This Privacy Policy (“Web Policy“) applies to all access or use of MainStreet Bank digital properties, including the MainStreet Bank website at mstreetbank.com (the “Website“), any MainStreet Bank iOS or Android mobile application (the “Application“), and the digital services, vendor sites, content, products, and features offered from time to time by MainStreet Bank in connection therewith (collectively, the “Digital Services“). This includes digital services for divisions of MainStreet Bank such as Avenu (avenu.bank), Venu (venu.bank), and MainStreet Community Capital (mstreetbankcc.com).

This Web Policy explains how MainStreet Bank collects and uses the information you provide to us to help you make informed decisions when using the Digital Services. It also explains your rights in relation to your Personal Information and how to contact us in the event you have a question, comment, or complaint. Please be sure to read this entire Web Policy before using the Digital Services. If you do not agree with this Web Policy, then you should not use the Digital Services. For further information on policies governing the use of the Digital Services, please visit the Website Agreement.

This Web Policy is subject to change and MainStreet Bank may update it at any time. We will notify you of material changes to our Web Policy by posting any updated policies on this page and revising the April 2024 date.

1. WEB POLICY SCOPE
 
This Web Policy is specific to the Digital Services and does not supersede the General Privacy Policy. Furthermore, this Web Policy does not apply to consumer financial information subject to state or federal laws, rules, or regulations.

Please see our General Privacy Policy for more information concerning consumer financial information.

2. KEY TERMS
 
The following key terms used in this Web Policy have the meanings set out below.

3. COLLECTION OF PERSONAL INFORMATION
 
Personal Information We Collect

Although some portions of the Digital Services do not require the collection of Personal Information, we generally collect the following categories and specific types of Personal Information about our Users:

How Your Personal Information is Collected

When you use the Digital Services, we collect the Personal Information you give us directly as well as usage information we collect automatically. The Personal Information we collect falls within the following groups of sources:

• Directly from you. For example: If you create an Account with a Digital Service and provide us with your Personal Information or allow us to collect your Personal Information;
• From public records. For example: Federal, state, or local government public record sources;
• From third parties. For example: Our third party service providers and data analytics providers;
• From third parties with your consent. For example: Credit bureaus; or Your bank;
• From automated information collecting. For example: The cookies and tracking technologies on the Digital Services—for more information on our use of cookies and tracking technologies, please see the Section “Cookies and Tracking Technology” below;
  Advertising networks.

4. USE OF PERSONAL INFORMATION
 

Why We Use Your Personal Information

We may collect your Personal Information for the following purposes:

• To provide, operate, and maintain the Digital Services and to foster a positive User experience by:
  Verifying your identity (e.g., when you access your Account information);
  Processing User payment transactions;
  Providing User service support; and
  Finding nearby MainStreet Bank physical branch locations and ATMs.
• To personalize, customize, measure, and improve the Services, and the content, layout, and operation of the Digital Services;
• To detect and prevent fraud, and identify theft and other risks to you or Mainstreet Bank;
• To provide advertising and marketing services through our Digital Services;
• To comply with applicable laws and regulations or otherwise seek to prevent potentially prohibited or illegal activities;
• To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our Users is among the assets transferred; or
• For other purposes about which we notify you.

How and Why We Use Your Sensitive Personal Information

Special forms of Personal Information, if collected, are considered sensitive and receive heightened protection. We may collect and process the following specific types of Sensitive Personal Information when you voluntarily provide them for necessary Business Purposes:

• Account information;
• Log-in information;
• Financial information;
• Biometric information; and
• Government Identification Information.

We may collect and process the following special categories of Sensitive Personal Information for necessary Business Purposes with your prior consent:

• Precise Geolocation Information.
  Our collection of your Precise Geolocation Information is not mandatory and is controlled by you through the Digital Services or through your device settings. You may consent to, or opt out of, Precise Geolocation Information tracking at any time. Please note that opting out of Precise Geolocation Information tracking may affect the extent to which MainStreet Bank can offer you certain location services.

Sometimes, we may also need to collect Sensitive Personal Information for the sole purpose of verifying your identity (e.g., your privacy right request; your request to remove your child’s Personal Information). For these purposes, we collect the following Sensitive Personal Information when it is given to us directly by you:

• Account information;
• Financial information;
• Biometric information; and
• Government Identification Information.

When we use your Sensitive Personal Information, we will only use it as permitted under applicable data protection laws. For example:

• We have your explicit consent; or
• The use of Sensitive Personal Information is necessary to carry out the Digital Services.

