LAST REVISED: MAY 7, 2021

California Privacy Notice

This California Privacy Notice contains rights and disclosures required by the California Consumer Privacy Act (“CCPA”) and applies only to “personal information” that is subject to that law. Most of our data collection, use, and sharing practices are governed by our Gramm-Leach Bliley Act, however, if you are a California resident, CCPA may apply as they relate to our products and services. This California Privacy Notice should be read in conjunction with Figure’s Privacy Policy and Terms of Service, which are incorporated herein by reference.

The CCPA also includes certain exceptions related to certain information in a business-to-business context, information collected about employees, job applicants, and contractors, and public information lawfully obtained from government records. You can review Figure Lending LLC’s Gramm-Leach-Bliley Act Privacy Notice  Opens a new window., and, if you are a user of Figure Pay, the Figure Pay Gramm-Leach-Bliley Act Privacy Notice  Opens a new window., for more information on how we share information here  Opens a new window..

Under the CCPA, “Personal Information” is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. This information is referred to in this Notice as “Personal Data.”

We collect Personal Data in a variety of contexts. For example, we collect Personal Data to provide individual and commercial financial products and services, and for our employment and human resource purposes.

The Personal Data that we collect about a specific California resident will depend on, for example, our relationship or interaction with that individual.

Types of Personal Data We Collect

In the past 12 months, we may have collected and disclosed the following categories of Personal Data for business purposes to our third-party service providers, our affiliates and business partners, and regulators/government agencies. We may also continue to collect these categories of Personal Data.

Categories of InformationExamples
Address and other identifiersName, postal address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
Characteristics of protected classificationsAge, gender, and marital status
Unique and online identifiersIP address, device IDs, browsing history, search history, and information on consumer’s interaction with a website
Commercial informationRecords of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
Biometric InformationFingerprints
Internet or other electronic network activity informationBrowsing history, search history, settings, and information regarding an individual’s interaction with an internet website, application, or advertisement, device information, including name of device and operating system, cookies and pixel tags, city of login, and other data that your browser automatically sends
Audio or video footage or other visual informationService calls, video recording of notary session, voicemails and other audio recordings, photographs
Professional or Employment InformationEmployer, years of employment
Educational InformationSchool attended, level of educational attainment, schools attended

The table includes examples in each category but these examples are not exclusive and may not be applicable to job applicants or employees. In addition, we may draw inferences about you based on the information you provide, such as individual preferences or characteristics, and we may collect and use information as described to you when collecting the information. We may also receive Personal Data that individuals provide to us or store on our systems.

Why We Collect Personal Data and How We Use It

The purposes for which we collect and use Personal Data depend on, among other things, our relationship or interaction with a specific California resident. The table below lists the purposes for which we collect and use Personal Data in different contexts.

Purposes for Collection and UseExamples
Provide and manage products and services
  • Establish and process transactions for our products and services including HELOC, Unsecured, Mortgage ReFi, and Student Refinance loans, investment accounts, as well as additional products for businesses such as institutional financing and payment services
  • Support the ongoing management and maintenance of our products and services including but not limited to provide account statements, online access, customer service, payments and collections, and account notifications
Support our everyday operations, including to meet risk, legal, and compliance requirements
  • Perform accounting, monitoring, and reporting
  • Enable information security and anti-fraud operations, as well as credit, underwriting, and due diligence
  • Support audit and investigations, legal requests and demands, as well as exercise and defend legal claims
  • Enable the use of service providers for business purposes
  • Comply with policies, procedures, and contractual obligations
Manage, improve, and develop our business(es)
  • Market, personalize, develop, as well as improve our products and services
  • Conduct research and analysis, including to drive product and services innovation
  • Support customer relationship management
Support employment, infrastructure, and human resource management
  • Provide benefits to employees and dependents, including healthcare and retirement plans
  • Manage pay and compensation activities
  • Manage and operate our facilities and infrastructure
  • Process employment applications

Sources of Personal Data

The sources from which we collect Personal Data depend on, among other things, our relationship or interaction with a specific California resident. The information below lists the categories of sources from which we collect Personal Data in different contexts.

