Privacy & Data

Oxleigh State Bank may use third-party service providers for analytics, marketing, IT services, customer support, payment processing, and fraud prevention. These providers are contractually required to protect your personal information and may only use it for the purposes we authorize.

Examples include cloud hosting, identity verification services, fraud monitoring tools, email delivery providers, and customer communication platforms. We evaluate providers carefully to ensure they meet our privacy and security standards.

If information is accessed or transferred outside the United States, we take steps to ensure that the data remains protected in accordance with U.S. privacy laws and banking security standards.

Certain operations may involve cross-border processing for regulatory compliance, payment processing, customer support, or technology infrastructure. Regardless of where processing occurs, we apply consistent security and confidentiality requirements.

We may use your contact information to send informational messages about your account, service updates, or product announcements. Where permitted by law, we may also send promotional communications about products, services, and events.

You can opt out of marketing communications at any time by using the unsubscribe link in an email, updating preferences (where available), or contacting our support team through our Contact Us page.

In some cases, automated systems may be used to evaluate applications, detect fraud, reduce risk, or assess creditworthiness. These systems may use algorithms and scoring models based on the information you provide and information from permitted third-party sources.

If legally required, you may request human review of certain automated decisions. If you have questions about a decision, please contact us through our Contact Us page.

In the unlikely event of a data breach, Oxleigh State Bank will comply with federal and state notification requirements. If your personal information is impacted, we will notify you promptly with information about what happened and recommended steps to protect your account.

Notifications may be delivered via email, postal mail, secure message, or phone depending on the nature and severity of the incident.

We use cookies and similar technologies to support essential site functionality, protect against fraud, measure performance, and improve user experience. Some cookies are necessary for secure login sessions and to maintain site preferences.

You may control cookies through your browser settings. Disabling certain cookies may limit functionality such as secure login sessions or preference saving.

Oxleigh State Bank may update this Privacy & Data policy from time to time to reflect changes in legal requirements, banking practices, or technology. The “Last Updated” date at the top of this page indicates the most recent revision.

We encourage you to review this policy periodically. Continued use of our services after an update constitutes acceptance of the revised policy.

You have the right to request access to the personal information we hold about you and request corrections to inaccurate, incomplete, or outdated data. Depending on your jurisdiction, you may also have the right to request deletion, restriction, or portability of certain personal information.

Requests can be submitted through our Contact Us page or via your secure online banking portal (where available).

For security purposes, we may require identity verification before processing a request. We aim to respond within a reasonable timeframe and in accordance with applicable privacy laws.

We retain personal information only as long as necessary to provide services, comply with legal and regulatory obligations, resolve disputes, and enforce agreements.

Retention periods vary depending on the type of data, regulatory requirements, and business needs. When data is no longer required, it is securely deleted, anonymized, or archived according to legal requirements.

Oxleigh State Bank employs industry-standard technical, administrative, and physical safeguards to protect personal information against unauthorized access, disclosure, alteration, or destruction.

Security measures may include encryption in transit and at rest, multi-factor authentication, access controls, secure firewalls, intrusion detection systems, and routine security audits.

Even with strong safeguards, no method of electronic storage or transmission is completely secure. Users are encouraged to protect their credentials and report suspicious activity immediately.

Our services are not directed at children under the age of 13 (or a higher minimum age required by local law). We do not knowingly collect personal information from children without parental consent.

If you believe we have inadvertently collected information from a child, please contact us through our Contact Us page and we will take appropriate steps to delete it.

Where legally required, you may request a copy of certain personal information in a structured, commonly used, and machine-readable format. This may allow you to transfer your data to another provider or retain it for your records.

Requests must be submitted through secure channels and may require identity verification.

We may disclose personal information if required by law, court order, subpoena, regulatory authority, or to prevent fraud, financial crime, or illegal activity.

When disclosure is required, we limit it to what is necessary and handle the process with strict confidentiality and security.

We may use cookies, pixels, or similar technologies to deliver advertising that may be more relevant based on your browsing activity. This is sometimes called interest-based advertising.

You may opt out of interest-based advertising through industry tools such as YourAdChoices or through your browser/device settings.

Some browsers transmit “Do Not Track” signals. At this time, our systems do not automatically alter tracking behavior in response to these signals. However, we provide options to manage cookies and marketing preferences where applicable.

We may collect technical information such as browser type, IP address, operating system, and device identifiers. This helps us maintain site functionality, optimize performance, detect fraud, and improve security.

This information is generally used in aggregated form and is not intended to identify you personally unless needed for security purposes.

Oxleigh State Bank is committed to making its website accessible in accordance with the WCAG 2.1 AA guidelines.

If you encounter accessibility barriers or require alternate formats, please contact us via our Contact Us page.

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of external sites. We encourage you to review their privacy policies before providing any personal information.

If you have questions, concerns, or complaints regarding this Privacy & Data policy, you may contact our Privacy Officer:

• Email: privacy@oxleigh.com
• Phone: 1-800-XXX-XXXX
• Mail: Oxleigh State Bank, Attn: Privacy Officer, 123 Main Street, City, State ZIP

We take privacy inquiries seriously and will respond within a reasonable timeframe.

