Privacy Notice for California Residents
Last Updated: May 3, 2021
This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS (the “Notice”) supplements the information contained in the Privacy Statement of Wyndham Capital Mortgage, Inc. (“WCM”, “we”, “us”, and “our”). and applies solely to visitors, users, consumers, and others who reside in the State of California (“consumers” or “you”). We adopt this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this Notice.
NOTICE AT COLLECTION
For the purposes of the CCPA, we currently collect the categories of personal information listed in the chart below:
|A. Identifiers.||A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.||YES|
|B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).||A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.||YES|
|C. Protected classification characteristics under California or federal law.||Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).||YES|
|D. Commercial information.||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||YES|
|E. Biometric information.||Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.||NO|
|F. Internet or other similar network activity.||Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.||YES|
|G. Geolocation data.||Physical location or movements.||YES|
|H. Sensory data.||Audio, electronic, visual, thermal, olfactory, or similar information.||NO|
|I. Professional or employment-related information.||Current or past job history or performance evaluations.||YES|
|J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.||NO|
|K. Inferences drawn from other personal information.||Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.||YES|
Business or Commercial Purposes: We use the categories of personal information listed above to provide our products and services to you, to operate, manage, and maintain our business, and to accomplish other business and commercial purposes, including the following:
- To fulfill or meet the reason for which the information is provided;
- To provide you with information, products or services that you request from us;
- To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you;
- Manage our relationship with you;
- Allow you to contact us and facilitate your communication with us;
- Respond to your feedback, requests, questions, or inquiries;
- Detect fraud and prevent loss;
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections;
- To operate our website and present its contents to you;
- For testing, research, analysis and product development;
- Promote products and services to you;
- Provide you with more tailored advertising;
- Ensure the privacy and security of our website and services;
- As necessary or appropriate to protect the rights, property or safety of us, our clients or others; and
- As otherwise described to you when collecting your personal information.
Other Processing Activities: As permitted by applicable law, we may use all of the personal information that we collect in order to:
- Comply with federal, state, or local laws;
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
- Cooperate with law enforcement agencies concerning conduct or activity that we, a service provider, or a third party reasonably and in good faith believe may violate federal, state, or local law;
- Exercise or defend legal claims; and
- Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Personal information does not include:
• Publicly available information from federal, state, or local government records.
• De-identified or aggregated consumer information.
• Information excluded from the CCPA’s scope, including:
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
- Personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) or the California Financial Privacy Act;
- Personal information bearing on any activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by an agency, furnisher, or user subject to regulation under the Fair Credit Reporting Act (FCRA).
DATA PRACTICES DURING LAST 12 MONTHS
Personal Information Collected: As described in this Notice, we have collected the categories of personal information listed below during the preceding 12 months:
- Categories of personal information described in the California Customer Records statute;
- Characteristics of protected classifications;
- Commercial information;
- Internet or other electronic network activity information;
- Geolocation data;
- Professional or employment-related information;
- Inferences drawn from other personal information.
Categories of Sources: We obtain the categories of personal information listed above from the following categories of sources:
- Directly from our clients or their agents. For example, from documents that our clients provide to us related to the services for which they engage us.
- Indirectly from our clients or their agents. For example, through information we collect from our clients in the course of providing services to them.
- Directly and indirectly from activity on our website (www.wyndhamcapital.com). For example, from submissions through our website portal or website usage details collected automatically.
- From third parties that interact with us in connection with the services we perform.
- Lead providers that consumers have provided information regarding inquiries for mortgage loans from consumers.
- Data analytics providers.
- Data brokers.
Business and Commercial Purpose for Collecting: We have collected the categories of personal information listed above for the purposes listed in the “Business or Commercial Purposes” section above.
Personal Information Disclosed for a Business Purpose: We have disclosed for a business purpose the categories of personal information listed below during the preceding 12 months:
- Categories of personal information described in the California Customer Records statute;
- Characteristics of protected classifications;
- Commercial information;
- Internet or other electronic network activity information;
- Geolocation data;
- Professional or employment-related information;
We have disclosed each category of personal information to the following categories of third parties: (1) corporate parents, subsidiaries, and affiliates; (2) advisors (accountants, attorneys); (3) investors; (4) service providers (vendors that assist in providing services to consumers in connection with our products or services, data analytics, data storage, mailing, marketing, payment processing, website and platform administration, technical support, security monitoring); (5) operating systems and platforms; and (6) internet service providers.
