Privacy Notice for California Residents

Effective June 2022

Maintaining the privacy and security of your personal information is LightStream’s highest priority. In doing so, we want to provide transparency regarding how and why your data is collected, how it is used, and with whom it may be shared. This document, as well as LightStream’s Privacy Policy and Online Privacy Practices set forth how we will interact with your personal information. Specifically, it provides information on how you may exercise your California privacy rights. This Notice is directed to consumers who reside in the state of California and relates to collection, use, and disclosure of personal information covered by the California Consumer Privacy Act (CCPA). That said, all of our consumers are welcome to submit questions or requests about their data.

It is important to note that LightStream does not sell personal information. Because such sales do not occur, there is no link on our websites to opt-out of such activity.

To help ensure transparency around our handling of consumer personal information, we offer a portal with our partner, OneTrust, to facilitate receiving and processing requests related to accessing and potentially deleting your data. This portal helps us meet certain legal and compliance requirements such as those under the CCPA. It also gives non-CA consumers a vehicle to make similar requests.

CCPA Privacy Notice

LightStream’s Privacy Policy and Online Privacy Practices provide consumers details about our practices concerning the privacy of personal information. This Notice provides further information about our practices, along with details concerning how “Consumer Access” (“Right to Know”) and/or “Right to Request Deletion” requests may be submitted. This Notice is designed to provide additional information to California residents pursuant to CCPA.

The following are some general notes about LightStream’s practices related to the collection, use and sharing of personal information:

As a financial institution, it is necessary for us to collect certain personal information in order to provide our products and services, fulfill consumer requests, to comply with the federal and state laws, and other legal obligations.

Below is a list of categories of personal information we have collected in the past 12 months:

  • Personal identifiers (ex: name, contact information)
  • Demographic/Protected class information (ex. marital status, sex)
  • Government Issued data (ex: passport, driver’s license, SSN)
  • Biometric information (ex: voiceprints or fingerprints)
  • Commercial information (ex: purchase histories, transaction information)
  • Professional or employment-related information
  • Education information
  • Financial related data (ex: account number, account dates and balances, credit data, financial transactions)
  • Geolocation (ex: your IP address when visiting a LightStream website or your physical location when using an ATM)
  • Internet or other electronic network activity information (ex: browsing history)
  • Audio, electronic, visual, thermal or olfactory information (ex: voice recordings when you contact a call center)
  • Personally identifiable health information
  • Background/criminal records
  • Marketing opt-out/preference information
  • Inferences drawn from any of the above information

It is necessary for LightStream to share certain personal information with affiliates and/or trusted service providers in order to provide our products and services, and to comply with legal, regulatory, and contractual obligations. We may disclose each of the categories of personal information described above to such external or affiliated companies. When engaging service providers, LightStream ensures that such partners will maintain the information in accordance with our privacy and security standards, and only use the data for the use(s) specified in the contract. Below are categories of third parties with whom we share personal information:

  • Affiliates and other entities in the LightStream family
  • Businesses with which we partner to offer products and services for our clients or prospective customers, such as joint marketing or bill pay partners
  • Service providers that provide various services to us, such as those we use to help detect and prevent fraud, improve our online services, and to better market and advertise our services to you
  • Other parties when you authorize or direct us to share your information, such as when you use a third-party service to help manage your financial information across financial institutions or when you transfer funds from LightStream
  • Credit reporting agencies to report on or learn about your financial circumstances and as permitted by law
  • Government entities and other third parties as needed for legal or similar purposes, such as:
    • To respond to requests from our regulators
    • To respond to a warrant, subpoena, governmental audit or investigation, law enforcement request, legal order or other legal process
    • To facilitate a merger, acquisition, sale, bankruptcy, or other disposition of some or all of our assets
    • To exercise or defend legal claims

Purpose for Collection and Use

We collect and use personal information in order to conduct business, manage relationships and accounts, and maintain operational functions at LightStream. In the past 12 months, we have collected and used personal information for the following purposes:

  • Deliver, manage and support products and services (ex: account information, statements, notifications)
  • Manage business operations
  • Assess and manage risk, manage internal financials
  • Meet legal, regulatory, or compliance requirements
  • Manage fraud and financial crimes
  • Support and optimize channels and interactions (ex: improving website performance)
  • Perform services on behalf of another entity or business (ex: processing data for healthcare providers, or when LightStream acts as servicer or processor for another company)
  • Provide employee benefits and other services (ex: retirement, health), manage hiring, employment, performance, and staffing

