Sascu Privacy Policy — How We Protect Member Information

Sascu is committed to safeguarding the personal and financial information of every member. This privacy policy describes the types of information Sascu collects, how that information is used, the limited circumstances under which it may be shared, and the steps members can take to control their privacy preferences. Sascu complies with the Gramm-Leach-Bliley Act, NCUA privacy regulations, and all applicable federal and state financial privacy laws.

Information Sascu Collects

Sascu collects information about members that is necessary to provide financial products and services, process transactions, comply with legal and regulatory obligations, and protect against fraud and unauthorized access. The information Sascu gathers falls into three general categories: information provided directly by the member, information generated through account activity, and information obtained from external sources for verification or risk assessment purposes.

Information provided by members includes data submitted on account applications, loan applications, and other forms. This covers names, addresses, Social Security numbers, dates of birth, telephone numbers, email addresses, employment details, income information, and asset documentation. When a member opens an account at Sascu, the credit union collects sufficient information to verify the member's identity under the Customer Identification Program requirements of the USA PATRIOT Act. Sascu retains this information for the duration of the membership and for a period afterward as required by recordkeeping regulations.

Transaction and experience information is generated as the member uses Sascu products and services. Each deposit, withdrawal, transfer, loan payment, debit card purchase, bill payment, and wire transfer creates a transaction record that Sascu maintains in the member's account history. This category also includes account balances, payment histories, overdraft occurrences, credit card usage patterns, and the member's history of interactions with Sascu customer service. Sascu Online Banking and the Sascu Mobile App automatically log session information including the type of device and browser used, the Internet Protocol address from which the session originated, the pages and features accessed, and the time and duration of each session. This technical data helps Sascu detect unauthorized access attempts, diagnose technical issues, and improve the digital banking experience.

Information from external sources includes credit reports obtained from consumer reporting agencies when a member applies for a loan or credit card, employment and income verifications from employers or payroll services, property valuations from appraisal firms for mortgage applications, and identity verification data from third-party identity verification services. Sascu obtains this information with the member's authorization, typically as part of a loan application or credit product request. External information is used only for the specific purpose for which it was obtained and is not retained beyond the period necessary to fulfill that purpose and meet regulatory recordkeeping requirements.

Online and Mobile Tracking

The Sascu website and Sascu mobile app use cookies, web beacons, and similar technologies to support site functionality, remember member preferences, and collect aggregate analytics about website usage. Functional cookies enable the online banking login process and remember display preferences such as font size. Analytics cookies collect anonymized data about which pages visitors view, how long they spend on each page, and whether they arrived from a search engine or another referring website. Sascu does not use tracking technologies to build profiles of individual members for advertising purposes, nor does the credit union participate in third-party advertising networks that track users across non-Sascu websites. Members can configure their browser to reject cookies, though doing so may prevent certain Sascu website features from functioning correctly. The Sascu online banking platform will not operate without cookies enabled because they are required for session security.

How Sascu Uses and Shares Member Information

Sascu uses member information to provide the financial products and services members request, to process transactions accurately, to communicate about account status and available services, to comply with legal obligations, and to protect the security of member accounts. Sascu does not sell member information to third parties for marketing purposes. The credit union shares information only in the specific circumstances described in this policy, and only to the extent necessary to accomplish the purpose of the sharing.

Sascu may share member information with third-party service providers that perform operational functions on behalf of the credit union. These service providers include the company that prints and mails account statements, the vendor that processes debit card transactions, the provider that hosts Sascu online banking infrastructure, the firm that conducts independent financial audits, the agency that provides insurance quotes to members, and the company that manages collections on delinquent accounts. Each service provider is contractually bound to use member information only for the specific purpose Sascu has authorized, to maintain information security standards at least as protective as Sascu's own, and to return or destroy member information when the service engagement ends. Sascu does not authorize service providers to use member information for their own marketing or to disclose it to other parties.

Information may be shared with consumer reporting agencies as permitted by the Fair Credit Reporting Act. When a member applies for credit, Sascu reports the inquiry to the credit bureau and subsequently reports the member's payment history on the account. Sascu also reports information to fraud prevention services and check verification systems to protect members and the credit union from fraudulent transactions. These reports contain only the information necessary to fulfill the reporting purpose and are made in compliance with the privacy protections established by federal law.