No Personal Information Sold: We do not sell your personal information and have not sold categories of personal information during the preceding 12 months. We will not sell your personal information unless we modify this Notice and take additional steps as may be required under the CCPA.
CALIFORNIA CONSUMER RIGHTS
The CCPA provides California consumers with certain rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Requests to Know and Requests to Delete
The CCPA gives consumers the right to request that we (1) disclose what personal information we collect, use, disclose, and sell, and (2) delete certain personal information that we have collected or maintain. You may submit these requests to use as described below, and we honor these rights where they apply.
However, by way of example, these rights do not apply where we collect or sell a consumer’s personal information if: (1) we collected that information while the consumer was outside of California, (2) no part of a sale of the consumer’s personal information occurred in California, and (3) no personal information collected while the consumer was in California is sold. In addition, de-identified information is not subject to these rights.
These rights also do not apply to personal information collected or disclosed under certain exemptions under the CCPA. This includes, but is not limited to, personal information collected or disclosed pursuant to the Health Information Portability Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), or information reflecting a written or verbal communication or transaction between us and a consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with us occur solely within the context of the us conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.
If a request is submitted in a manner that is not one of the designated methods for submission, or if the request is deficient in some manner unrelated to our verification process, we will either (1) treat the request as if it had been submitted in accordance with the designated manner, or (2) provide you with specific directions on how to submit the request or remedy any deficiencies with the request, as applicable.
Request to Know
You have the right to request: (1) the specific pieces of personal information we have collected about you; (2) the categories of personal information we have collected about you; (3) the categories of sources from which the personal information we collected is collected; (4) the categories of personal information about you that we have sold and the categories of third parties to whom the personal information was sold; (5) the categories of personal information about you that we disclosed for a business purpose and the categories of third parties to whom the personal information was disclosed for a business purpose; (6) the business or commercial purpose for collecting, disclosing, or selling that personal information; and (7) the categories of third parties with whom we share that personal information. Our response will cover the 12-month period preceding our receipt of a verifiable request.
Verification Process. We are required by law to verify the identities of those who submit requests to know, and our verification process is described in detail below. We will inform you if we cannot verify your identity.
Response Process. Upon receiving a request to know, we will confirm receipt of the request within 10 business days and provide information about how we will process your request. The information provided will describe our verification process and when you should expect a response from us (unless we have already granted or denied the request). In general, we will respond to the request within 45 calendar days from the day we receive it; but, if necessary, we may take up to an additional 45 days to respond to your request. If an extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 calendar days.
Once verification is complete, we will associate the information provided by you in the verifiable consumer request to any personal information previously collected by us about you. We will promptly take steps to disclose and deliver, free of charge to you, the information requested. We will provide an individualized response to requests regarding categories of personal information as required by applicable law; but, we may refer you to our general practices outlined in this Notice when our response would be the same for all consumers and all the information that is otherwise required to be in a response is presented here.
If you do not have a password-protected account with us, we may respond to a request to know related to household personal information by providing aggregate household information. If all consumers of a household jointly request access to specific pieces of personal information for the household, we will comply with the request if we can verify the identity of each consumer.
Delivery. Except as otherwise provided by applicable law, the information will be provided in writing and may be delivered through your account with us. If you do not maintain an account with us, we will respond by mail or electronically (at your option) in a portable and, to the extent technically feasible, readily-useable format that allows you to transmit the information to another entity. Alternatively, we may offer a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information. If we do not take action on your request, we will, without delay and, at the latest, within the time period permitted for our response, inform you of the reasons that we did not take action and any rights you may have to appeal the decision.
Limitations. We are committed to responding to requests to know in accordance with applicable law. However, your rights are subject to the following limitations:
Denials. If we deny a verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception under applicable law, we will inform the requestor and explain the basis for the denial. If the request is denied only in part, we will disclose the other information sought by the consumer.
Request to Delete
You have the right to request the erasure/deletion of certain personal information collected or maintained by us. As described below, we will delete your personal information from our records and direct any service providers (as defined under applicable law) to delete your personal information from their records.
Submission Instructions: You may submit a request to know via: (1) our toll-free telephone number (888) 923-9911; (2) by email to email@example.com; or (3) by completing this online form. We may present you with the choice to delete select portions of your personal information, but a global option to delete all personal information will be offered and more prominently presented.
