Online Privacy Practices

Effective: March 18, 2024

We value our customers' privacy, which is why we are committed to being transparent about our privacy practices. These Online Privacy Practices (“Policy”) describe the collection, use and disclosure of your information when you visit and use our website at usdirectexpress.com or the Direct Express^® Mobile App (hereinafter “Platforms”) which are operated by Comerica Bank. For more information about how we handle Personal Information when providing your Direct Express^® Card service, including when you log in to access your account information, please refer to our Notice of Privacy Practices.

Your use of our Platforms, including disputes concerning privacy, is subject to these Online Privacy Practices and the Online and Mobile Terms & Conditions. By using our Platforms, you are accepting the practices set out in these Online Privacy Practices and our Online and Mobile Terms & Conditions.

As used in this Policy, the terms described below have the following definitions:

Personal Information means data that is processed by or on behalf of us that can be associated with or reasonably linked with an identified or identifiable person or household. Personal Information does not include information that does not identify a specific user.

Process or Processing means any method or way that we handle Personal Information or sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and consultation, disclosure by transmission, disseminating or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Information.

QUICK LINKS

1. Personal Information We Collect And Use
1. Personal Information You Provide
2. Information Collected From Your Devices
3. Personal Information Provided by Others
4. Other Reasons we may Process Your Personal Information
2. Cookies And Other Tracking Technologies
3. De-Identified and Aggregate Data
4. How We Share Personal Information
5. Disclosures Applicable to California Residents
1. Legal Categories of Personal Information
2. Disclosures of Personal Information for a Business Purpose
3. California Privacy Rights
4. Additional California Privacy Rights (Shine the Light Notice)
5. How to make a Request and What to Expect
6. Children's Privacy
7. Data Retention
8. How We Protect Your Personal Information
9. Changes To This Policy
10. Contact Us

1. Personal Information We Collect And Use

We collect Personal Information about you directly from you, automatically from your devices, and from third parties. Where we collect data about you from one of these sources, we have outlined the purposes for its collection and the Personal Information collected for that purpose below.

1. Personal Information You Provide

   You may provide us with Personal Information directly through your interactions with us for the following purposes:

   • Account Registration: When you register with us, we collect Personal Information to verify your identity and register you with an online profile, including the last four digits of your Card Number, CVV, Card expiration Date, Social Security Number, phone number, user ID and password directly from you.
2. Information Collected From Your Devices

We use cookies, pixels (web beacons) embedded scripts, and other tracking technologies (“Tracking Technologies”) on our Platforms which collect information about your use of our Platforms automatically. We may collect information about how you use our Platforms from your device(s) or browser, for the following purposes:

• Operate Platforms: In order to operate our Platforms, troubleshoot bugs and provide technical support, we collect certain Usage Information through the use of cookies, pixels (web beacons) and similar technologies, which may include, Internet Protocol (IP) address, domain name, click activity, actions you take on the pages you visited on our Platforms, log information about your use of the Platforms, browser information, operating system, internet service provider and/or date/time stamp automatically from your device(s).


• Analyzing and Improving our Products and Services: To better understand how our customers and visitors use our Platforms, to improve our Platforms, Services and business operations, and to develop new products and services, we may collect Usage Information through the use of cookies, pixels (web beacons) and similar technologies, which may include, Internet Protocol (IP) address, domain name, click activity, actions you take on the pages you visited on our Platforms, log information about your use of the Platforms, browser information, operating system, internet service provider, and/or date/time stamp automatically from your device(s).


• Permissions Specific to Android Devices: We or our third-party vendors may also collect following information specific to customers who use Android devices:
  • Biometric information: Allows us to collect your biometric information, such as your fingerprint, when you log in to one of our mobile applications.
  • Application permissions: Allows Google Play Store to keep a record from where you downloaded one of our mobile applications.
  • Read phone state: Allows us to know if you are on a call while using one of our mobile applications. This helps us to detect and prevent fraud.

