California Privacy Statement

EFFECTIVE DATE: 01/1/2020
REVISED 05/06/2026

This PRIVACY STATEMENT FOR CALIFORNIA RESIDENTS (“Notice”) supplements the information contained in the Privacy Notice of Bank of Marin (collectively, “we,” “us,” or “our”) and applies solely to individuals who reside in the State of California (“consumers” or “you”). Bank of Marin adopts this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this notice.

PERSONAL INFORMATION WE COLLECT

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Information”).
We may allow analytics providers to collect limited information about website and digital banking usage. Where applicable, such providers act as service providers or contractors and are contractually restricted from using Personal Information for purposes other than providing services to Bank of Marin.

SENSITIVE PERSONAL INFORMATION

Certain Personal Information we collect may be classified as “Sensitive Personal Information” (“SPI”) under the CPRA, such as government identifiers, account access credentials, and precise geolocation. Bank of Marin collects and uses SPI only for purposes permitted by the CPRA, including to provide financial products and services, detect and prevent fraud, ensure security and integrity, comply with legal obligations, and for other lawful purposes.
California residents have the right to limit the use and disclosure of Sensitive Personal Information to those purposes permitted by law.
CATEGORIES OF PERSONAL INFORMATION COLLECTED

Category of personal information	Representative Data Elements	Do we Collect?
Identifiers	Real name, or alias Postal address Unique identifier, unique personal identifier Internet Protocol address Government issued identifier (e.g. Social Security number) Passport number Driver’s license number Telephone number Email address, account name, or other similar identifiers.	Yes
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	Name Signature State or Government issued identification card number Physical characteristics or description Insurance policy number Employment history Bank account number Credit or debit card number Other financial information Medical information Health insurance information.	Yes
Protected classification characteristics under California or federal law	Date of birth/age Gender Veteran or military status Marital status Race Ethnicity or National Origin Religion Disability	Yes
Commercial information	Records of personal property Products or services purchased, obtained, or considered Other purchasing or consuming histories or tendencies	Yes
Biometric information	Fingerprints Faceprints or face imagery Voiceprints and/or voice recordings that can be extracted	Yes
Internet or other similar network activity	Browsing history Search history Information regarding interaction with a website, application, or advertisement.	Yes
Device Information *Note: Some information included in this category may overlap with other categories.	Device identifier or identifying information, characteristics, or settings about the device you use to access our online services IP Address Information in cookies, pixel tags or from collection technologies Mobile ad identifiers Mobile device information (with permission, such as location, contacts, camera)	Yes
Geolocation data	Physical location Movements Precise geolocation	Yes
Sensory data	Audio Visual Electronic Note: these data types are typically collected during phone and in-person for security and training purpose.	Yes

Category of personal information	Representative Data Elements	Do we collect?
Professional / Employment information	Current or past job history or performance evaluations	Yes
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))	Education records, such as, enrollment, grades, transcripts, student schedules Student financial information, including tuition costs and reimbursement	Yes
Inferences drawn from other personal information	Inferences based on information about an individual to create a summary about, for example an individual’s preferences and characteristics Note: Inferences are not performed based on any sensitive personal information collected.	Yes
Sensitive Personal Information	Government identifiers (Social security, driver’s license, state identification card, or passport number) Complete account access credentials (usernames, account numbers or card numbers, combined with any security or access code, password, or credential required for allowing access to an account) Precise geolocation Racial or ethnic origin, religious or philosophical beliefs, or Union Membership Biometric information when used for the purpose of uniquely identifying a consumer Personal information collected and analyzed concerning a consumer’s health *Note: Some information included in this category may overlap with other categories.	Yes

PERSONAL INFORMATION NOT COVERED:

Publicly available information from government records.
De-identified or aggregated consumer information.
Information excluded from the CCPA’s scope, like:
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
- Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

SOURCES OF PERSONAL INFORMATION

We obtain the categories of personal information listed above from the following categories of sources:

Directly from our clients. For example, from documents that our clients provide to us related to the services for which they engage us.
Indirectly from our clients. For example, through information we collect from our clients in the course of providing services to them.
Directly and indirectly from activity on our website (www.bankofmarin.com). For example, from submissions through our website portal or website usage details collected automatically.
From third parties that interact with us in connection with the services we perform. For example, from credit reporting agencies when reviewing for deposit and credit products.

PURPOSE FOR COLLECTION AND USE OF PERSONAL INFORMATION

We may use the personal information we collect for the following business or commercial purposes:

Purpose of Collection and Use	Example
Provide and manage products and services	Establish your account(s) and/or preferences, process transactions for our products and services including checking accounts, credit cards, loans, investment accounts, as well as additional products for businesses such as commercial financing and payment services Support the ongoing management and maintenance of our products and services including to provide account statements, online banking access, online services, customer service, payments and collections, and account notifications To respond to your inquiries and fulfill your requests To provide important information regarding the products or services for which you apply or may be interested in applying for, or in which you are already enrolled, changes to terms, conditions, and policies and/or other administrative information. To allow you to apply for products or services (for example, to prequalify for a mortgage, apply for a credit card, or to open an account) and evaluate your eligibility for such products or services.
Support our everyday operations, including to meet risk, legal, and compliance requirements	Perform accounting, monitoring, and reporting Enable information security and anti-fraud operations, verify your identity, as well as credit, underwriting, and due diligence Support audit and investigations, legal requests and demands, as well as exercise and defend legal claims Enable the use of service providers for business purposes Comply with policies, procedures, and contractual obligations For compliance, fraud prevention, and safety purposes, including protecting the security of account and personal information Collect information through our social media pages and other online interactions with you to assist in verifying your identity and account status. We may combine this online information with information collected from offline sources or information we already have Defend or protect us, you, our client, or third parties, from harm or in legal proceedings Respond to court orders, lawsuits, subpoenas, and government requests