Sascu may disclose information when required by law, such as in response to a valid subpoena, court order, or regulatory examination. Federal and state financial regulators, including the NCUA, have authority to examine Sascu records as part of their supervisory responsibilities. Law enforcement agencies may request information pursuant to legal process. Sascu reviews each legal demand for information to ensure it is valid and appropriately scoped before disclosing member information. When permitted by law, Sascu notifies the affected member of the disclosure unless notification is prohibited by the terms of the legal demand. Sascu also reports information to the Consumer Financial Protection Bureau and other agencies as required by applicable financial regulations.

Sascu Data Sharing Categories and Member Rights

Category | What We Share | Opt-Out Available | Legal Basis
Joint Marketing Partners | Name, contact information, transaction experience | Yes | Fair Credit Reporting Act, GLBA
Service Providers | Information necessary to perform contracted service | No (required to provide services) | GLBA service provider exception
Consumer Reporting Agencies | Account status, payment history, credit application information | No (permitted by FCRA) | Fair Credit Reporting Act
Fraud Prevention Services | Transaction details, account status flags | No (required for security) | GLBA fraud prevention exception
Legal and Regulatory Response | Information specified in subpoena, court order, or regulatory request | No (legally required) | Subpoena, court order, regulatory authority
Affiliate Sharing (Future) | As described in any future affiliate privacy notice | Yes | FCRA affiliate sharing rules
Third-Party Marketing | Not shared | N/A (no sharing occurs) | N/A (prohibited by Sascu policy)

Member Privacy Rights and Opt-Out Options

Federal law gives Sascu members specific rights regarding their personal financial information. These rights include the right to receive an annual privacy notice describing Sascu information practices, the right to opt out of certain types of information sharing, and the right to limit how Sascu uses information for marketing purposes. This section explains each of these rights and the steps members can take to exercise them.

Sascu provides this privacy policy to all members at account opening and annually thereafter. The annual notice is delivered through the member's preferred communication channel, which may be postal mail or electronic delivery through Sascu online banking. If Sascu makes a material change to its privacy practices, an updated notice is provided before the change takes effect, and members are given an opportunity to opt out of new sharing arrangements to the extent required by law. The current version of the Sascu privacy policy is always available on the Sascu website.

Members have the right to opt out of information sharing with joint marketing partners. Joint marketing refers to arrangements where Sascu partners with another financial institution to offer products such as insurance or investment services. Under these arrangements, Sascu may share the member's name, contact information, and transaction experience data with the marketing partner so the partner can make the member aware of relevant product offerings. Members who prefer not to participate in joint marketing can submit an opt-out request by calling Sascu customer service at (208) 555-0147, by sending a secure message through Sascu online banking, by mailing a written opt-out notice to the Sascu privacy office at any Sascu branch address, or by visiting a branch and completing an opt-out form in person. Opt-out requests are processed within thirty days of receipt and remain in effect until the member revokes the opt-out in writing. Even if a member opts out of joint marketing, Sascu may still send the member information about Sascu's own products and services, as these communications are a normal part of the member relationship.

Accuracy and Access to Personal Information

Sascu maintains procedures to ensure that member information is accurate, current, and complete in accordance with reasonable commercial standards. Members can review and update their contact information through Sascu online banking at any time. Changes to name, address, telephone number, and email address can be made through the Profile or Settings section of the online banking platform. For changes to information that cannot be updated through self-service, such as Social Security number corrections or legal name changes due to marriage or court order, members must visit a Sascu branch with appropriate documentation. Members who believe information in their Sascu records is inaccurate should contact Sascu customer service promptly. If Sascu determines that an error exists, the information is corrected within a reasonable time and, where applicable, notification of the correction is sent to any consumer reporting agency or other party that previously received the inaccurate information.

Information Security and Data Retention

Sascu maintains a comprehensive information security program designed to protect member data against unauthorized access, alteration, disclosure, or destruction. The program includes administrative safeguards such as employee training and access controls, technical safeguards such as encryption and intrusion detection systems, and physical safeguards such as secured facilities and access logging. Sascu's information security program is reviewed and updated at least annually to address evolving threats, and the credit union undergoes regular security examinations by the NCUA and independent security auditors.