For more information about our use of Tracking Technologies, see “Cookies and Other Tracking Technologies” section below.

3. Personal Information Provided by Others
• Operate Platforms:Operate Platforms: In order to operate our Platforms, troubleshoot bugs and provide technical support, we collect certain Usage Information through the use of third-party cookies, pixels (web beacons) and similar technologies, which may include, Internet Protocol (IP) address, domain name, click activity, actions you take on the pages you visited on our Platforms, log information about your use of the Platforms, browser information, operating system, internet service provider date/time stamp from third party service providers


• Analyzing and Improving our Products and Services: To better understand how our customers and visitors use our Platforms, to improve our Platforms, Services and business operations, to develop new products and services, we may collect Usage Information through the use of third-party cookies, pixels (web beacons) and similar technologies, which may include, Internet Protocol (IP) address, domain name, click activity, actions you take on the pages you visited on our Platforms, log information about your use of the Platforms, browser information, operating system, internet service provider and date/time stamp from third party service providers.


• Protecting our Business: To protect and secure our business, systems, the Services and our websites, to investigate, prevent, detect and respond to fraud, unauthorized access, or other potential threats to the rights and safety of any individual or third party, or other unauthorized activities or misconduct, we may collect Usage Information and Log Information, which may include, Internet Protocol (IP) Address, device information, browser information, actions you take on the pages you visited on our Platforms, and date/time stamp from third party service providers.


4. Other Reasons we may Process Your Personal Information

In addition to the foregoing, we may use Personal Information as described in this Policy for the following business purposes:

• Defending Legal Rights: To manage and respond to actual and potential legal disputes and claims, and to otherwise establish, defend, or protect rights or interests, including in the context of anticipated or actual litigation.


• Auditing, Reporting, Governance and Internal Operations: To conduct our business, including fulfilling our financial, tax and accounting obligations, such as audits, assessments, privacy, security, and financial controls, accounting, record keeping and legal functions, any actual or contemplated merger, acquisition, asset sale or transfer, financing, bankruptcy, or restructuring of all or part of our business.


• Complying with Legal Obligations:To comply with the law, our legal obligations and legal processes (such as warrants, subpoenas, court orders, and regulatory or law enforcement requests).

For more information about our use of Tracking Technologies, see “Cookies and Other Tracking Technologies” section below.

2. Cookies And Other Tracking Technologies

As mentioned above, we collect information from your online visits to our Platforms and your use of our online banking services to help gather statistics about usage and effectiveness, personalize your experiences and tailor our interactions with you. We do so through the use of various technologies, including the use of cookies, web beacons and other use-tracking devices.

• Cookies. A “cookie” is generally a small piece of data sent from a website and stored in a user's web browser while the user is browsing the internet. A “session cookie” is a cookie that exists in temporary memory only while the user is reading and navigating a particular website. A session cookie is typically deleted when the user closes his or her browser. A “persistent cookie” is a cookie that generally outlasts the user's current online session and may be sent back to the server every time the user visits the same website. Persistent cookies are commonly referred to as “tracking cookies” since the user's activity on a particular website may be tracked over time.


• Web Beacons. A “web beacon” is an object that is embedded in a web page or e-mail and is usually invisible to the user but allows checking that a user has viewed the page or e-mail. It is basically a technique to track who is reading a web page or e-mail. Web beacons, also called “web bugs” are often invisible to the user because they may be very small (only 1-by-1 pixel) and/or are made to blend in with the background color of the webpage, document, or e-mail message. Web bugs are identified with HTML IMG tags in the webpage.


• Other Technologies. We may use other use-tracking devices, which may change from time-to-time as technology changes, to help diagnose problems and to administer our Platforms. We also may track browser types to help us understand our visitors' needs related to our Platforms design.