Sources of Personal Information

LightStream collects information from various sources in the course of providing products and services to you, and the sources will vary based on the relationship and products or services we provide to a client or consumer. Below is a list of the categories of sources from which we obtain data:

  • Directly from you or your guardians/representatives
  • Outside service providers, vendors, and third parties from which we collect personal information or market data as part of providing products and services, completing transactions, or supporting operations
  • Outputs from analytics
  • Websites, mobile applications, and social media
  • Our affiliates or subsidiaries
  • Outside merchants or business partners such as credit card or lending partnerships, or corporate clients
  • Public records or publicly available data

LightStream's No Sale Policy

As noted above, LightStream has not sold personal information to third parties in the preceding 12 months, including personal information of minors under the age of 16. Therefore, there is no opt-out for the sale of data provided on our website, since there is no activity from which to opt out.

Consumer Access Requests

Consumers are welcome to submit requests to see, delete, or correct your personal data by visiting our Consumer Rights Request Portal, hosted by OneTrust:

  • To submit a data access request for yourself, click here
  • To submit a data access request on behalf of another individual, click here

If you need assistance completing the form or have any other questions or comments, you may email us at All requests must be verified prior to receiving a response, using LightStream authentication protocols. Requesters will be asked to supply certain basic Personal Information to enable us to validate the requestor is the consumer who is subject to the request, such as name, Social Security number, and address. Information submitted for verification purposes will only be used to verify the requestor’s identity and/or authority to make a request on another’s behalf.

Requests made on another person’s behalf can only be accepted upon receipt of documentation that the requestor is an authorized agent, parent, or legal guardian of the consumer whose information is being requested. This will require the submission of a valid Power of Attorney, Birth Certificate, approved LightStream authorization form, Guardianship Order, or other court order granting authority to receive information, as appropriate.

Upon submission of a request, CA consumers will receive an initial response confirming receipt within 10 days. A full response will be provided to CA consumers within 45 days (unless an extension of up to 45 additional days is requested, upon which the consumer will receive notice and an explanation for the extension).

Please note that LightStream adheres to an exemption within the CCPA for data collected pursuant to the Gramm-Leach-Bliley Act (GLBA). This enables us to best protect the security of our clients and consumers when responding to requests. Data provided pursuant to GLBA is often highly sensitive Personal Information, including financial data, that could lead to identity theft should it land in the wrong hands. We will continue to provide access to sensitive financial data only through our established, secure mechanisms to obtain that information such as online or mobile banking, or visiting a branch. Therefore, specific pieces of data collected pursuant to GLBA will not be provided through the Consumer Rights Access Request Portal.

"Right to Request Deletion" Requests

Consumers also have a right under the CCPA to request deletion of their personal information collected or maintained by LightStream.

The submission methods, authentication protocols, and time frames for response are identical to those referenced above in the “Consumer Access Requests” section. Keep in mind that the GLBA exemption and other legal exemptions may also apply to these requests. For example, LightStream cannot delete data provided by a client to service an active (or recently active) account, because such data is still needed to provide the product or service and/or meet legal retention requirements. Another example would be the inability to delete certain data that is subject to a legal hold.

LightStream will explain in its response the manner in which it has deleted the personal information. Or, if an exemption applies restricting LightStream’s ability to delete the data, LightStream will describe the basis for the denial of the request in its response. Should an exemption apply precluding the destruction of the data, LightStream will not use the consumer’s personal information for any other purpose than provided for by that exemption (for example, if certain data cannot be deleted due to a legal hold, we will ensure that such data is no longer used for LightStream marketing purposes).


The submission of a "Right to Know" or "Right to Request Deletion" request will have no impact on the service and/or pricing you receive from LightStream. It will not result in any denial of goods or services, or different prices, rates or quality of goods or services.


This Consumer Rights and CCPA Notice may be revised from time to time, so please review this page periodically. Any changes will become effective when we post the revised notice on the site (please note the effective date listed at the top of this page). If we revise this or other privacy notices in a manner that materially changes our privacy practices, we will provide conspicuous notice on our website and provide direct notice to our clients.