5. SELLING, SHARING, AND DISCLOSING OF PERSONAL INFORMATION
 

Who We Share Your Personal Information With
In the preceding twelve (12) months, we have not Sold or Shared your Personal Information for money or other valuable consideration—or Shared your Personal Information for targeted advertisement or profiling purposes.

Categories of Personal Information We Sold or Shared
In the preceding (12) months, we have not Sold or Shared any category of your Personal Information for money or other valuable consideration—or Shared your Personal Information for targeted advertisement or profiling purposes.

Who We Disclose Your Personal Information to for Business Purposes
In the preceding twelve (12) months, we have disclosed your Personal Information to the following parties for necessary Business Purposes:

• Certain third party companies, service providers, and their employees and representatives that help us run, maintain, and secure the Digital Services (collectively, the “Authorized Third Parties”);
• Third parties approved by you, including third party banks and payment providers;
• Credit bureaus and reporting agencies;
• Government agencies as required by laws and regulations;
• Our insurers and brokers; and
• Our affiliates.

Categories of Personal Information We Disclosed for a Business Purpose
In the preceding twelve (12) months, we have disclosed the following categories of Personal Information for a Business Purpose:

• Identifiers;
• Information That Identifies, Relates to, Describes, or Is Capable of Being Associated with, a Particular Individual;
• Commercial Information;
• Internet or Other Electronic Network Activity Information;
• Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information; and
• Sensitive Personal Information.

Our Business Purposes for Disclosing Personal Information

In the preceding twelve (12) months, we have disclosed your Personal Information for the following Business Purposes:

• To maintain the necessary operations of the Digital Services;
• To provide Digital Services to you including payment transactions, payment authorizations, payment processes, and similar payment actions;
• To verify your identity, prevent fraud and authenticate documentation;
• To fulfill or meet the reason you provided the information;
• To provide you with support and to respond to your inquiries;
• To verify the existence and condition of your Account for a third party, such as a credit bureau or merchant;
• To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations; and
• For other reasons as we will relate them to you before we collect your Personal Information.

6. COMMUNICATIONS
 
The communications between you and MainStreet Bank may take place via electronic means, whether you visit the Digital Services or send us emails, or whether we post notices on the Digital Services or communicate with you via email, phone call, text message, mobile push notification, or through the Digital Services (collectively the “Communications”). Message and data rates may apply.

You have the right to opt out of receiving promotional Communications at any time. If you would like to discontinue receiving promotional Communications, you may opt out by using the “Unsubscribe” link found in our emails, replying “STOP” to our text messages, or disabling push notifications through your mobile device’s settings. You acknowledge that opting out of receiving all Communications may impact your use of the Digital Services. Notwithstanding the foregoing, if we suspect fraud or unlawful activity on your Account, MainStreet Bank may contact you using any of the contact information you provided in connection with your Account.

7. COOKIES AND TRACKING TECHNOLOGIES
 
We, as well as the Authorized Third Parties that provide functionality on the Digital Services, may use cookies, web beacons, or similar technologies to automatically collect or receive Personal Information and anonymized information throughout the Digital Services. This information is used for analytics, advertising, and troubleshooting purposes. As a User of our Digital Services, you can opt-out of the collection and use of your Personal Information for advertisement targeting by visiting Your Ad Choices.

Cookies and Similar Tracking Technologies

A cookie is a small data file that we transfer to your device’s system when you access the Digital Services. We use cookies and similar tracking technology to collect additional service usage information and to improve the Digital Services. and to evaluate the success of our marketing efforts.

Analytics

We use Google Analytics to better understand how Users interact with our Digital Services. Google Analytics provides non-personally identifiable information including but not limited to information concerning where Users came from and what actions they took on the Digital Services. We use this information to improve your experience. You can learn more about Google Analytics and how to opt out of its information collection by visiting Google Analytics.

Likewise, we may use Appsflyer or other third parties to analyze the success of our marketing campaigns. These sites generally do not have access to personal information. Nevertheless, you can learn more about Appsflyer by visiting their website.

What Types of Cookies Do We Use?

