Gramm-Leach-Bliley Act (GLBA) Policy & Procedures

Octopus Financial Group

Purpose:

The purpose of this policy is to ensure that Octopus Financial Group complies with the Gramm-Leach-Bliley Act (GLBA) and its regulations concerning the protection of private financial information. The policy establishes the procedures for the collection, use, and disclosure of nonpublic personal information (NPI) and outlines the company’s practices for informing customers about its information-sharing practices.

1. Collection of Nonpublic Personal Information (NPI):

• Definition: NPI refers to personal financial information that is not publicly available and is obtained through customer transactions, interactions, or applications for financial services.

• Data Collection: Octopus Financial Group collects NPI in the course of providing financial products or services to customers, including but not limited to:

- Personal identifying information (name, address, date of birth, etc.)

- Financial information (income, assets, debts, credit history)

- Transaction information (payment history, loan balances)

• Authorized Access: Access to NPI is restricted to authorized personnel only, such as loan officers, processors, and customer service representatives, who need the information to perform their job duties.

2. Use of Nonpublic Personal Information:

• Permitted Uses: Octopus Financial Group will use NPI solely for legitimate business purposes, including:

- Processing mortgage applications

- Offering loan products or services

- Verifying customer financial data

- Maintaining customer accounts and records

- Complying with legal, regulatory, and contractual obligations

• Prohibited Uses: NPI will not be used for purposes unrelated to providing financial services, for marketing, or for other activities without explicit customer consent.

3. Disclosure of Nonpublic Personal Information:

• Disclosure to Third Parties:

Octopus Financial Group will not disclose NPI to third parties except as required or permitted by law. This includes, but is not limited to:

- Disclosures required for the processing of loans (e.g., sharing information with credit bureaus, underwriters, or regulatory bodies)

- Sharing with third-party service providers under confidentiality agreements

• Opt-Out Rights:

Customers have the right to opt out of certain types of information sharing with non-affiliated third parties, as permitted under the GLBA. Written notices will be sent to customers explaining their rights, and they can exercise this option by contacting the company.

4. Written Notice to Customers:

• Initial Privacy Notice:

At the time of establishing a customer relationship, Octopus Financial Group will provide a clear and concise privacy notice to customers. This notice will explain:

- The types of NPI collected

- How the information is used and shared

- How the information is protected

- The customer’s right to opt out of certain disclosures

• Annual Privacy Notice:

Annually, Octopus Financial Group will send a reminder notice to customers outlining the company’s privacy practices and offering them the opportunity to opt out of information sharing, if applicable.

5. Safeguarding Nonpublic Personal Information:

• Data Protection:

Octopus Financial Group employs appropriate safeguards to protect NPI from unauthorized access, disclosure, alteration, or destruction. These safeguards include:

- Secure electronic systems for storing and transmitting customer data

- Encryption and firewall protections for online systems

- Access control and authentication procedures for employees handling sensitive data

• Employee Training:

All employees will receive regular training on the importance of safeguarding customer information, recognizing potential security threats, and following internal procedures for handling NPI.

• Vendor Management:

Third-party vendors with access to NPI will be required to maintain appropriate data security measures and sign confidentiality agreements to ensure compliance with GLBA standards.

6. Compliance Monitoring and Enforcement:

• Internal Audits:

Octopus Financial Group will conduct regular audits to ensure that NPI protection procedures are being followed and that customer data is properly safeguarded.

• Disciplinary Actions:

Employees found in violation of this policy may be subject to disciplinary action, up to and including termination, depending on the severity of the breach.

7. Policy Review and Updates:

• Ongoing Evaluation:

This policy will be reviewed annually or in response to regulatory changes to ensure compliance with GLBA and other applicable privacy laws.

• Updates:

Any changes to the company's privacy practices or information-sharing procedures will be communicated to customers through updated privacy notices.