Contact Us

If you have any questions or comments on this notice or our privacy practices generally, please contact us at


In today's environment, where people are subjected to marketing calls, junk mail, and spam and are very concerned about fraud and identity theft, we recognize the seriousness of our responsibility to help maintain the privacy and security of your personal information. As a result, we have adopted privacy and security practices that go beyond minimum legal requirements in order to give you greater comfort. We invite you to compare what we do with any other lender that you are presently using or considering.

Recognize and prevent scams
We take your security seriously. Protect yourself from fraudsters who reach out to you pretending to be LightStream. Always confirm the caller is from LightStream before sharing personal information.

We are a Norton Secure Site:


For Nevada residents only, Nevada law requires that we also provide you with the following contact information:

Bureau of Consumer Protection, Office of the Nevada Attorney General
555 E. Washington St., Suite 3900
Las Vegas, NV 89101
Phone: 702.486.3132

We may modify this privacy and security policy from time to time. We will post such changes to this page and update the last revised date. If the changes to the policy are significant, we will provide a more prominent notice including, possibly, an email notification to you.

Privacy Policy

Rev. 02/2022

Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.
What? The types of personal information we collect and share depend on the product or service you have with us. This information can include:
  • Social Security number and income
  • account balances and payment history
  • credit history and credit scores
How? All financial companies need to share customers' information to run their everyday business—to process transactions, maintain customer accounts, and report to credit bureaus. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons LightStream chooses to share; and whether you can limit this sharing.
Reason we can share your personal information Does LightStream share? Can you limit this sharing?
For our everyday business purposes—
such as process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus
Yes No
For our marketing purposes—
to offer our products and services to you
Yes Yes (See below)
For joint marketing with other financial companies No We don't share
For our affiliates' everyday business purposes—
information about your transactions and experiences
Yes No
For our affiliates' everyday business purposes—
information about your creditworthiness
Yes Yes (See below)
For our affiliates to market to you Yes Yes (See below)
For nonaffiliates to market to you No We don't share
To limit our
  • LightStream customers, please go to Preferences in the customer service section of the LightStream web site to change your preferences to limit our sharing.
  • You may also email LightStream at
If you are a new customer, we can begin sharing information 30 days from the date you receive this notice. When you are no longer our customer, we may continue to share your information as described in this notice. However, you can contact us at any time to limit our sharing and to restrict telemarketing, direct marketing postal mail and email solicitations.
Who we are
Who is providing this notice? LightStream, and its affiliates.
What we do
How does LightStream protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.

Our employees are bound by our Code of Ethics and policies to access consumer information only for legitimate business purposes and to keep information about you confidential.
How does LightStream collect my personal information? We collect your personal information, for example, when you
  • open an account or deposit money
  • pay your bills or apply for a loan
  • use your credit or debit card
We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.
Why can't I limit all sharing? Federal law gives you the right to limit sharing only for
  • affiliates' everyday business purposes—information about your creditworthiness
  • affiliates to market to you
  • nonaffiliates to market to you
State laws and individual companies may give you additional rights to limit sharing.
What happens when I limit sharing for an account I hold jointly with someone else? Your choices will apply to everyone on your account—unless you tell us otherwise
Affiliates Companies related by common ownership or control. They can be financial and nonfinancial companies. LightStream is a division of Truist Bank.
  • Our affiliates include companies with Truist, BB&T, or Sterling Capital in their name, GenSpring Holdings, Inc., Regional Acceptance Corporation, McGriff Insurance Services, Inc., MBT, Ltd., and GFO Advisory Services, LLC.
Nonaffiliates Companies not related by common ownership or control. They can be financial and nonfinancial companies.
  • LightStream does not share information with nonaffiliates so they can market to you.
Joint marketing A formal agreement between nonaffiliated financial companies that together market financial products or services to you.
  • LightStream does not have any joint marketing partners.
Other important information
State and Local Regulations: If, in addition to federal law, you are protected by specific state or local rules concerning information sharing and marketing, Truist will fully comply with these regulations as well. Under Vermont and California law, we will not share information we collect about you with companies outside of Truist Bank, unless the law allows. Nevada State law requires that we provide residents with the following contact information: Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington Street, Suite 3900, Las Vegas, NV 89101; Phone: 702.486.3132; Email:
Use of Third Parties: We have arrangements with companies whose experience is essential for our own services to operate properly. These companies, some of which may be located outside the United States, work at LightStream's direction, only receive the information necessary to perform these functions, and adhere to LightStream’s data security guidelines.
Important Notice about Credit Reporting: We may report information about your account(s) to credit bureaus. Late payments, missed payments, or other defaults on your account(s) may be reflected in your credit report.
Do Not Call Policy. This notice is LightStream’s Do Not Call Policy under the Telephone Consumer Protection Act. LightStream abides by all federal and state regulations on telephone usage, maintains an internal Do Not Call list and makes no telemarketing calls to numbers on this list. All Do Not Call requests are implemented within 30 days and the selection is permanent - unless you elect to remove your number from the list.