Cookies and Tracking Technologies can be categorized based on their function. Our Platforms uses the following categories:

• Necessary. These are required for the operation of our Platforms, such as to ensure security and fix bugs. These cookies cannot be switched off. You can set your browser to block or alert you about these, but some parts of our Platforms may not work if you do.
• Analytics. These allow us to analyze Platforms usage and understand how visitors use it. These may recognize and collect information about the number of visitors, the pages they view, how long they view pages and how they move around our Platforms when they are using it. This helps us to improve the way our Platforms works, for example, by ensuring that visitors are easily finding what they are looking for.

Your browser settings may allow you to automatically transmit an opt-out preference signal or “Do Not Track” signal to online services you visit. Our Platforms currently are not designed to respond to Do Not Track signals received from web browsers.

Please note that if you set your browser to disable cookies or other tracking mechanisms, then your experience using our online services may not be the same depending on the particular service. Specifically, functionality of a service may be limited, may not function properly, or may not work at all. These functionalities include, but are not limited to, settings as to screen size and appearance, logon verification, and pre-populated information.

Our mobile applications may include third-party SDKs that allow us and our service providers to collect information about your mobile app activity. In addition, some mobile devices come with a resettable advertising ID (such as Apple’s IDFA and Google’s Advertising ID) that, like cookies and pixel tags, may allow us and our service providers to identify your mobile device over time for advertising purposes in compliance with applicable app store consent rules.

3. De-Identified and Aggregate Data

We may de-identify and aggregate data for its business purposes, including but not limited to, to improve the Platforms, to maintain the security and integrity of its systems, for analytics, and other legitimate business purposes. Where we process De-identified Data, we commit to maintain and use the information in de-identified form and not attempt to reidentify the information, except where permitted by law. We may disclose De-identified Data to third parties who commit themselves to maintaining the De-identified Data in de-identified form and not attempt to re-identify the data for any business purpose.

4. How We Share Personal Information

We may share information about you to third parties as indicated below:

• With other companies that provide services to us: We may share personal information with third-party service providers that perform services and functions at our direction and on our behalf. These third-party service providers may, for example, assist us in operating and maintaining our Platforms, protect and detect fraud, secure our systems, etc. We do not sell your information to these third-party service providers.
• In aggregated, de-identified form to provide data to third parties for our benefit: We may provide aggregated statistical data to third-parties for our own analytics and business purposes. This data will not personally identify you or provide information about your specific use of the Platforms.
• With other third parties for our business purposes or as permitted or required by law: We may share information about you with other parties for our business purposes or as permitted or required by law, including:
• if we believe, in our sole discretion, that the disclosure of Personal Information is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity;
• to investigate violations of or enforce a user agreement or other legal terms applicable to any Service;
• to protect our property, Services and legal rights;
• to help assess and manage risk and prevent fraud against us, our customers and fraud involving our Platforms or use of our Services; and
• to support our audit, compliance, and corporate governance functions.
• Compliance with Legal Obligations: We may need to disclose certain information to auditors, government authorities, law enforcement, regulatory agencies, our legal counsel, third party litigants and their counsel, or other authorized individuals in order to comply with laws that apply to us, or other legal obligations such as contractual requirements.
• Changes in Business Structure/Ownership: We may disclose or transfer your Personal Information to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or ownership interest (including any bankruptcy or similar proceedings).

We do not sell any individual's Personal Information, nor do we share that Personal Information with third parties for those parties' commercial use.

5. Disclosures Applicable to California Residents

The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) requires us to disclose information related to the privacy rights that California Residents have regarding their personal data, the Legal Categories of Personal Information we have collected (including the source, purpose, and business purposes we may share your Personal Information and with whom), and the process for exercising your rights under California Law. If you are a California Resident, this section is applicable to you.

All capitalized terms used in this Section not defined in this Policy shall have the same meanings as given under the CCPA and CPRA.

1. Legal Categories of Personal Information

To help describe our practices in the preceding twelve (12) months, including the Legal Categories, Sources, Purpose for Collection and Use, and our Sharing with Third Parties for a Business Purpose, we have summarized this in the Privacy Chart below. We have not sold Personal Information with Third Parties in the preceding twelve (12) months.