We, as well as the Authorized Third Parties that provide functionality on the Digital Services, make use of the following types of cookies:
 

• Strictly Necessary Cookies: We use these cookies to maintain our Digital Services. Without them, our Services would not work properly.
• Performance or Analytical Cookies: We use these cookies to measure the performance of the Digital Services. This information is then used to improve our Digital Services and improve your experience.
• Security and Authentication Cookies: We use these cookies to help keep our Digital Services secure by managing User sessions and preventing fraud. They ensure that your information is delivered to you by linking your information with a unique cookie identifier string.
• Personalization Cookies: We use these cookies to remember your preset features and preferences for our Digital Services.
• Advertising Cookies: Advertising cookies and technologies are used to deliver advertisements that may be relevant to you and your interests.
• Software Development Kits: A software development kit (“SDK”) is a mobile specific set of tools that provides a developer with the ability to build a custom application which can be added on, or connected, to another program. We use SDK packages to deliver similar technologies like cookies within our Applications.

Cookie Duration Period

Cookies have a duration period; some cookies are temporary (session cookies), while others may stay on your browser until you delete them manually or until your browser or device deletes them based on the duration set within the cookie (persistent cookies). We and our Authorized Third Parties make use of both session and persistent cookies.

How to Manage Cookies

If you do not want cookies from us, our Authorized Third Parties, or other third parties, you can change your browser or device settings to stop accepting cookies or to prompt you before accepting a cookie from the websites or applications you visit. However, please note that the Digital Services may not function properly if you disable cookies.

8. THIRD PARTY WEBSITES, APPLICATIONS, AND WIDGETS
 
The Digital Services may contain links to non-affiliated third party websites, applications, or social media widgets (such as credit bureaus, service providers, or merchants). Mainstreet Bank does not endorse, authorize, represent, or exercise control over any third party website, application, or social media widget. These other websites, applications, or widgets may place their own cookies or other files on your device, collect information, or solicit Personal Information from you. Third party websites, applications, and social media widgets may follow different rules regarding the use or disclosure of the Personal Information you submit to them. We encourage you to read the privacy notices or policies of the other websites, applications, or widgets you visit or click.

By visiting a non-affiliated third party website or application or interacting with a social media widget, you acknowledge that you understand and assume these risks.

9. OPT OUT INFORMATION
 
The Right to Opt Out: State Specific
Some states provide their residents with the right to opt out of the Sale or Sharing of Personal Information, targeted advertising and/or profiling, and automated decision-making. If you wish to exercise your state right, please complete our Opt Out form and send it to us.

Do Not Sell or Share My Personal Information

The state of California provides their residents with the right to opt out of:

• The Sale or Sharing of Personal Information for money and other value; and/or
• The Sale or Sharing of Personal Information for the purpose of cross-context behavioral advertising (targeted advertising) or profiling.

MainStreet Bank does not Sell or Share your Personal Information for money or other valuable consideration—or Share your Personal Information for targeted advertisement or profiling purposes.

Limit the Use and Disclosure of My Sensitive Personal Information
The state of California also provides their residents with the right to limit the use and disclosure of their Sensitive Personal Information to necessary Business Purposes. MainStreet Bank only uses your Sensitive Personal Information for necessary Business Purposes.

Do Not Track
Our Digital Services do not respond to “Do Not Track” or “DNT” signals or similar mechanisms.

10. CHILDREN’S INFORMATION
 
Eligibility for Digital Services
The Digital Services are not intended for persons under the age of eighteen (18). We do not knowingly collect information from children under eighteen (18) without parental consent and we specifically prohibit children under eighteen (18) from entering any parts of the Digital Services. You can learn more about the Children’s Online Privacy Protection Act by visiting the Federal Trade Commission.

Privacy Rights for California Minors in the Digital World Act
If you are a California resident under the age of eighteen (18) and are a User of the Digital Services, you may request that we remove the Personal Information you have posted on the Digital Services. Please contact us (see the Section “How to Contact Us” below) so we may delete the information collected. Keep in mind, however, that certain California or federal laws may stop us from deleting specific categories of your Personal Information if applicable.

11. DATA TRANSFER
 
The Personal Information of Users may be transferred or processed in any jurisdiction where we have facilities or jurisdictions in which we engage service providers or other third parties, including the United States. Any such transfer will be in accordance with applicable laws and regulations.

12. SECURING YOUR INFORMATION
 
The security of your Personal Information is extremely important to us. To protect Personal Information from unauthorized access and use, we use security measures that comply with applicable federal and state laws.

However, due to the inherent nature of the Internet as an open global communications vehicle, we make no guarantee as to the security of your information or that your information, during transmission through the Internet or while stored on our system or otherwise in our care, will be absolutely safe from intrusion by others, such as hackers. In the event of a data breach relating to your Personal Information, we will provide timely notification in accordance with applicable laws and regulations.