Verification Process. We are required by law to verify the identities of those who submit requests to delete, and our verification process is described in detail below. We will inform you if we cannot verify your identity.
- If we cannot verify the identity of the person making a request to delete, we may deny the request. We will, however, treat the request as a request to opt-out of sales of personal information.
- If there is no reasonable method by which we can verify the identity of the requestor to the degree of certainty required, we will state this in our response and explain why we have no reasonable method by which we can verify the identity of the requestor.
Response Process. Upon receiving a request to delete, we will confirm receipt of the request within 10 business days and provide information about how we will process your request. The information provided will describe our verification process and when you should expect a response from us (unless we have already granted or denied the request). We will use a two-step process for online requests to delete in which you must first, clearly submit the request to delete and then second, separately confirm that you want your personal information deleted. In general, we will respond to the request within 45 days from the day we receive it; but, if necessary, we may take up to an additional 45 calendar days to respond to your request. If an extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 calendar days.
Once verification is complete, we will take one of the following actions: (1) permanently and completely erase the personal information on our existing systems (with the exception of archived or back-up systems); (2) de-identify the personal information; or (3) aggregate the consumer information. For personal information stored on archived or backup systems, we may delay compliance with your request to delete for that data until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.
If you do not have a password-protected account with us, we may respond to a request to delete related to household personal information by providing aggregate household information. If all consumers of a household jointly request deletion for the household, we will comply with the request if we are able to verify the identity of each consumer.
Delivery. In our response to you, we will inform you of whether or not we have complied with your request. We will also inform you of our obligation to maintain a record of the request under California law.
Limitations. We are committed to responding to requests to delete in accordance with applicable law. However, we are not required to delete your personal information if it is necessary for us (or our service providers) to maintain your personal information in order to:
- Complete the transaction for which the personal information was collected;
- Fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
- Provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you;
- Otherwise perform a contract between us and you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
- Debug to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise his/her right of free speech, or exercise another right provided for by law;
- Comply with the California Electronic Communications Privacy Act;
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent;
- Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
- Comply with a legal obligation; and
- Otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which the information was provided.
Denials. If we deny your request, we will (1) inform you that we will not comply with the request and describe the basis for the denial; (2) delete the personal information that is not subject to the exception; and (3) not use the personal information retained for any other purpose than provided for by the applicable exception(s).
To determine whether the individual making the request is the consumer about whom we have collected information, we will verify your identity by matching the identifying information provided by you in the request to the personal information that we already maintain about you. As a part of this process, you will be required to provide your name, telephone number, email address, and the address of the subject property for which you may have sought a loan from Wyndham Capital.
If we cannot verify your identity based on the information already maintained, we may request additional information from you. We will try to limit the information collected, and we will only use this information to verify your identity and for security or fraud-prevention purposes. Except as required by law, we will delete any new personal information collected for the purposes of verification as soon as practical after processing the request.
We require different levels of authentication based upon the nature of the personal information requested. A more stringent verification process is applied when (1) sensitive or valuable personal information is involved, (2) there is a greater risk of harm to the consumer, and/or (3) there is a higher likelihood that fraudulent or malicious actors would request the information.
Password-Protected Account. If you have a password-protected account with us, we may verify your identity through our existing authentication practices for the account. We will require you to re-authenticate yourself before disclosing or deleting your data. If we suspect fraudulent or malicious activity on or from the password-protected account, we will not comply with the request until further verification procedures determine that the request is authentic and that the consumer making the request is the person about whom we have collected information.
Request to Know Categories. For a request to know categories of personal information, we will verify the identity of the consumer making the request to a “reasonable degree of certainty” by matching at least two (2) data points provided by the consumer with data points maintained by us, which we have determined to be reliable for the purpose of verifying the consumer.
Request to Know Specific Pieces. For a request to know specific pieces of personal information, we will verify the identity of the consumer making the request to a “reasonably high degree of certainty” by matching at least three (3) pieces of personal information provided by the consumer with personal information maintained by us, which we have determined to be reliable for the purpose of verifying the consumer, together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. We are required by law to maintain all signed declarations as part of our record-keeping obligations.
Request to Delete. For a request to delete, we will verify the identity of the consumer to a “reasonable degree of certainty” or a “reasonably high degree of certainty,” depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. For example, the deletion of family photographs and documents may require a reasonably high degree of certainty, while the deletion of browsing history may require a reasonable degree of certainty.