Privacy Chart

Category	Sources	Purposes for Collection and Use	Sharing with Third Parties for a Business Purpose
A. Identifiers.   A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.	Directly From You Automatically From Your Device	Account Registration Operate the Platforms Improve the Platforms and Services	Security Analytics Operate the Platforms
B.   Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).   A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, marital status, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.	Directly From You	Account Registration	Security Fraud Prevention Analytics
C.   Protected classification characteristics under California or federal law.   Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	Not Collected	Not Collected	Not Collected
D.   Commercial information.   Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	Not Collected	Not Collected	Not Collected
E.   Biometric information.   Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, DNA data, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	Not Collected	Not Collected	Not Collected
F.   Internet or other similar network activity.   Browsing history, search history, information on an employee's interaction with a website, application, or advertisement.	Automatically from Your Device	Analytics Improve Platforms and Services Operate the Platforms	Security Fraud Prevention Analytics Improve the Platforms and Services
G.   Geolocation data.   Data that can identify a consumer's physical location or movements.	Automatically from Your Device ·	Provide ATM Locator Feature	Not Shared
H.   Sensory data.   Audio, electronic, visual, olfactory, or similar information.	Not Collected	Not Collected	Not Collected
I.     Professional or employment-related information.   Current or past job history or performance evaluations.	Not Collected	Not Collected	Not Collected
J.    Education information as defined by the Family Education Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).   Information that is not publicly available maintained by an education agency or institution related directly to a student.	Not Collected	Not Collected	Not Collected
K.   Inferences drawn from other personal information.   Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	Not Collected	Not Collected	Not Collected
L.   Sensitive personal information.   Personal information that reveals a consumer's: Social Security number, driver's license number, state identification card number, or passport number; a consumer's account log-in, financial account, debit card, or credit card number in combination with any security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer's mail, email, and text messages (not business related); genetic data; biometric data used to uniquely identify a consumer; health data; or data related to sex life or sexual orientation.	Directly from You Automatically from Your Device	Account Registration Provide ATM Locator Feature	Not Shared

2. Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, we have disclosed the following categories of Personal Information for a business purpose:

1. Category A: Identifiers.
2. Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
3. Category G: Geolocation data.
4. Category F: Internet or Other Similar Network Activity.
5. Category L: Sensitive personal information.
No Sales of Personal Information

In the preceding twelve (12) months, we have not sold any Personal Information.

3. California Privacy Rights

For the Personal Information that we collect about you pursuant to this Policy, you may have the following rights or choices that we will accommodate where your requests meet legal and regulatory requirements and do not risk making our other data less secure or changing our other data. You may also designate an authorized agent to make a request on your behalf.

Access/ Know:

You may have the right to know the categories of Personal Information collected about you, the business purposes we use and share your Personal Information, and to know whether your Personal Information is disclosed / Sold and to whom. You also may have the right to access your Personal Information and to receive a copy of your information.

Deletion:

You also may request that we delete your Personal Information. Note, however, that we may not always be able to comply with your request to delete for specific legal reasons, in which case we will notify you of these reasons.

Limit Use and Disclosure of Sensitive Personal Information:

You may have the right to direct us to limit our use of your sensitive Personal Information to that use which is necessary to perform the services and which is reasonably expected by the average consumer requesting the services.

Non-Discrimination / Non-Retaliation:

You may have the right not to receive discriminatory treatment by the us because you exercise your privacy rights.

Opt out of the Sale or Sharing

You may have the right to opt out of the Sale of your Personal Information, to the extent applicable. We do not engage in the Sale of Personal Information. You may also have the right to request that we do not Share certain Personal Information with third parties.

Opt out of Profiling and/or Cross-Context Behavioral Advertising:

You may have the right to opt out of the Processing of your Personal Information for the purposes of Cross Context Behavioral Advertising or Profiling which is used in furtherance of decisions that produce legal or similarly significant effects. “Profiling” means any automated processing of Personal Information to evaluate, analyze, or predict aspects concerning an individual's economic situation, health, personal preferences, interest, reliability, behavior, location or movements. We do not engage in Profiling or Behavioral Advertising activities.