This Privacy & Data policy is provided for informational purposes only and does not create a contract or alter any existing agreements. Terms may change without notice.

Oxleigh State Bank reserves the right to update policies as necessary to comply with applicable laws and regulations. Users are responsible for reviewing this page periodically.

Non-personal or aggregated data may be retained indefinitely for analysis, reporting, product improvement, and service optimization. Examples include anonymized traffic statistics and aggregated survey results.

We may use analytics tools to monitor website performance, measure engagement, and improve usability. Analytics providers may collect information through cookies or scripts.

Where possible, analytics are anonymized or aggregated to reduce privacy impact.

If you participate in surveys, polls, or feedback forms, responses may be used to improve our products and services. Participation is voluntary and any personal information submitted will be handled according to this policy.

When you use Oxleigh State Bank, we may collect and process account-related information such as account numbers (masked where appropriate), balances, transaction history, payment instructions, beneficiary details, and related metadata.

This information is used to provide banking services, process transactions, prevent fraud, comply with financial regulations, and provide accurate customer support.

As a financial institution, we may be required to verify your identity under Know Your Customer (KYC) and anti-money laundering laws. This may include collecting and verifying information such as your name, address, date of birth, government-issued identification, and other supporting documentation.

We may also use third-party identity verification services to confirm authenticity and reduce fraud risk.

We actively monitor accounts and transactions to detect fraud, account takeover attempts, identity theft, and other suspicious activity. This may involve automated systems, behavioral analytics, and risk scoring.

Where required, suspicious activity may be reported to relevant authorities in accordance with applicable laws.

When you access our website or online banking portal, we may automatically collect information such as IP address, device type, browser type, operating system, session timestamps, pages visited, and error logs.

This information helps us maintain security, troubleshoot issues, prevent abuse, and improve performance.

If you contact us through phone, email, chat, or online forms, we may keep records of those communications. This may include support tickets, call recordings (where permitted by law), chat transcripts, and email history.

These records help us resolve issues, improve service quality, and meet regulatory requirements.

If supported by your device, you may choose to use biometric authentication such as fingerprint or facial recognition to access your account. Biometric data is generally stored on your device and not transmitted to Oxleigh State Bank.

We may store authentication logs such as login timestamps, failed login attempts, and security events to protect your account.

To protect your account, we may use multi-factor authentication (MFA/2FA) such as one-time codes via SMS, email, authenticator apps, or secure banking portal verification.

You are responsible for keeping your authentication credentials secure and not sharing one-time codes with anyone.

We use personal information for the following purposes:

• To provide, operate, and maintain our banking services
• To process payments and transactions
• To verify identity and comply with regulatory requirements
• To detect, prevent, and investigate fraud and security incidents
• To provide customer support and respond to requests
• To improve our website, mobile experience, and product offerings
• To send important account, security, or service communications

We do not sell your personal information. However, we may share information in limited circumstances such as:

• With service providers who help us operate and secure our services
• With payment networks, processors, and financial partners to complete transactions
• With regulators, auditors, and law enforcement where legally required
• With affiliates or successor entities in the event of a merger, acquisition, or restructuring
• With your consent or at your direction

We may share information with affiliated entities for operational, compliance, and risk management purposes. If Oxleigh State Bank is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to applicable confidentiality and privacy requirements.

As a regulated financial institution, we may be required to retain certain records for a minimum period of time, even if you close your account. These requirements may arise from banking, tax, anti-money laundering, and consumer protection laws.

Where required, we retain information securely and limit access to authorized personnel.

Depending on your jurisdiction, you may have privacy rights such as:

• The right to access personal information we hold about you
• The right to request correction of inaccurate information
• The right to request deletion (subject to legal obligations)
• The right to object to certain processing activities
• The right to withdraw consent where processing is based on consent

To submit a request, please use our Contact Us page.

Oxleigh State Bank will never ask for your password, PIN, or full authentication codes via email or unsolicited phone calls. If you receive suspicious messages claiming to be from us, do not click links or share personal information.

If you believe your account has been compromised, contact us immediately through official channels.

We recommend the following best practices to help protect your account:

• Use a strong, unique password
• Enable multi-factor authentication where available
• Do not share login credentials or one-time codes
• Log out after using shared or public devices
• Keep your browser and operating system updated
• Monitor your account regularly for unusual activity

We only collect personal information that is reasonably necessary for banking operations, legal compliance, service delivery, and account security. We do not collect personal information that is unrelated to these purposes.

Access to personal information is restricted to authorized personnel and service providers who need it to perform their duties.

Employees and contractors are required to follow confidentiality obligations and security policies. Access to customer information is controlled and monitored. Unauthorized access or misuse may result in disciplinary action and legal consequences.

We take reasonable steps to ensure personal information is accurate, complete, and up to date. Customers are encouraged to update account details promptly when changes occur.

If you believe information is incorrect, you may request an update through your secure online banking portal or via our Contact Us page.

We maintain an internal incident response process to detect, respond to, and recover from security events. Our systems may generate logs and alerts to monitor suspicious activity, protect infrastructure, and ensure availability.

Where appropriate, we may temporarily restrict access or require additional verification to protect customers.