Privacy Policy
How Valley First collects, uses, protects, and shares your personal information — and what rights you have under federal financial privacy laws and California consumer privacy regulations.
Privacy Information
Valley First is committed to protecting the privacy and security of member information through strong data safeguards, limited information sharing, and compliance with federal financial privacy regulations and California consumer privacy laws.
This privacy policy explains how Valley First handles your personal information. It applies to current and former members, as well as applicants for Valley First products and services. We recognize that financial institutions occupy a position of trust, and maintaining that trust requires transparency about our data practices. This policy describes what information we collect, why we collect it, how we use and protect it, and under what circumstances — if any — we share it with others.
Valley First operates under multiple privacy and data protection frameworks. Federally, we comply with the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, which govern how financial institutions handle nonpublic personal information. As an institution serving California residents, we also comply with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the California Financial Information Privacy Act. These laws provide California members with specific rights regarding their personal information, which are detailed later in this policy. The NCUA and Consumer Financial Protection Bureau oversee privacy compliance for federally insured credit unions and publish additional consumer guidance on financial privacy rights.
Information We Collect
Valley First collects personal information that members provide directly, transaction data generated by account activity, and credit information from consumer reporting agencies when members apply for lending products.
Valley First collects several categories of personal information in the course of providing financial services. The first category is information you provide directly: your name, residential and mailing addresses, Social Security number or taxpayer identification number, date of birth, telephone numbers, email addresses, employment information, income, assets, and other details necessary to open and maintain accounts or evaluate loan applications. When you apply for credit, we also collect information about your financial obligations, employment history, and the purpose of the loan.
The second category is transaction and experience information generated by your use of Valley First products. This includes account balances, transaction amounts and descriptions, payment history, overdraft history, and account usage patterns. When you use our online banking platform or mobile app, we automatically collect device information — browser type, operating system, IP address, and device identifiers — along with login timestamps, pages visited, and features used. This information helps us detect fraud, troubleshoot technical issues, and improve the digital banking experience.
The third category is information from outside sources. When you apply for a loan or credit card, Valley First obtains credit reports and credit scores from consumer reporting agencies including the major credit bureaus. We may also verify employment, income, or asset information with employers, financial institutions, or verification services. For business accounts, we may collect information about the business entity, its owners, and its financial condition from public records, commercial databases, and the business's own submissions. Valley First does not collect biometric data beyond what your device uses for local authentication — fingerprint and facial recognition data remain on your device and are never transmitted to or stored by Valley First.
How We Use and Share Information
Valley First uses member information to provide and improve financial services, prevent fraud, comply with legal requirements, and — with strict limitations — share with service providers and as required by law.
The primary use of member information is delivering the financial products and services you have requested. This includes processing transactions, maintaining accounts, underwriting and servicing loans, providing customer support, sending account statements and notices, and communicating about your accounts. We also use information for operational purposes: detecting and preventing fraud, verifying identity, assessing creditworthiness, conducting risk management, performing internal audits, and improving our products and digital platforms based on aggregated usage patterns.
Valley First does not sell member personal information to third parties for marketing or any other purpose. We do not share account numbers or access credentials with non-affiliated third parties for their independent marketing use. There are limited circumstances in which information may be shared: with service providers who perform functions on our behalf under contractual confidentiality obligations — these include payment processors, statement production vendors, check printers, credit reporting agencies, collection agencies, and technology providers who operate components of our digital banking infrastructure; with regulatory agencies including the NCUA, CFPB, and other government entities as required by law; in response to valid legal process such as subpoenas, court orders, or search warrants; and to protect against fraud, unauthorized transactions, or other liability.
Valley First may share information with affiliates — companies related by common ownership or control — for everyday business purposes as permitted by the Fair Credit Reporting Act. Currently, Valley First does not operate affiliate companies, but this policy reserves the right to do so in the future with appropriate notice. We may also share information with joint marketing partners — other financial institutions with which we have formal agreements to offer co-branded products — though we do not currently maintain such partnerships. Any future sharing arrangement would be disclosed in an updated privacy notice provided to members before the sharing begins.
Data Usage Categories
| Data Category | Examples | How We Use It | Shared With |
|---|---|---|---|
| Identity Information | Name, SSN, date of birth, government ID | Account opening, identity verification, regulatory compliance | Service providers, regulators, law enforcement |
| Contact Information | Address, phone, email | Account communication, alerts, statements, marketing | Service providers (statement delivery, alerts) |
| Financial Information | Income, assets, employment, credit history | Loan underwriting, account eligibility, risk assessment | Credit bureaus, verification services |
| Transaction Data | Purchases, transfers, deposits, payments | Account management, fraud detection, spending insights | Payment processors, fraud detection vendors |
| Digital Usage Data | IP address, device type, login timestamps, pages viewed | Security monitoring, platform improvement, troubleshooting | Technology providers, security vendors |
| Credit Report Data | Credit scores, tradelines, inquiries | Credit decisions, account review, risk management | Credit bureaus (as required by FCRA) |
| Marketing Preferences | Communication opt-ins, product interests | Tailoring product recommendations and outreach | Not shared externally for marketing |
California Consumer Privacy Rights
California members have specific rights under the CCPA and CPRA, including the right to know what data is collected, request deletion, opt out of data sales, and not face discrimination for exercising privacy rights.