Request Correction:

You may have the right to request correction of the Personal Information that we hold about you. We may need to verify the accuracy of the new data you provide to us.

4. Additional California Privacy Rights (Shine the Light Notice)

Pursuant to California Civil Code § 1798.83 (California Shine the Light Law), California residents may have the right to request:

• A list of the categories of the “Personal Information” as defined by law disclosed to third-parties without your consent, other than with our affiliates, for direct marketing purposes during the preceding calendar year; and
• The nature of the third-parties' business, if any.

We do not share Personal Information with non-affiliate third parties for their direct marketing purposes absent your consent. If you are a California resident, you may request information about our compliance with the Shine the Light law and/or withdraw previously given consent to sharing with non-Affiliate third parties for their direct marketing purposes by contacting using the methods in the “Contact Us” section below. Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than those provided in the Contact Us section.

5. How to make a Request and What to Expect

How to Make a Request. If you are a California Resident and you would like to make a request to exercise any of your privacy rights, you should call us at 1-888-741-1115.

Verification. For some requests, we may be required to verify your identity, meaning that we need to make sure that you are the individual about whom the Personal Information we hold relates. Where we request information to verify your identity, we will not ask you to provide new information that we do not already hold about you.

Responding to Requests. Your request will be evaluated to determine whether the request meets the legal requirements and if we are able to honor it. For example, we may not be able to re-identify information relating to an individual who visits our Platforms but is not a customer with us. We make every effort to respond to privacy requests within forty-five (45) days of when they were made to us. In the event that we need more time, we will notify you.

Requests by Authorized Agents. You may designate an authorized agent to make a request on your behalf. Privacy laws require that any request you submit to us is subject to an identification and verification process, and confirmation of the agent’s authority, which may include attestation under penalty of perjury. Absent a power of attorney, we will also require the consumer to verify their own identity. We may verify identity based on matching information you provided with data we have maintained on you in our systems.

6. Children's Privacy

In accordance with the Children's Online Privacy Protection Act (“COPPA”), we do not knowingly request or solicit Personal Information from anyone under the age of thirteen (13) nor will we knowingly allow anyone under the age of thirteen (13) to create a user account. In the event that we receive actual knowledge that we have collected such Personal Information without the requisite and verifiable parental consent, we will delete that information from our database as quickly as is practical. We reserve the right to request proof of age at any stage so that we can verify that minors are not using the Services.

7. Data Retention

We will only retain your Personal Information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Information, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements. After the retention period has expired, we will delete your Personal Information.

8. How We Protect Your Personal Information

We strive to maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Information against loss, misuse, unauthorized access, disclosure, and alteration. Security measures may include firewalls, data encryption, access controls to our data centers, and information access authorization controls.

While we are dedicated to securing our systems and Services, we cannot guarantee that loss, misuse, or alteration will never occur. Please keep in mind that no method of storage or transmission over the Internet is completely secure, so your use of our Platforms and provision of information to us is at your own risk.

Do not share your password(s) and account information with anyone. You are responsible for maintaining and verifying that the Personal Information we hold about you is accurate and current. We recommend that when you complete your online transactions to log off completely before visiting other sites and/or restart your personal computer. This may clear your cookies. We also recommend that you do not visit other sites during your online banking session with us.

9. Changes To This Policy

We reserve the right to change our Online Privacy Practices. If we make updates to our Online Privacy Practices, we will update the Online Privacy Practices and revise the “Effective Date” at the top of these Online Privacy Practices. Any updates to our Online Privacy Practices become effective when we post the updates to our website. Your continued use of any portion of our website following the posting of the updated Online Privacy Practices will constitute your acceptance of the changes.

10. Contact Us

For questions regarding this Policy or to make a request pursuant to this Policy related to your Personal Information, contact us by calling 1-888-741-1115.