Updated March 2022

LightStream has a longstanding commitment to protecting the confidentiality and security of our clients' personal information. We believe it is helpful to have an overview of how this commitment is applied as LightStream collects, uses, and protects your personal information when you visit us online.

For California residents, the California law requires that we provide consumers with advance notice of the types of personal information we collect from consumers, our intended use of such information, and a description of your privacy rights under California law. This includes rights to request disclosure of the types of personal information we have collected on you and your right to request that we delete certain information we have collected from you. Please click here for further information on your specific consumer privacy rights.

What information do we collect?

When you visit the LightStream website, application or otherwise interact with us online, we may collect the below information:

  • Your browser type
  • Your IP address (Your IP address is a number that is automatically assigned to your device by your Internet Service Provider. An IP address is identified and logged automatically whenever you visit a site, along with the time of the visit and the page(s) that were visited.)
  • The presence of any software on your device that may be necessary to view our site
  • Information about the device you are using
  • Personal information submitted on applications, forms, and electronic messaging. Personal information includes:
    • Name
    • Social Security Number
    • Address
    • Email
    • Telephone number
    • Account numbers
    • Usernames
    • Passwords
    • Other non-public information
  • Website analytics information such as pages visited and average time spent on a particular page
    • If you would prefer that your movements and actions online at not be monitored, you can opt-out of tracking.
      • NOTE: It is necessary to install a cookie on your browser to identify that you have opted-out. If you delete the opt-out cookie, or change devices or web browsers, you will need to opt-out again.
  • Search engine traffic referral information
  • Responses to advertisements and promotions

How do we use the information we collect?

The information we collect online helps LightStream to:

  • Analyze our site usage and enhance the user's experience:
    • Diagnose server problems
    • Alert users of any possible software compatibility issues
    • Help us make decisions about how various technologies are used and identify usage trends
  • Send marketing communications:
    • Present personalized offers, ads, or content we believe may be of interest to you
    • Determine the effectiveness of promotional campaigns
  • Make business decisions:
    • Analyze data
    • Perform market research
    • Conduct audits
    • Develop and improve products and services
  • Effectively manage your account:
    • Ensure your identity and protect the security of your personal and account information from unauthorized access
    • Process transactions on your account
    • Respond to product applications and questions
    • Fulfill regulatory requirements

Technologies we use

LightStream and its online advertising and marketing partners may employ various technologies to collect information, including:

  • Cookies: Cookies are pieces of information stored directly on your device. Cookies provide information that is used for security purposes, to facilitate navigation, to display information more effectively and to personalize/customize your online experience.
  • Pixel tags, web beacons, clear GIFs or other technologies: This technology may be placed on certain pages of our website, applications, emails and other marketing initiatives. These tags usually work in conjunction with cookies, and allow us to measure the effectiveness of our site and compile statistics about usage and response rates.
  • Firewalls, passcodes, data encryption and other safety features: LightStream uses these technologies to ensure that the information you provide us remains secure. Learn more about how we safeguard your information online, and learn measures you can take to protect yourself.

Interacting with LightStream online

Online advertising on third-party websites and applications

LightStream advertises its products and services on websites and applications not affiliated with LightStream. The third-party companies we hire to display these ads use their own tracking technologies to measure the effectiveness of these ads and to understand your interest. Many of our third-party partners have their own privacy policies. We encourage you to review these policies carefully.

Some of our third-party advertising is interest-based and may use information about your online interests to customize the online ads you see. LightStream has adopted the use of the AdChoices Icon (also known as the Advertising Option Icon) for our interest-based advertising (excluding ads appearing on platforms that do not accept the icon). Anyone receiving an interest-based ad can click on the displayed icon to receive more information. The AdChoices Icon does not prevent you from receiving advertisements, but allows you to control whether you receive interest-based advertisements and from which companies. Visit the Digital Advertising Alliance website for more information about the AdChoices Icon and interest-based advertising.

