Last Updated: January 1, 2023

This California Privacy Policy applies to the processing of California residents’ personal information (“consumer” or “you”) by Efinancial, LLC (“we,” “us,” or “our”). This California Privacy Policy supplements and does not replace our website Privacy Policy and Terms of Use, and only applies to the extent the personal information is subject to California’s privacy laws.

Collection and Use

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information”).

When you provide us information on the contact us form, we use that information to reach out to you and offer products we think you may be interested in. We do not sell that information. Below we describe what personal information we collect, how we use it, and when (and to whom) we may disclose that information.

Types

During the last 12 months, we may have collected the following categories of personal information:

Identifiers

• Examples: Name, postal address, email address, IP address, Social Security number, driver’s license number

Customer Records

• Examples: Name, signature, Social Security number, postal address, telephone number, driver’s license or state identification card number, insurance policy number, employment, bank account number, credit card number, or debit card number

Protected Characteristics

• Examples: Age, citizenship, marital status, medical condition, physical or mental disability, sex (including pregnancy)

Internet or Network Activity

• Examples: Browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement

Employment Information

• Examples: Current employment-related information

We may also collect the following categories of sensitive personal information: medical information, demographics (such as citizenship and ethnic origin).

Sources

We collect personal information from the categories listed above from one or more of the following sources:

• You, such as when you request a quote, fill out an application, file a claim, use our online services;
• Your transactions with us;
• Service providers who interact with us in connection with the products and/or services we provide;
• Digital resources, such as cookies, web beacons, embedded scripts, and other recognition or tracking technologies.

Purposes

We may collect and use the personal information we collect for one or more of the following purposes:

• Help maintain the safety, security, and integrity of our website, information systems, databases and other technology assets;
• Personalize the website experience and to deliver content and product and service offerings relevant to your interests;
• Respond to legal requests;
• Provide you with the services that you request, such as by completing transactions, processing registration, providing quotes, or processing your application for one of our products;
• Communicate with you, such as responding to inquiries or providing you with information about products that may be of interest;
• Maintain or improve the security of our website and information systems;
• Support, personalize, and improve our website, products, and services.

We do not use sensitive personal information for any purpose other than those referenced in 1798.121(a).

We will not collect additional categories of personal information or use the personal information collected for materially different, unrelated, or incompatible purposes without providing notice.

Retention

We keep your personal information for a period of time consistent with our retention policy. Unless you agree, we will not keep your personal information for any longer than necessary for the disclosed purpose related to why we collected your information.

Disclosures

In the last 12 months, we have disclosed the following categories of personal information to the following categories of entities:

• Financial institutions: Identifiers and customer records information
• Payment processors: Identifiers and customer records information
• Data storage providers: Identifiers; customer records information; protected classifications; biometric information; professional or employment related information; audio, electronic, visual, thermal, olfactory, or similar information
• Business communication and collaboration partners: Identifiers; customer records information; protected classifications; biometric information; professional or employment related information; authentication data; audio, electronic, visual, thermal, olfactory, or similar information; geolocation data; and commercial information

We may have also disclosed your personal information to service providers and others as described in our general privacy policy.

Sales and Sharing

We may obtain information about customers or potential customers from third parties. We use the information to market and offer products. We may also sell that information to other third parties.

In the preceding 12 months, we may have sold personal information to third parties to market insurance products that may be of interest to you.

We may also allow third parties to collect your personal information who then use that information to provide you targeted advertising.

Targeted advertising cookies used for cross-context behavioral advertising are considered “sharing” under applicable California privacy law. Our cookie policy has more information about how we use cookies.

To opt out of sales and sharing of personal information, you must:

• Reject all cookies in our cookie preference center or enable Global Privacy Control (“GPC”) on your browser; and
• Submit a request using our privacy portal or call 888-305-783.

To learn more about GPC, please visit http://globalprivacycontrol.org.

Interactive Services Notice, Consent, and Disclaimers

This website may provide interactive features, including features such as chatbot, managed chat, and session replay and other tracking related to your activities on this website. You agree that we may record and retain a transcript of all communications via these features and/or may record or recreate your activity while using the website, in order to provide services, enhance your website experience, and for quality and verification purposes. We may work with trusted service providers to analyze, store, and/or use this data on our behalf. Your use or access of any of these features or of our website is governed by this Policy and our Terms of Use.

Your Rights

California law provides you specific rights regarding your personal information, and we discuss below those rights and how you can exercise them. We understand the importance of these rights, and we will not discriminate against you for exercising them. You may only make a verifiable consumer request for access twice within a 12-month period.