The CCPA allows you to use authorized agents to make requests on your behalf. If you use an authorized agent to submit a request to know or request to delete, we may require you to: (1) provide the authorized agent with written permission to do so; and (2) verify your identity directly with us. However, we will not require these actions if you have provided the authorized agent with power of attorney pursuant to the California Probate Code. We may deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf.
In addition to the individual identity verification procedure described above, authorized agents will be required to submit the following written documentation:
Businesses: If the authorized agent is operating as a business, you must provide: (1) a certificate of good standing with your state of incorporation; (2) written authorization document that includes each customer’s name, address, telephone number, and valid email address, signed and dated by each consumer authorizing you, as the authorized agent, to act on behalf of each consumer in making the request; and (3) a valid email address for each consumer for our direct correspondence with each consumer, including an identity verification process to be conducted by us directly with that consumer.
Individuals: If the authorized agent is an individual, you must provide: (1) a “power of attorney” signed and dated by the consumer and notarized by a notary public naming you as the consumer’s authorized representative, which includes the consumer’s full name and physical California address and the consumer’s month/year of birth; (2) if you do not have a power of attorney signed by the consumer, then we require a written authorization document that includes the customer’s name, address, telephone number, and valid email address, signed by the consumer authorizing you, as the authorized agent, to act on behalf of the consumer in making the request; and (3) a valid email address for each consumer for our direct correspondence with each consumer, including an identity verification process to be conducted by us directly with that consumer.
If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, we may either (1) charge a reasonable fee, or (2) refuse to act on the request and notify the consumer of the reason for refusing the request. If we charge a fee, the amount will be based upon the administrative costs of providing the information or communication or taking the action requested.
You have the right not to receive discriminatory treatment by us due to your exercise of the rights provided by the California Consumer Privacy Act. We do not offer financial incentives and price or service differences, and we do not discriminate against consumers for exercising their rights under the CCPA.
• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
How Long Do We Store and Use Your Personal Information?
We will retain and use your personal information for as long as is necessary to fulfill the purposes for which it was collected, to comply with our business requirements and legal obligations, to resolve disputes, to protect our assets, to provide our services, and to enforce our agreements.
We take reasonable steps to delete the personal information we collect about you, where we have a legal obligation to do so, if you ask us to delete your information, unless we determine that doing so would violate our existing, legitimate legal, regulatory, dispute resolution, contractual, or similar obligations. To the extent permitted by law, we may retain and use anonymous and aggregated information for performance reporting, benchmarking, and analytic purposes and for product and service improvement
We are required by law to maintain records of consumer requests submitted under the California Consumer Privacy Act and how we responded to such requests for at least 24 months. We only use this information for recordkeeping purposes.
This Notice is applicable only to the website, and it does not apply to any third-party websites.
The website may contain links to, and media and other content from, third-party websites. These links are to external websites and third parties with which we may have no relationship. Because of the dynamic media capabilities of the website, it may not be clear to you which links are to the website and which are to external, third-party websites. If you click on an embedded third-party link, you will be redirected away from the website to the external third-party website. You can check the URL to confirm that you have left this website.
We cannot and do not (1) guarantee the adequacy of the privacy and security practices employed by or the content and media provided by any third parties or their websites, (2) control third parties’ independent collection or use or your personal information, or (3) endorse any third-party information, products, services or websites that may be reached through embedded links on this Site.
Updates and Changes to Our Privacy Notice
We reserve the right to amend this Notice at our discretion and at any time and to add to, change, update, or modify this Notice to reflect any changes to the way in which we treat your personal information nor in response to changes in law. When we make material changes to this Notice, we will notify you by email or through a notice on our website homepage for a reasonable period of time. Any such changes, updates, or modifications shall be effective immediately upon posting on the website. The date on which this Notice was last modified is identified at the beginning of this Notice.
You are expected to, and you acknowledge and agree that it is your responsibility to carefully review this Notice prior to using the website, and from time to time, so that you are aware of any changes. Your continued use of the website after the “Last Updated” date will constitute your acceptance and agreement to such changes and to our collection and sharing of your personal information according to the terms of the then-current Notice. If you do not agree with this Notice and our practices, do not access, view, or use any part of the website.
If you have any questions or comments about this Notice, our Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, you may contact us using the information below and we will do our best to assist you.
Phone: (888) 923-9911
Wyndham Capital Mortgage, Inc.
4064 Colony Road, Morrocroft2, Floor 2
Charlotte, NC 28211