Third-party aggregation services and tools

Aggregation allows you to gather information from many websites and view that information in a consolidated format. An example of why you might use a third-party aggregation tool is if you wanted a comprehensive view of assets and liabilities held within your financial accounts. If you provide information about your LightStream accounts (including your access information) to an aggregation service provider, we will consider that as your having authorized all transactions initiated by that aggregation site. LightStream reserves the right to disable aggregation for any account without notice. If you wish to cancel your third-party aggregation services you should also change your password at

Social Media

LightStream provides experiences on social media platforms such as Facebook or Twitter that enable online sharing and collaboration. Any content you post, such as pictures, information, opinions, or any personal information that you make available to other participants on these social platforms, is subject to the terms of use and privacy policies of those platforms. Please refer to them to better understand your rights and obligations with regard to such content.

Given the very public nature of social media, it is critical that we all safeguard confidential financial information. If you post information on a LightStream site that we feel should be shielded from public view, we will remove it. This includes not only specific details about your LightStream accounts and other private, confidential information (such as your Social Security Number), but details of information relayed in private conversations between you and LightStream representatives. Please know that in taking down or editing your posts, we are focusing our experience and best judgment to keep your personal information safe.

Linking to other sites

LightStream may provide links to non-LightStream companies, such as credit bureaus or merchants, and will notify you when leaving the LightStream site. If you choose to link to websites not controlled by LightStream, we are not responsible for the privacy or security of these sites, including the accuracy, completeness, reliability or suitability of their information. If you are asked to provide information on one of these sites we urge you to carefully study their privacy policies before sharing.

Protecting your children

LightStream strictly follows the federal guidelines of the Children's Online Privacy Protection Act (COPPA) which gives parents control over what type of information is collected online about their children. We do not knowingly collect, maintain, or use personally identifiable information from children under age 13 on our websites. We are not responsible for the data collection and use practices of nonaffiliated third-parties that are linked from our websites. Visit the COPPA website for more information.

Control your online privacy preferences

In summary, the below links can help you to customize and control your privacy preferences when interacting with LightStream online:

  • Opting-out of website analytics tracking
    • If you would prefer that your movements and actions online at not be monitored, you can opt-out of tracking.
      • NOTE: It is necessary to install a cookie on your browser to identify that you have opted-out. If you delete the opt-out cookie, or change devices or web browsers, you will need to opt-out again.
    • If you are a current LightStream customer, you can control your marketing preferences for direct mail, email and telemarketing preferences, along with the sharing of your personal information via our Preferences form. You may also email LightStream at

Online Privacy Practices updates

LightStream's Online Privacy Practices are subject to change, so please review them periodically. Any changes will become effective when we post the revised Practices on the site (please note the effective date listed at the top of this page). Your use of the site and applications following these changes means that you accept the revised Practices.

Our Security Practices

With regard to the security of your personal information, we employ a variety of electronic, physical, and procedural safeguards to protect your personal information including:

Encryption - We employ 128-bit Secure Sockets Layer (SSL) technology to encrypt your personal information when it is in transit between your web browser and our web server or vice versa. In addition, we also use advanced encryption when storing or backing up your personal information on our computers, substantially reducing the risk even in the event of loss or misuse of your personal information.

Software and Hardware Security - We employ stringent, up-to-date software and hardware solutions to minimize the risk that your encrypted, personal information could be hacked, lost, or stolen from our computer systems.

Physical Security - Your encrypted, personal information is located and stored in secure areas within our building and any offsite data processing facilities.

Access - Access to your personal information (either physically or online) is limited to you and our employees who have a "need to know" in order to perform their jobs and who have the appropriate authentications such as key cards, user IDs, and passwords. A user ID and password is required on the Sign In page on our web site for you to access and/or update your account information. Please remember to keep your user id and password secure. Also, if you prefer additional security, we offer our AccountLock feature which will prevent access to your account even with a valid user id and password. Access will only be granted after you request a pass code from us. We will then email you a randomly-generated, temporarily available pass code, allowing you one-time access to your account.

Training - We provide training to our employees regarding our security procedures.