13. DATA RETENTION
 
In general, we will retain Personal Information and other data we collect, obtain, hold, and/or process on behalf of our Users for as long as needed to provide the Digital Services to such Users, and we retain and use this Personal Information and other data as necessary to comply with our legal obligations, resolve disputes, and enforce this Web Policy.

We may delete or anonymize Personal Information and other data at any time in accordance with applicable laws and agreements. However, we will keep your Personal Information for as long as necessary to:

• • Respond to any questions, complaints, or claims made by you or on your behalf;
  • Show that we treated you fairly; or
  • Keep records required by law.

14. PRIVACY RIGHTS
 
U.S. State Applicable Privacy Rights
Residents of certain U.S. states may have specific privacy rights, including but not limited to the rights listed below, that they may exercise free of charge:

We respect your control over your Personal Information. You can exercise your privacy rights by:

• Sending us a privacy request – we will respond within thirty (30) days (see “How to Contact Us” below);
• Completing our Opt Out Form – we will respond within fifteen (15) business days (see “Opt Out Information” above); or
• Completing our Privacy Rights Appeal Form – we will respond within forty-five (45) days (see “Appeal Information” below).

Depending on where you live, you may have a right to lodge a complaint with a supervisory authority or other regulatory agency if you believe that we have violated any of the rights concerning Personal Information. We encourage you to first reach out to us, so we have an opportunity to address your concerns directly. Please see “How to Contact Us” below for our contact information.

15. APPEAL INFORMATION
 
Some states provide their residents with the right to appeal if we refuse to complete a privacy request.

The appeal must be sent within a reasonable time after our refusal. If you submit a privacy right request and we refuse to act on it, we will let you know, within thirty days (30) of receipt of your request, of our reason for declining to act. We will also provide you with a link to our Privacy Rights Appeal Form.

Within forty-five (45) days of receipt of your appeal, we will inform you of any actions we took (or did not take) in response to your appeal, along with a written explanation of the reasons for our decision. If your appeal is denied, you may have the right to submit a complaint to the Attorney General of your state, if applicable.

16. STATEMENT REGARDING BIOMETRIC INFORMATION
 
When we refer to “biometric information,” we mean information about your physical or biological characteristics (sometimes called biometric identifiers” that identify you. Information like eye, hand, or face scans; fingerprints; and voiceprints may be considered biometric information if they are being used to identify you by technical means.
 
We collect and use biometric information, including facial recognition data, solely for the purpose of protecting against identity theft, preventing fraud, and verifying your identity. We may also collect voiceprints for the same purposes. We only use biometric information for these purposes. All biometric information is not collected or stored by us directly. Instead, it is collected and stored by our third-party vendors, such as IDology, at our direction. We do not share biometric information with any other third parties (other than our aforementioned service providers or as required by law) and will not sell, lease, trade, or otherwise profit from your biometric information.
 
This biometric information is only stored so long as needed. Our Vendors will store facial recognition biometric information for no more than thirty (30) days, and voiceprints, if collected, will be stored and used for the duration of our customer relationship with you or as otherwise permitted by law. In any event, we will only cause our vendors to use and store biometric information until (i) the purpose for collecting the information has been satisfied, or (ii) you no longer utilize our products and services, unless we are legally required to keep information for a different period.
 
In addition, we have contractually required all vendors who handle or store biometric information to comply with all applicable laws and regulations, and we and our vendors have taken reasonable measures to ensure the safety and security of your biometric information, consistent with how we protect and safeguard other personal or sensitive information. We seek to comply with all applicable laws, including those that require us to obtain your consent with respect to biometric information. To that end, to access certain products or services, you may be required to fill out additional forms or otherwise indicate your consent to the collection of biometric information.

17. HOW TO CONTACT US
 
Privacy Requests

To send a request about privacy rights, please:

• Contact us via email;
• Provide enough information to identify you (e.g., your full name, physical address, email address);
• Provide proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill); and
• Provide a description of what right you want to exercise and the information to which your request relates.

We will respond within thirty (30) days. Please note, we will not make any information disclosures to you if we cannot verify your identity and verify that the information requested belongs to you or someone that you are authorized to act for. Any Personal Information we collect from you to verify your identity, in connection with your request, will be used solely for the purposes of verification.

Contact Details

If you have any questions, concerns, or requests about our use of your Personal Information, please contact us using our contact details below.