As a California-based financial institution, Valley First complies with the California Consumer Privacy Act (CCPA) and its expansion under the California Privacy Rights Act (CPRA). These laws grant California residents specific rights regarding personal information that businesses collect about them. While financial institutions are partially exempt from certain CCPA provisions for data already regulated under the Gramm-Leach-Bliley Act, Valley First voluntarily extends CCPA-style rights to members where doing so is consistent with our privacy principles and not prohibited by other legal obligations.
Under California law, you have the right to know what categories and specific pieces of personal information Valley First has collected about you over the preceding twelve months. You have the right to know the categories of sources from which we collected the information, the business purpose for collecting it, and the categories of third parties with whom we shared it. You have the right to request deletion of your personal information, subject to exceptions that allow Valley First to retain information necessary to complete transactions, detect security incidents, comply with legal obligations, or exercise legal rights. Because financial records must be retained for regulatory and audit purposes, certain account-related information cannot be deleted while an account remains open or during mandatory retention periods after closure.
You have the right to opt out of the sale or sharing of your personal information. Valley First does not sell member personal information and does not share it for cross-context behavioral advertising. You have the right to correct inaccurate personal information that Valley First maintains about you. You have the right to limit the use of sensitive personal information — including Social Security numbers, account credentials, and precise geolocation — to purposes necessary for providing the services you have requested. Valley First already limits the use of such information to account servicing, fraud prevention, and legal compliance. To exercise any of these rights, call member services at (559) 555-0142, send a secure message through the online banking messaging center, or mail a written request to Valley First Privacy Office, 2450 Commerce Boulevard, Fresno, CA 93721.
Data Security and Retention
Valley First protects member data with encryption, access controls, audits, and employee training, and retains information according to legal requirements and business needs — generally for the life of the account plus seven years.
Securing your personal information is a foundational responsibility. Valley First employs administrative safeguards including written privacy policies, employee training, and access controls that limit data access to staff who need it for their job functions. Technical safeguards include 256-bit SSL/TLS encryption for data transmitted between your browser and our servers, encryption at rest for stored data, firewalls, intrusion detection and prevention systems, multi-factor authentication requirements, automatic session timeouts, and annual security assessments against the NIST cybersecurity framework conducted by independent auditors. Physical safeguards include secured facilities, access-controlled server rooms, visitor logs, and secure destruction procedures for paper records containing personal information.
Data retention follows legal and business requirements. Account records — including applications, transaction histories, statements, and correspondence — are retained for the life of the account plus seven years after closure, consistent with federal recordkeeping requirements and statutes of limitation for legal claims. Credit application records are retained for prescribed periods under the Equal Credit Opportunity Act and Fair Credit Reporting Act. Marketing preference and web analytics data may be retained for shorter periods or until you request deletion. When information is no longer needed, it is securely destroyed using methods appropriate to the medium — shredding for paper, cryptographic erasure or physical destruction for electronic media.
Frequently Asked Questions About Privacy
Answers to common questions about Valley First privacy practices and member data rights.
What personal information does Valley First collect?
Valley First collects information you provide directly when opening accounts or applying for services — name, address, Social Security number, date of birth, employment details, income, and assets. We collect transaction data from your account activity including purchases, transfers, deposits, and payments. When you apply for credit, we obtain credit reports from consumer reporting agencies. We also collect digital usage data — IP address, device type, browser information, and login timestamps — when you use online or mobile banking. Valley First does not collect biometric data; fingerprint and facial recognition on mobile devices stay on your device.
Does Valley First share member information with third parties?
Valley First does not sell member personal information to third parties. We share information in limited circumstances: with service providers who perform functions on our behalf under strict contractual confidentiality (payment processors, statement vendors, technology providers), with consumer reporting agencies as permitted by the Fair Credit Reporting Act, with regulators including the NCUA and CFPB as required by law, and in response to valid legal process. We do not share account numbers or access credentials with non-affiliated third parties for their independent marketing use.
What privacy rights do California members have?
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to know what personal information Valley First has collected about you, to request deletion of that information (subject to legal retention requirements for financial records), to opt out of the sale or sharing of personal information (Valley First does not sell member data), to correct inaccurate information, and to limit the use of sensitive personal information. Exercising these rights will not affect your account standing or service quality. Submit requests by calling (559) 555-0142, through the secure messaging center in online banking, or by mail to Valley First Privacy Office.
How does Valley First protect member data?
Valley First uses multiple layers of protection: administrative safeguards including access controls and employee privacy training, technical safeguards including 256-bit SSL/TLS encryption, encryption at rest, firewalls, intrusion detection, multi-factor authentication, and automatic session timeouts, and physical safeguards including secured facilities and access-controlled server rooms. The platform undergoes annual independent security assessments against the NIST cybersecurity framework and maintains SOC 2 Type II certification. All employees receive annual privacy and security training, and access to member data is restricted by role.