelated to our services.

4. California Consumer Rights

California residents have several rights under the CCPA/CPRA. These rights are subject to certain exceptions and limitations.

4.1. Right to Know

You have the right to request that we disclose certain information about our collection and use of your personal information over the past 12 months, including:

1. The categories of personal information we collected about you.

2. The sources from which we collected personal information.

3. The business or commercial purposes for collecting, using or disclosing personal information.

4. The categories of third parties to whom we disclose personal information.

5. The specific pieces of personal information we collected about you.

4.2. Right to Delete

You have the right to request that we delete personal information we collected from you, subject to certain exceptions such as fulfilling funding agreements, meeting legal obligations, detecting security incidents and protecting against fraud.

4.3. Right to Correct

You have the right to request that we correct inaccurate personal information we maintain about you.

4.4. Right to Opt Out of Sale or Sharing

We do not sell or share your personal information for cross‑context behavioral advertising. If we ever change our practices to engage in such activities, we will provide a clear “Do Not Sell or Share My Personal Information” link and update this CA Notice accordingly.

4.5. Right to Limit Use and Disclosure of Sensitive Personal Information

If we use or disclose sensitive personal information for purposes beyond those allowed under the CPRA (identity verification, fraud prevention, etc.), California residents have the right to request that we limit our use and disclosure of their sensitive personal information. At this time, HMF only uses sensitive personal information for permitted business purposes and does not use it for cross‑context advertising.

4.6. Right to Non‑Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. This means that we will not deny you services, charge you different prices, provide you with a different level or quality of service, or suggest that you will receive different prices or quality of service solely because you exercised your privacy rights.

4.7. Shine the Light Disclosure

California Civil Code § 1798.83 (the “Shine the Light” law) allows California residents to request certain information regarding the disclosure of personal information to third parties for their direct marketing purposes. HMF does not disclose personal information to third parties for their own direct marketing. If this policy changes, we will notify you and provide instructions for submitting a request.

5. Exercising Your Rights

5.1. Submitting Requests

To exercise your rights described in Section 4, you may submit a verifiable consumer request through one of the following methods:

Online Request Form: Visit our Privacy Request Portal and complete the form.

Email: Send an email to privacy@hmfhawaii.com with the subject line “California Privacy Request.”

Toll‑Free Phone: Call us at (800) 555‑1234 (available Monday – Friday, 9 AM – 5 PM HST).

You may submit a request on your own behalf or authorize an agent to act on your behalf. If you use an authorized agent, we may require proof of authorization and verification of your identity before responding.

5.2. Verification Process

For your protection, we will verify your identity before processing any privacy request. The verification process may include asking you to provide information that matches information we already have on file (e.g., your email address, phone number or recent transaction details). We will only use information provided in a verifiable consumer request to verify your identity and/or authority to make the request.

5.3. Response Timing and Format

We strive to respond to a verifiable consumer request within 45 days of receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Our response will explain our actions and the reasons for any denial. For requests to know or access, we will provide your information in a readily usable format.

6. Changes to This CA Notice

We may update this California Privacy Notice from time to time to reflect changes in our practices or the law, or for operational reasons. When we post changes, we will revise the “Last Updated” date at the top of this CA Notice and provide additional notice as required by law.

7. Contact Us

If you have any questions, comments or concerns about this CA Notice or our privacy practices, please contact us at:

Email: privacy@hmfhawaii.com

Mail: Hawaii Merchant Funding, LLC, 1001 Bishop Street, Suite 2685A, Honolulu, HI 96813

Toll‑Free: (808) 848‑3403

________________________________________

This CA Notice incorporates the rights under the CCPA, including the CPRA amendments effective January 1, 2023, which give California residents the right to limit the use of sensitive personal information and correct inaccurate data. It also complies with the requirement that a business’s privacy policy must inform consumers about their privacy rights and how to exercise them.