Privacy Policy

Cyprus Union Savings Bank ("CUSB," "we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information about members, applicants, and visitors to our website and mobile app. This policy complies with the General Data Protection Regulation (GDPR), the Cyprus Data Protection Law (Law 125(I)/2018), and all other applicable EU and Cypriot privacy laws.

Overview

As a financial institution, we collect certain personal information to provide you with banking products and services, comply with legal obligations, prevent fraud, and improve our offerings. We are committed to using your information only in ways that serve your interests and our legitimate business needs — and never for purposes you haven't authorized or wouldn't reasonably expect.

1. Information We Collect

We collect personal information from a variety of sources, including directly from you, from third parties, and automatically through your use of our digital services. Categories of information collected include:

• Identity Information: Full legal name, date of birth, Social Security Number or ITIN, government-issued ID numbers, and photographs where required.
• Contact Information: Home address, mailing address, email address(es), and telephone number(s).
• Financial Information: Account balances, transaction history, income, assets, liabilities, credit history, credit scores, and employment information.
• Device & Usage Data: IP address, browser type, operating system, device identifiers, pages visited, links clicked, session duration, and referring URLs when you use our website or mobile app.
• Location Data: General geographic location derived from your IP address; precise location data only if you grant permission in the mobile app (e.g., to find nearby ATMs).
• Communications: Records of your communications with us, including phone call recordings (where permitted by law and disclosed), emails, chat transcripts, and in-branch interactions.
• Third-Party Data: Information from credit bureaus, identity verification services, government databases, and other financial institutions as permitted by law.

2. How We Use Your Information

We use your personal information for the following purposes:

• Account Administration: Opening and maintaining accounts, processing transactions, and providing account statements.
• Loan Underwriting: Evaluating loan applications, verifying information, and managing loan servicing.
• Legal Compliance: Fulfilling obligations under the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) regulations, USA PATRIOT Act, OFAC sanctions screening, and other applicable laws.
• Fraud Prevention: Detecting, investigating, and preventing fraudulent transactions, identity theft, and other financial crimes.
• Member Communications: Sending account alerts, statements, disclosures, and responses to your inquiries.
• Marketing: Informing you about CUSB products and services that may benefit you (subject to your opt-out rights — see Section 8).
• Service Improvement: Analyzing usage patterns to improve our digital platforms, products, and member experience.
• Security: Protecting the integrity of our systems and member data.

3. Information Sharing

We may share your personal information with third parties only in the following circumstances:

• Service Providers: Third-party vendors who perform services on our behalf (e.g., data processing, statement printing, ATM network operators, fraud detection services) under strict confidentiality agreements that prohibit them from using your information for any other purpose.
• Legal Requirements: When required by law, court order, subpoena, or regulatory demand, including reporting to the IRS, FinCEN, and other government agencies.
• Affiliated Companies: We may share information with CUSB subsidiaries and affiliates for joint marketing or to offer you additional products and services. You may opt out of this sharing.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections.
• With Your Consent: For any other purpose with your explicit consent.

We do not share your personal information with non-affiliated third parties for their own marketing purposes without your explicit consent.

4. We Don't Sell Your Data

Cyprus Union Savings Bank does not sell, rent, trade, or otherwise transfer your personal information to outside parties for commercial purposes. This policy applies to all members, former members, and applicants. We do not engage with data brokers, advertising networks, or marketing aggregators with respect to your personal financial information.

5. Cookies & Tracking Technologies

Our website and mobile app use cookies and similar tracking technologies to enhance functionality and analyze usage. Types of cookies we use:

• Essential Cookies: Required for the website and online banking to function properly. These cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our website (e.g., pages visited, time spent). We use anonymized data only.
• Preference Cookies: Remember your settings and preferences (e.g., language, accessibility settings).
• Security Cookies: Support fraud detection and session authentication.

We do not use advertising or cross-site tracking cookies. You may manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of online banking. We do not respond to browser "Do Not Track" signals at this time, but we do honor opt-out requests submitted through the methods in Section 8.

