Overview

In today's environment, where people are subjected to marketing calls, junk mail, and spam and are very concerned about fraud and identity theft, we recognize the seriousness of our responsibility to help maintain the privacy and security of your personal information. As a result, we have adopted privacy and security practices that go beyond minimum legal requirements in order to give you greater comfort. We invite you to compare what we do with any other lender that you are presently using or considering.

Recognize and prevent scams
We take your security seriously. Protect yourself from fraudsters who reach out to you pretending to be LightStream. Always confirm the caller is from LightStream before sharing personal information.

• After you submit an application at LightStream.com or on the LightStream Mobile App, we may contact you to verify your identity and some of the information you provided in your application.
• LightStream will only call you directly if there are questions about an application you’ve submitted.
• LightStream will not contact you to ask for or confirm your personal information until after you have submitted your loan application.
• LightStream does not conduct telemarketing outreach.
• If someone calls you and tells you that you have been approved for a loan that you did not apply for, it is not LightStream.
• LightStream does not charge any fees and will never ask you to send funds before signing your loan agreement. The only money you are required to send us is your regular monthly payment after taking out a loan from us.

We are a Norton Secure Site:

For Nevada residents only, Nevada law requires that we also provide you with the following contact information:

Bureau of Consumer Protection, Office of the Nevada Attorney General
555 E. Washington St., Suite 3900
Las Vegas, NV 89101
Phone: 702.486.3132
Email: BCPINFO@ag.state.nv.us

We may modify this privacy and security policy from time to time. We will post such changes to this page and update the last revised date. If the changes to the policy are significant, we will provide a more prominent notice including, possibly, an email notification to you.

CCPA Privacy Notice / Notice At Collection

Last Updated December 2023

Maintaining the privacy and security of your personal information is LightStream’s highest priority. In doing so, we want to provide transparency regarding how and why your data is collected, how it is used, with whom it may be shared, and how long it is kept. This notice, as well as LightStream’s Privacy Policy and Statement of Online Privacy Practices informs consumers how we will interact with your personal information.

The purpose of this Notice at Collection and CCPA Privacy Notice (“Notice”) is to provide you with timely notice, at or before the point of collection, of the details about our practices concerning the privacy of your personal information. This Notice is directed to consumers who reside in the state of California (“consumers” or “you”) and relates to personal information covered by the California Consumer Privacy Act (CCPA). Specifically, this Notice provides comprehensive information about our online and offline practices, along with details concerning how you may exercise your California privacy rights and make requests to access, correct or delete the information that LightStream holds about you. We will not collect additional categories of personal information without providing you a new Notice at Collection disclosing these categories.

Please note that LightStream adheres to an exemption within the CCPA for data collected pursuant to the Gramm-Leach-Bliley Act (GLBA). This Notice and the rights described do not apply to information we collect when you apply for or obtain our financial products and services for personal, family, or household purposes, which is subject to our Privacy Policy.

The following charts provide specifics about LightStream’s practices related to the collection, use and selling or sharing of personal information:

General Personal Information

General Personal Information

Categories of Personal Information Collected & Disclosed	Purpose for Collection	Purpose for Disclosure
A. Identifiers: For example, real name or alias, address, online identifier, IP address, email address, account name, SSN, driver’s license number, passport number, or other similar identifiers.	Deliver, manage and support products and services, manage relationships and maintain accounts Assess and manage risk Manage fraud and financial crimes Meet legal, regulatory, or compliance requirements Market our products and services Manage and optimize internal operations purposes Support and optimize channels and interactions	Share for all purposes from “purpose for collection”
B. Personal Information Categories from Cal. Civ. Code § 1798.80I: For example, name, signature, SSN, physical characteristics or description, address, phone number, passport number, driver’s license or state ID card number, policy or account numbers, education, employment, employment history, credit or debit card numbers, or any other financial, medical or health insurance information.	Deliver, manage and support products and services, manage relationships and maintain accounts Assess and manage risk Manage fraud and financial crimes Meet legal, regulatory, or compliance requirements Market our products and services Manage and optimize internal operations purposes Support and optimize channels and interactions	Share for all purposes from "purpose for collections"
C. Characteristics of CA or Federal Protected Classifications: For example, race, religion, national origin), age (40 and over), gender, sexual orientation, medical condition, ancestry, pregnancy (includes childbirth, breastfeeding and/or related medical conditions), familial status, disability, veteran status, or genetic information.	Deliver, manage and support products and services, manage relationships and maintain accounts Assess and manage risk Manage fraud and financial crimes Meet legal, regulatory, or compliance requirements Market our products and services Manage and optimize internal operations purposes Support and optimize channels and interactions	Share for all purposes from “purpose for collection”
D. Commercial Information: For example, records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	Deliver, manage and support products and services, manage relationships and maintain accounts Assess and manage risk Manage fraud and financial crimes Meet legal, regulatory, or compliance requirements Market our products and services Manage and optimize internal operations purposes Support and optimize channels and interactions	Share for all purposes from “purpose for collection”
E. Biometric Information: For example, physiological, biological or behavioral characteristics, including DNA, that can be used to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.	Assess and manage risk (fraud and security detection through identity verification)	Share for all purposes from “purpose for collection”
F. Internet or Other Similar Network Activity: For example, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement	Deliver, manage and support products and services, manage relationships and maintain accounts Assess and manage risk Manage fraud and financial crimes Meet legal, regulatory, or compliance requirements Market our products and services Manage and optimize internal operations purposes Support and optimize channels and interactions	Share for all purposes from “purpose for collection”
G. Sensory Data or Recordings: For example, audio, electronic, visual, thermal, olfactory, or similar information that can be linked or associated with a particular consumer or household	To assess and manage risk To meet regulatory or compliance requirements Manage and Optimize Internal Business Operations Support and Optimize Channels and Interaction	Share for all purposes from “purpose for collection”
H. Professional or Employment-Related Information: For example, compensation, evaluations, performance reviews, personnel files and current and past job history.	Assess and manage risk Deliver, manage and support products and services, managing relationships and maintaining accounts Meet legal, regulatory or compliance requirements	Share for all purposes from “purpose for collection”
I. Education Information (defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)): Education records directly related to a student maintained by an education institution or party acting on its behalf, for example, non-public information that can be used to distinguish or trace an individual’s identity in relation to an educational institution either directly or indirectly through linkages with other information.	N/A	N/A
J. Profile Data: For example, inferences drawn from personal information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	Deliver, manage and support products and services, manage relationships and maintain accounts Assess and manage risk Manage fraud and financial crimes Market our products and services Manage and optimize internal operations purposes Support and optimize channels and interactions	Share for all purposes from “purpose for collection”

We may also disclose personal information for other purposes at your direction or with your consent.

Sensitive Personal Information

Categories of Sensitive Personal Information	Purpose for Collection	Purpose for Disclosure
SSN, Driver’s License, State ID Card, Passport Number	Deliver, manage and support products and services manage relationships and maintain accounts Assess and manage risk Manage fraud and financial crimes Meet legal, regulatory, or compliance requirements	Share for all purposes from “purpose for collection”
Account Login, financial account, debit or credit card number when provided with any security or access code, password or credentials allowing access to an account	Deliver, manage and support products and services manage relationships and maintain accounts Assess and manage risk Manage fraud and financial crimes Meet legal, regulatory, or compliance requirements	Share for all purposes from “purpose for collection”
Contents of a consumer’s mail, email and text messages (unless LightStream is the intended recipient)	N/A	N/A
Genetic Data	N/A	N/A
Biometric information for the purpose of unique identification	Assess and manage risk (fraud and security detection through identity verification)	Share for all purposes from “purpose for collection”

What we Sell to Third Parties or Share with Third Parties for Cross-Context Behavioral Advertising and what we Share with Third Parties for Business Purposes

We have sold or shared with third parties for cross-context behavioral advertising personal information to third parties in the preceding 12 months as disclosed in the table below. We also share personal information for business purposes with the third parties described below.