  • From California residents directly, or other individuals acting on their behalf, through physical (e.g., online application), audible (e.g., phone), or electronic (e.g., mobile application, social media) sources.
  • Public records or widely available sources, and other records and information that are made available by federal, state, or local government entities.
  • Outside companies or organizations that provide data to support activities such as fraud prevention, underwriting, and marketing. Examples may include internet service providers, payment integration, operating systems and platforms, advertising networks, and data analytics providers.
  • Outside companies or organizations from whom we collect Personal Data to support human resource and workforce management activities. Examples may include operating systems and platforms (e.g., Greenhouse), and social networks (e.g., LinkedIn).
  • Outside companies or organizations from whom we collect Personal Data as part of providing products and services, completing transactions, supporting our everyday operations, or business management and development. Examples include companies or organizations to whom we provide products or services; other parties, partners, and financial institutions; and parties involved in other transactions involving transfers of all or part of a business, or a set of assets.

Categories of Third Parties and Our Disclosure of Personal Data

The categories of third parties to whom we disclose Personal Data about a specific individual depend on, among other things, our relationship or interaction with a specific California resident. During the past 12 months, we have disclosed for our business purposes the eleven categories of Personal Data listed above to the following categories of third parties:

  • Outside companies or organizations, including service providers subject to appropriate confidentiality and use restrictions, to whom we disclose Personal Data as part of providing products and services, completing transactions, supporting our everyday operations, or business management and development.
  • Government agencies including to support regulatory and legal requirements
  • Outside companies or organizations, including service providers subject to appropriate confidentiality and use restrictions, to whom we provide Personal Data to support human resource activities and workforce management. Examples may include operating systems and platforms and data analytics providers.
  • Outside companies or organizations, in connection with routine or required reporting, including consumer reporting agencies and other parties.

California residents have the right to opt out of the sale of their information by businesses that sell Personal Data. The CCPA defines a “sale” as the disclosure of Personal Data for monetary or other valuable consideration. Figure does not offer an opt out from the sale of Personal Data because we do not and have not within at least the last 12 months sold Personal Data that is subject to the CCPA’s sale limitation. The CCPA also requires that we state that we have no actual knowledge that we have sold Personal Data of California residents 15 years of age and younger.

Requests Under the CCPA

If you are a California resident, you have the right to request that we:

  1. Disclose to you the following information covering the 12-month period prior to your request (“Access Request”):

    a. The categories of Personal Data Figure has collected about you and the categories of sources from which Figure collected the Personal Data;

    b. The business or commercial purpose for collecting Personal Data about you;

    c. The categories of third parties to whom Figure disclosed Personal Data about you, and the categories of Personal Data disclosed;

    d. The specific pieces of Personal Data Figure collected about you; and

  2. Delete Personal Data that Figure collected from you (“Deletion Request”).

In addition, you have the right to be free from discrimination by a business for exercising your rights under the CCPA.

Responding to Requests

Privacy and data protection laws, other than the CCPA, apply to the Personal Data that we collect, use, and disclose. When these laws apply, Personal Data may be exempt from, or outside the scope of, Access Requests and Deletion Requests. For example, information subject to certain federal privacy laws, such as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability, is exempt from CCPA Requests. As a result, in some instances, we may decline all or part of an Access Request or Deletion Request related to Personal Data exempt from CCPA Requests. This means that we may not provide some or all of this Personal Data when you make an Access Request. Also, we may not delete some or all of this Personal Data when you make a Deletion Request.

There may be some types of Personal Data that can be associated with a household (a group of people living together in a single home). Requests for access or deletion of household Personal Information must be made by each member of the household. We will verify each member of the household using the verification criteria explained below. If we are unable to verify the identity of each household member with the degree of certainty required, we will not be able to respond to the request.

Furthermore, we are not required to delete information that is necessary for us to: complete the transaction for which we collected the information; provide you with a good or service you requested; perform a contract Figure entered into with you; detect security incidents; maintain the functionality or security of Figure’s systems; comply with or exercise rights provided by the law; or use the information internally in ways that are comparable with the context in which you provided the information to Figure or that are reasonably aligned with expectations based on your relationship with Figure, among other things. We may also retain information where another exception to the deletion requirements in Cal. Civ. Code § 1798.105(d) applies.

In addition to the above, we may not include Personal Data when we respond to or process Access Requests or Deletion Requests when the CCPA recognizes another exception. For example, we will not provide the Personal Data about another individual where doing so would adversely affect the data privacy rights of that individual. As another example, we will not delete Personal Data when it is necessary to maintain that Personal Data to comply with a legal obligation.