6. Data Security

We implement and maintain comprehensive administrative, technical, and physical safeguards to protect your personal information against unauthorized access, use, alteration, and disclosure. Our security measures include:

• 256-bit SSL/TLS encryption for all data in transit;
• AES-256 encryption for sensitive data at rest;
• Multi-factor authentication (MFA) for all online banking access;
• Real-time fraud monitoring and behavioral analytics;
• Strict employee access controls on a need-to-know basis;
• Regular third-party security audits and penetration testing;
• Incident response plan tested annually.

In the event of a data breach that may affect your information, we will notify you as required by applicable law, including GDPR Article 33 (72-hour supervisory authority notification) and Article 34 (member notification without undue delay), within the timeframes specified by law.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy and to comply with applicable legal and regulatory requirements. General retention periods:

• Active Member Records: Duration of membership plus 7 years after account closure.
• Loan Records: Duration of loan plus 7 years after final payment or charge-off.
• Transaction Records: 7 years from transaction date (required by BSA/AML regulations).
• Website Logs: 90 days unless required longer for security investigations.
• Marketing Data: Until you opt out or request deletion, subject to legal retention minimums.

8. Your Privacy Rights & Choices

You have the following rights with respect to your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Opt-Out of Marketing: Opt out of receiving marketing communications from us or from sharing with affiliates for marketing purposes.
• Portability: Request your data in a structured, machine-readable format.
• Restriction: Request that we limit the processing of your data in certain circumstances.

To exercise any of these rights, contact us at [email protected] , call +357 22 880 100, or visit any branch. We will respond within 45 days. We will not discriminate against you for exercising your privacy rights.

To opt out of marketing, you may also call +357 22 880 100, update your preferences in online banking under Settings → Communication Preferences, or reply "STOP" to any marketing text message.

9. GDPR & EU Privacy Rights

As a Cyprus-based institution operating within the European Union, all members and data subjects benefit from the full protections of the General Data Protection Regulation (GDPR) and the Cyprus Data Protection Law (Law 125(I)/2018). In addition to the rights listed in Section 8, you have the right to:

• Know the legal basis under which we process your personal data (Article 6 GDPR);
• Object to processing based on legitimate interests or for direct marketing purposes (Article 21 GDPR);
• Not be subject to automated decision-making, including profiling, that produces legal effects (Article 22 GDPR);
• Lodge a complaint with the Cyprus Commissioner for Personal Data Protection at dataprotection.gov.cy.

Our lawful bases for processing are: contract performance (account administration, loan servicing), legal obligation (AML/KYC compliance), legitimate interests (fraud prevention, security), and consent (marketing). To exercise your GDPR rights, email [email protected] with subject line "GDPR Data Request."

10. Children's Privacy

Our website and online banking services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe we have inadvertently collected information from a child under 13, please contact us immediately and we will promptly delete such information. Custodial and minor accounts require a parent or legal guardian as a joint account holder.

11. Third-Party Links

Our website and mobile app may contain links to third-party websites and services (e.g., co-branded partner pages, financial calculators hosted by third parties). We are not responsible for the privacy practices or content of those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit. The presence of a link on our website does not constitute an endorsement of that site's privacy practices.

12. Policy Changes

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email, secure message in online banking, or a prominent notice on our website at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy reflects the most recent revision. Your continued use of CUSB services after the effective date constitutes your acceptance of the revised policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Officer:

• Email: [email protected]
• Mail: Privacy Officer, Cyprus Union Savings Bank, 1 Makarios III Avenue, Nicosia 1065, Cyprus
• Phone: +357 22 880 100 (Monday–Friday, 8:30AM–4:30PM EET)

You also have the right to file a complaint with the Cyprus Commissioner for Personal Data Protection at dataprotection.gov.cy, or with the European Data Protection Board (EDPB) at edpb.europa.eu if you believe your GDPR rights have been violated.