General Personal Information

Categories sold to or shared with third parties over the last 12 months	Categories of third parties to whom this category of personal information has been sold or shared	Categories of Third Parties to whom the information was shared for business purposes
A. Identifiers:	Ad servers, networks, & exchanges Social media platforms Online publishers Data analytics providers Data providers and aggregators Advertising services platforms Market research companies Consumer survey companies	Other entities in the Truist family Service Providers that provide various services to us Other parties when you authorize or direct us to share your information, such as when you use a third party service to help manage your financial information across financial institutions or when you transfer funds from LightStream Credit reporting agencies to report on or learn about your financial circumstances Government entities and other third parties as needed for legal or similar purposes
B. Personal Information Categories from Cal. Civ. Code § 1798.80(e)	N/A	Other entities in the Truist family Service Providers that provide various services to us Other parties when you authorize or direct us to share your information, such as when you use a third party service to help manage your financial information across financial institutions or when you transfer funds from LightStream Credit reporting agencies to report on or learn about your financial circumstances Government entities and other third parties as needed for legal or similar purposes
Characteristics of CA or Federal Protected Classifications	N/A	Other entities in the Truist family Service Providers that provide various services to us Other parties when you authorize or direct us to share your information, such as when you use a third party service to help manage your financial information across financial institutions or when you transfer funds from LightStream Credit reporting agencies to report on or learn about your financial circumstances Government entities and other third parties as needed for legal or similar purposes
D. Commercial Information	Ad servers, networks, & exchanges Social media platforms Online publishers Data analytics providers Data providers and aggregators Advertising services platforms Market research companies Consumer survey companies	Other entities in the Truist family Service Providers that provide various services to us Other parties when you authorize or direct us to share your information, such as when you use a third party service to help manage your financial information across financial institutions or when you transfer funds from LightStream Credit reporting agencies to report on or learn about your financial circumstances Government entities and other third parties as needed for legal or similar purposes
E. Biometric Information	N/A	Other entities in the Truist family Service Providers that provide various services to us
F. Internet or Other Similar Network Activity	Ad servers, networks, & exchanges Social media platforms Online publishers Data analytics providers Data providers and aggregators Advertising services platforms Market research companies Consumer survey companies	Other entities in the Truist family Service Providers that provide various services to us Other parties when you authorize or direct us to share your information, such as when you use a third party service to help manage your financial information across financial institutions or when you transfer funds from LightStream
G. Professional or Employment-Related Information	Consumer survey companies	N/A
H. Profile Data	Ad servers, networks, & exchanges Social media platforms Online publishers Data analytics providers Data providers and aggregators Advertising services platforms Market research companies Consumer survey companies	Service Providers that provide various services to us

Sensitive Personal Information

Categories sold to or shared with third parties over the last 12 months	Categories of third parties to whom this category of personal information has been sold or shared	Categories of third parties to whom the information was shared for business purposes
Social Security Number, Driver’s License, State Identification Card, or Passport Number	N/A	Other entities in the Truist family Service Providers that provide various services to us Other parties when you authorize or direct us to share your information Credit reporting agencies to report on or learn about your financial circumstances Government entities and other third parties as needed for legal or similar purposes
Account log-in, financial account, debit card, or credit card number when provided with any security or access code, password, or credentials allowing access to an account	N/A	Service Providers that provide various services to us
Contents of a consumer’s mail, email, and text messages (unless we are the intended recipient of the communication)	N/A	N/A
Genetic Data	N/A	N/A
Biometric information for the purpose of unique identification	N/A	Other entities in the Truist family Service Providers that provide various services to us

Notice of Right to Opt Out of Sale/Sharing

You may at any time direct LightStream to stop selling or sharing your personal information, which is called the “Right to Opt Out.” Once you make an opt out request, LightStream will comply within 15 business days, and will wait at least 12 months before asking you to reauthorize sales or sharing.

You may exercise your Right to Opt Out of Sale/Sharing in the following ways:

To opt out of tags, cookies, pixels that collect information when you visit LightStream.com	Click Do Not Sell or Share My Personal Information to use the interactive form
To opt out of other personal information sold to or shared with third parties	Sign on to LightStream Online Portal/Account Services platform and go to Profile then Privacy & Preferences to opt out of sharing personal information

Notice of Right to Limit Use of Sensitive Personal Information

You have the right to limit our use and disclosure of your sensitive personal information collected by LightStream for the purpose of inferring characteristics about you. This is called the “Right to Limit”. LightStream only collects/processes sensitive personal information without the purpose of inferring characteristics about a consumer, therefore there is not an opt-out for the use of sensitive personal information.

You do not have the right to limit certain uses and disclosures of your sensitive personal information for the following business purposes:

• Providing our goods and services reasonably expected of an average consumer,
• Preventing, detecting, and investigating security incidents affecting personal information, provided that the use of personal information is reasonably necessary and proportionate for this purpose,
• Resisting malicious, deceptive, fraudulent, or illegal actions against us and prosecuting those responsible for those actions, provided that the use of personal information is reasonably necessary and proportionate,
• Ensuring the physical safety of an individual, provided that the use of personal information is reasonably necessary and proportionate for this purpose,
• Short-term, transient use, including non-personalized advertising shown as part of a consumer’s current interaction with us, provided that we do not build a profile about the consumer or alter the consumer’s experience outside their current interaction with us,
• Performing services on behalf of another business (e.g., maintaining accounts, processing orders or transaction),
• Verifying or maintaining the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, or improving, upgrading, or enhancing the services or device owned, manufactured, manufactured for, or controlled by us,
• Any collection or processing that is not for the purpose of inferring characteristics about you.