How to Make Requests

If you are a California resident, you can make an Access Request or a Deletion Request by:

  1. Contacting us at 888-819-6388  Opens a new window.; or
  2. Email your request to privacy@figure.com  Opens a new window.

Our responses to such requests will cover the 12-month period preceding our receipt of the request. You will need to submit certain information in order for us to verify your identity or request before we process your request including your name, address, email address, phone number, attestation that you are a California resident and relationship with Figure. You may also designate an agent to submit a request on your behalf.

Authorized Agents

If you are a California resident, you may authorize an agent to make an access or deletion request on your behalf. A California resident’s authorized agent may make a request on behalf of the California resident by contacting us at the toll-free number or email listed above. As part of our verification process, we may request that you provide, as applicable:

  • For an individual (“requestor”) making a request on behalf of a California resident:
    • The requestor’s name; contact information; social security or individual taxpayer identification number; date of birth; and Driver’s License or State ID.
    • The name; contact information; social security or individual taxpayer identification number; date of birth; and Driver’s License, State ID, or of the California resident on whose behalf the request is being made.
    • A document to confirm that the requestor is authorized to make the request. We accept as applicable, a copy of a power of attorney, legal guardianship or conservatorship order, or a birth certificate of a minor if the requestor is the custodial parent.
  • For a company or organization (“legal entity requestor”) making a request on behalf of a California resident:
    • The legal entity requestor’s active registration with the California Secretary of State.
    • Proof that the California resident has authorized the legal entity requestor to make the request. We accept as applicable, a copy of power of attorney, or legal guardianship or conservatorship order.
    • The name; contact information; social security or individual taxpayer identification number; data of birth; and Driver’s License or State ID of the California resident on whose behalf the request is being made. From the individual who is acting on behalf of the legal entity requestor, proof that the individual is authorized by the legal entity requestor to make the request. We accept a letter on the legal entity requestor’s letterhead, signed by an officer of the organization.

We will respond to requests for access or deletion as soon as practicable and in any event generally not more than within 45 days after receipt of your request. We may extend this period to 90 days in some cases.

Non-Discrimination: If you exercise any of the rights explained in this Privacy Notice, we will continue to treat you fairly. If you exercise your rights under this Privacy Notice, you will not be denied or charged different prices or rates for goods or services, or provided a different level or quality of goods or services than other consumers.

Accessibility: We are committed to ensuring that our communications are accessible to individuals with disabilities. Individuals with disabilities can access this policy in alternative formats by contacting us at the address, phone, or email address below. This website is designed to meet content accessibility guidelines. To submit accessibility-related requests or report barriers to accessibility, please contact us by either:

Do Not Track Signals

Our Site currently does not respond to “Do Not Track” (“DNT”) signals and operates as described in this Privacy Notice and Figure’s Privacy Policy whether or not a DNT signal is received. If we do so in the future, we will describe how we do so in Figure’s Privacy Policy.

Links to Other Websites

This Privacy Notice only applies to information collected by Figure through our Services. Our Services may contain links to other web sites, apps or online services not operated or controlled by Figure (“Third Party Sites”). The policies and procedures described here do not apply to Third Party Sites. By providing links to Third Party Sites or services we do not imply that we endorse or have reviewed such websites or services. We suggest that you contact those sites directly for information about their data practices and policies and we encourage you to read their privacy policies before providing any information to them.

Security

You use the Services at your own risk. We use reasonable precautions, including technical and administrative measures, to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no internet or e-mail transmission is ever fully secure or error free. In particular, e-mail sent to or from us in connection with the Services may not be secure. Therefore, you should take special care in deciding what information you send to us.

Update Your Information

You may be able to update some of your account information through your App settings.

Changes to This Privacy Notice

We reserve the right to amend, alter, or otherwise change this Privacy Notice at our sole and absolute discretion. If we make material changes to this Privacy Notice, we will post notice that the Policy has been updated in the “Last Revised” section of the Policy, and the revised version will be effective when it is posted. For material retroactive changes, we will notify you consistent with the law. Further use of the Services following any such changes constitutes your agreement to follow and to be bound by the amended Privacy Notice, so we encourage you to check for updates.

Contacting Us

If you have any questions, you can contact us at 888-819-6388  Opens a new window. or privacy@figure.com  Opens a new window..