Administrative safeguards at Sascu include employee background checks, mandatory annual privacy and security training for all staff, role-based access controls that limit each employee's data access to what is necessary for their job function, and disciplinary policies for privacy violations. Sascu also maintains an incident response plan that defines the steps the credit union takes if a data breach occurs, including containment, investigation, member notification, and regulatory reporting in accordance with applicable state and federal breach notification laws.

Technical safeguards include 256-bit Transport Layer Security encryption for all data transmitted between member devices and Sascu servers, AES-256 encryption for data stored in Sascu databases, multi-factor authentication for online banking access, automatic session timeouts, intrusion detection and prevention systems that monitor network traffic for suspicious activity, and regular vulnerability scanning and penetration testing. Sascu also employs data loss prevention tools that monitor outgoing communications and file transfers for unauthorized disclosure of member information. Physical safeguards at Sascu facilities include controlled access to data centers and server rooms, surveillance systems, visitor logging, and secure disposal procedures for documents and electronic media containing member information.

Sascu retains member information for the duration of the membership relationship and for a period afterward as required by applicable recordkeeping regulations. Different categories of information have different retention periods. Account transaction records are retained for a minimum of seven years in accordance with NCUA recordkeeping requirements. Loan files and associated documentation are retained for the life of the loan plus a specified period after payoff. Identity verification records collected under the USA PATRIOT Act are retained for five years after account closure. When the retention period for a category of information expires, Sascu securely destroys the information using methods appropriate to the format: paper records are shredded, electronic records are overwritten or degaussed, and backup media are destroyed in accordance with industry standards.

Children's Privacy

Sascu does not knowingly collect personal information from children under the age of 13 through the Sascu website or online banking platform without verifiable parental consent. The Sascu website is directed at a general audience of adults who are eligible for credit union membership. Youth savings accounts and student checking accounts opened at Sascu for members under the age of 18 require a parent or legal guardian as a joint account holder, and the adult joint holder provides consent for the collection and use of the minor's information. If Sascu learns that it has collected personal information from a child under 13 without parental consent, the information is promptly deleted from Sascu records. Parents or guardians who have questions about how Sascu handles children's information can contact the Sascu privacy office through customer service.

Gramm-Leach-Bliley Act Compliance

The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, establishes privacy and data security requirements for financial institutions including credit unions. The law's privacy provisions, implemented through Regulation P issued by the Consumer Financial Protection Bureau, require Sascu to provide members with notice of its information-sharing practices and to give members the opportunity to opt out of certain types of sharing. Sascu complies fully with GLBA and Regulation P, as verified through regular NCUA examinations.

Under GLBA, Sascu is required to provide an initial privacy notice when a member relationship is established and an annual notice thereafter. Sascu meets this requirement by delivering this privacy policy at account opening and making it continuously available on the Sascu website. The annual notice is delivered through the member's preferred delivery method. Members who have questions about Sascu's GLBA compliance or who wish to obtain a paper copy of the privacy policy can contact Sascu customer service at (208) 555-0147.

The GLBA Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program. Sascu's security program, described in the Information Security section of this policy, addresses all elements of the Safeguards Rule, including designation of a program coordinator, risk assessment, implementation of safeguards, service provider oversight, and program evaluation and adjustment. Sascu's Board of Directors receives an annual report on the status of the information security program, including risk assessment findings, security incident summaries, and planned improvements. Members with specific questions about Sascu security practices can direct inquiries to the Sascu compliance office through the secure messaging feature in online banking or by mail to any Sascu branch address.

Changes to This Privacy Policy

Sascu reserves the right to modify this privacy policy at any time to reflect changes in information practices, legal requirements, or the services offered to members. Material changes to the policy are communicated to members at least thirty days before the effective date through the member's preferred delivery channel. The communication describes the nature of the change and provides members with an opportunity to opt out of new information-sharing arrangements to the extent the change involves sharing that is subject to opt-out rights under GLBA. The effective date of the current privacy policy is displayed at the end of this document. Members who continue to maintain accounts with Sascu after the effective date of a revised privacy policy are deemed to have accepted the revised terms, except to the extent they have exercised opt-out rights that remain in effect.