Retention of Personal Information

LightStream has established product and business-level criteria for retention and disposal according to business requirements, laws, regulations, and applicable industry standards.

Sources of Personal Information

LightStream collects information from various sources, including:

• Directly from you or your guardians/representatives
• Service providers that support our business operations (e.g., data analytics providers)
• Websites, mobile applications, and social media
• Public records or publicly available data
• Data brokers
• Advertising networks
• Government entities

Consumer Rights Under the CCPA

Right to Know / See Data Request

You have the right to request that LightStream disclose categories or specific pieces of personal information we have collected about you over the last 12 months, the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, sold, or shared with third parties for cross context behavioral advertising, and the categories of third parties with whom we share personal information.

Right to Correct

You have the right to request correction of inaccurate personal information maintained by LightStream. Such updates are best made by logging into your online account or in the mobile app to make the corrections.

Right to Delete

You have the right to request deletion of personal information that LightStream has collected, subject to certain exceptions. For example, we may deny your request if retaining the information is necessary for us to complete a transaction you requested or comply with our legal obligations

Submitting a Verified Consumer Request

Consumers are welcome to submit right to know, correction, or deletion requests by visiting the Truist Privacy Center. LightStream is a division of Truist Bank and your requests made through the Truist Privacy Center will extend to other personal information Truist maintains about you. For example, if you ask to correct your phone number, we will modify the phone number across all Truist records where a correction can be made. Privacy preferences, such as email opt-outs or information sharing and use preferences, are managed separately. Information about LightStream’s privacy practices and how to manage your LightStream privacy preferences is available on this page (Lightstream.com/privacy).

If you need assistance completing the form or have any other questions or comments, you may email us at customerservice@lightstream.com. All requests must be verified prior to receiving a response, using Truist authentication protocols. Requesters will be asked to supply certain basic personal information to enable us to verify the request against our records, such as name, Social Security number, and address. Information submitted for verification purposes will only be used to verify the requestor’s identity and/or authority to make a request on another’s behalf.

Requests made on another person’s behalf can only be accepted upon receipt of documentation that the requestor is an authorized agent, parent, or legal guardian of the consumer whose information is being requested. This will require the submission of a valid Power of Attorney, Birth Certificate, approved LightStream authorization form, Guardianship Order, or other court order granting authority to receive information, as appropriate.

Upon submission of a request, consumers will receive an initial confirmation of receipt within 10 days. We will respond to your request within 45 days (unless an extension of up to 45 additional days is requested, upon which the consumer will receive notice and an explanation for the extension).

Opt Out Preference Signals

Your internet browser may give you more control over your privacy preferences via a Global Privacy Control (GPC) signal. This is a setting in your browser that notifies the websites you visit of your preferences to opt out of selling or sharing your personal information under California law. If you have opted out via the GPC signal, LightStream sites will recognize this signal and process your preference automatically as it pertains to tags, cookies and pixels that collect personal information when you visit LightStream.com. Please note the signal is processed at the browser-level and is not applied if you visit LightStream.com from a different browser or device that does not have the GPC signal enabled.

Non-Discrimination

The submission of any CCPA request will have no impact on the service and/or pricing you receive from LightStream. It will not result in any denial of goods or services, or different prices, rates or quality of goods or services, nor will it result in retaliation against an employee, applicant, or independent contractor.

Consumers Under 16 Years of Age

LightStream products and services are not intended for consumers under the age of 16, and we do not knowingly collect information from children under the age of 16 without consent. LightStream does not knowingly sell the personal information of minors under the age of 16 or share such information for cross-contextual advertising.

Updating Preferences

You can submit requests to update your sharing and marketing preferences by logging into your online account.

Updates

This Notice may be revised from time to time, so please review this page periodically. Any changes will become effective when we post the revised notice on the site (please note the effective date listed at the top of this page).

Contact Us

If you have any questions or comments on this notice or our privacy practices generally, please contact us at privacy@lightstream.com. You can also visit www.LightStream.com/privacy-security for additional information.