Right to Know/Access

Subject to some limitations, you have the right to request that we disclose certain information to you about our collection and use of your personal information. You can ask that we disclose to you:

• The categories of personal information we collected about you;
• The categories of sources for the personal information we collected about you;
• Our purpose for collecting selling or sharing your personal information;
• The categories of third parties to whom we disclosed your personal information; and
• The specific pieces of personal information we collected about you.

Once we process your verifiable consumer request, we will disclose the information you requested—unless an exception applies.

Right to Delete

Subject to some limitations, you also have the right to request that we delete any of your personal information that we have collected. Once we process your verifiable consumer request, we will delete your personal information from our records, unless an exception applies.

Right to Correct

Subject to some limitations, you have the right to request that we correct inaccurate information about you. If we received a verifiable consumer request, we will begin processing your request for correction. We may ask you to submit additional information to help us evaluate your contention that our information about you is not accurate. And, sometimes, we may delete your information rather than correcting it—but we will only do this if it will not negatively affect you, or you consent to the deletion.

Exercising Your Rights

We only honor verifiable consumer requests. We offer two ways to submit such a request:

• Completing the form on our privacy portal.
• Calling 888-305-7832.
• Authorized agents and vendors. Submit requests using our authorized agent and vendor privacy portal.

Only you or your authorized agent may make a request related to your personal information, unless the personal information concerns a minor (i.e., a person younger than 13-years old). If your request is via an authorized agent, we may still verify your identity directly with you and/or confirm that you provided the agent with authorization.  For minors, a parent or guardian must make the verifiable consumer request on the minor’s behalf. If you are an agent making a request, we require additional documentation. Specifically, written permission from the consumer.

When you use our online form, it will ask you for certain information. When information is designated as being mandatory, that means we will be unable to verify your identity (or the identity of your authorized agent) without it. We cannot respond to your request or provide you with personal information if we cannot both verify your identity or authority to make the request and confirm that personal information we have relates to you.

Security

We implement reasonable security practices and procedures to protect our assets from unauthorized access, destruction, modification, or disclosure. We have implemented various policies in data protection, threat prevention, application security, and security awareness and education to help guard against unauthorized access to our customers and company data. Please be aware that no data security practices can guarantee 100% security of the personal data you share with us.

Vulnerability Disclosure Policy

Introduction

Vericity, the parent of Efinancial, LLC, is committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and conveying our preferences about how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems.

Authorization

If you make a reasonable faith effort to comply with this policy during your security research, we will consider your research to be authorized. Should legal action be initiated by a third party against you for activities conducted according to this policy, we will make this authorization known. We will work with you to quickly understand and resolve the issue, and Vericity will not recommend or pursue legal action related to your research.

Guidelines

Under this policy, “research” means activities in which you:

• Notify us as soon as possible after you discover an actual or potential security issue.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or use the exploit to pivot to other systems.
• Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
• Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Prohibited testing methods

The following test methods are not authorized:

• Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
• Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
• High intensity scanning that may affect the availability of Vericity’s systems and services.

Scope

This policy applies to Vericity Inc systems only. No third-party systems, service providers, or partners are in scope, e.g., Salesforce.

Any services not expressly listed above, such as any connected services, are excluded from the scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@vericity.com before starting your research.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.

Reporting a vulnerability

We accept vulnerability reports sent to security@vericity.com. Please encrypt the email using our PGP Public Key. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within three business days.

Vericity Security_0x2B046F5A_public.asc
04 May 2022, 04:07 PM

What we would like to see from you (Optional)

To help us triage and prioritize submissions, we recommend that your reports:

• Describe the location the vulnerability was discovered and the potential impact of exploitation.
• Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts and screenshots are helpful).
• Be written in English, if possible.
• Your disclosure plans, if any.
• Your desire for public recognition (include your name and LinkedIn profile, if desired)

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and quickly as possible.

• We will acknowledge that your report has been received within three business days.
• To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
• We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent to security@vericity.com. We also invite you to contact us with suggestions for improving this policy.

Updates to this Policy

We reserve the right to amend this California Privacy Policy at any time. We will post the updated policy on our website at www.efinancial.com and any changes will become effective when we do so.

Contact Us

If you have any questions or comments about this California Privacy Policy, the ways in which we collect and use your personal information, your choices and rights regarding your information, or wish to exercise your privacy rights under California law, please do not hesitate to contact us at 888-305-7832.