Purpose of Collection and Use	Example
Manage, improve, and develop our business	Personalize, develop, as well as improve our products and services Support customer relationship management To personalize your experience on our websites and enhance websites To allow you to participate in surveys and other forms of market research, sweepstakes, contests, and similar promotions and to administer these activities. Some of these activities have additional rules, which may contain additional information about how Personal Information is used and shared
Research and Analytical Purposes	Understand how you use our websites, mobile applications, and other digital properties (collectively, the “Sites”) The methods and devices you use to access our Sites Make improvements to our Sites Conduct research and analysis, identify usage trends, determine effectiveness of promotional campaigns, and to drive product and services innovation
Marketing and Advertising Purposes	Send you marketing and advertising communications about our products and services
Provide and manage digital and mobile products and services	Information stored on your device, such as location, camera, contacts, or other features you are enrolled in to enrich and simplify your own user experience and improve our services, as well as provide additional security to protect your account.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

SHARING PERSONAL INFORMATION

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract. The business purpose are what you would reasonably expect are necessary to provide you with the products and services we offer. We do not collect or use your sensitive personal information for the purpose of inferring

characteristics about you.

*Category of Personal Information or () Sensitive Personal Information**	Category of recipients to who we disclose personal information
Identifiers	Affiliates, Service providers and Contractors Representatives of CA residents, Professional Advisors, Business Partners In connection with performing routine or required reporting For Risk, Legal and Compliance
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	Service providers and Contractors Representatives of CA residents, Professional Advisors, Business Partners In connection with performing routine or required reporting For Risk, Legal and Compliance
Protected classification characteristics under California or federal law	Service providers and Contractors Representatives of CA residents, Professional Advisors, Business Partners In connection with performing routine or required reporting For Risk, Legal and Compliance
Commercial Information	Service providers and Contractors Representatives of CA residents, Professional Advisors, Business Partners In connection with performing routine or required reporting For Risk, Legal and Compliance
Biometric Information	Service providers and Contractors
Internet or other similar network activity	Service providers and Contractors Advertising or Analytics Providers For Risk, Legal and Compliance
Device Information	Advertising or Analytics Providers
Geolocation Data	Service providers and Contractors
Sensory Data	Service providers and Contractors
Professional or employment related information	Service providers and Contractors Representatives of CA residents For Risk, Legal and Compliance
Non-public education information (per the Family Educational Rights and Privacy Act)	Service providers and Contractors
*Category of Personal Information or () Sensitive Personal Information**	Category of recipients to who we disclose personal information

DATA RETENTION

The Bank retains Personal Information, including sensitive personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including legal, regulatory, audit, and business requirements. When no longer required, information is securely deleted in accordance with our record retention policies.

SHARING, SELLING AND DISCLOSURE OF PERSONAL INFORMATION

We may disclose your personal information to service providers, contractors and other third parties for business purposes subject to contractual protections. Bank of Marin does not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising. Where applicable we recognize and process Global Privacy Control (GPC) signals as opt-out requests under California law.

YOUR CALIFORNIA PRIVACY RIGHTS

Right to Know / Access

Request disclosure of the categories and specific pieces of Personal Information collected, sources, purposes, and disclosures.

Right to Delete

Request deletion of Personal Information, subject to statutory exceptions.

Right to Correct

Request correction of inaccurate Personal Information.

Right to Limit Use of Sensitive Personal Information

Limit use and disclosure of SPI to purposes permitted by law.

Non‑Discrimination

We will not discriminate against you for exercising your privacy rights.

EXERCISING YOUR RIGHTS

You may submit a verifiable consumer request by:

Calling 1-866-626-6004, option 6.
Emailing branchservices@bankofmarin.com.

RESPONSE TIMING AND FORMAT

We respond to verified requests within 45 days, with a possible extension up to 90 days where permitted. Responses cover the 12‑month period preceding the request and are provided in a portable, readily usable format where required.

FINANCIAL INCENTIVES

We do not offer financial incentives in exchange for Personal Information unless expressly permitted by law. Any such program would include required disclosures.

CHANGES TO THIS NOTICE

We may update this Notice from time to time. The effective date will be updated accordingly, and changes will be posted on our website.

CONTACT INFORMATION
If you have questions or wish to exercise your rights:
Bank of Marin
Phone: 1‑866‑626‑6004 (Option 6)
Email: branchservices@bankofmarin.com

EXERCISING ACCESS, DATA PORTABILITY, AND DELETION RIGHTS

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

Calling us at 1-866-626-6004, option 6.
Emailing us at branchservices@bankofmarin.com.

Only you or a person authorized to act on your behalf may make a valid consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and,
Describe your request with enough detail that allows us to properly understand, evaluate, and respond to it.

In some instances, we may not be able to honor your request. For example, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Additionally, we will not honor your request where an exception applies such as where the disclosure of personal information would adversely affect the rights and freedoms of another consumer or where the personal Information that we maintain about you is not subject to the CCPA’s access or deletion rights. We will advise you in our response if we are not able to honor your request.

RESPONSE TIMING AND FORMAT

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

NON-DISCRIMINATION

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

CHANGES TO OUR PRIVACY NOTICE

We reserve the right to amend this PRIVACY NOTICE FOR California Residents at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the Website and update the Notice’s effective date. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.

CONTACT INFORMATION

If you have any questions or comments about this Notice, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us:
Call us at 1-866-626-6004, option 6 or send an email to branchservices@bankofmarin.com.