Privacy & Security

Last updated August 29, 2025

Online Privacy Policy

This Online Privacy Policy describes how Montecito Bank & Trust (the "Bank") collects and uses information from or about you through its Internet banking interfaces (e.g. website or mobile application) owned and controlled by the Bank.

Our Consumer Privacy Policy describes our information sharing practices and your choices in limiting that sharing.

Personal Information We Collect Online

Personal Information means personally identifiable information such as name, address, telephone number, taxpayer identification number, or account numbers. We collect this information online when you complete one of our online forms, surveys, applications or other online fields that request this type of information:

• To respond to your inquiries and fulfill your requests
• To send you important information regarding our online site ("Sites"), changes to our terms, conditions, and policies and/or other administrative information
• To send you marketing communications that we believe may be of interest to you
• To personalize your experience on the Sites by presenting products and offers tailored to you
• To allow you to apply for one of our products and evaluate your eligibility for such a product
• To verify your identity and/or location in order to allow access to your accounts, conduct online transactions and to maintain measures aimed at preventing fraud and protecting the security of account and Personal Information
• To allow you to participate in surveys, sweepstakes, contests and similar promotions and to administer these activities. Some of these activities have additional rules, which could contain additional information about how we use and disclose Personal Information
• For our business purposes, such as data analysis, audits, developing new products, enhancing our Sites, improving our services, identifying usage trends and determining the effectiveness of our promotional campaigns
• For risk control, to comply with laws and regulations and to comply with other legal process and law enforcement requirements.

Other Information We Collect Online

Other Information is any information other than Personal Information that does not reveal your specific identity or does not directly relate to an individual, such as:

• Browser information
• Information collected through cookies, pixel tags and other technologies
• Aggregated and De-identified data

Other Information We Collect Through Email

Other Information is any information other than Personal Information that does not reveal your specific identity or does not directly relate to an individual, such as:

• Browser information
• Information collected through cookies, pixel tags and other technologies
• Aggregated and De-identified data

How We Collect and Use Other Information

We and our third-party service providers may collect and use Other Information in a variety of ways, including:

• Through your browser: Certain information is collected by most browsers, device type, screen resolution, operating system version and internet browser type and version. We use this information to ensure that our Sites function properly and for security purposes.
• Using cookies: Cookies are pieces of information stored directly on the device you are using. Cookies we use do not contain or capture unencrypted Personal Information. Cookies allow us to collect information such as browser type, time spent on the Sites, pages visited, and language preferences. We use the information for security purposes, to facilitate navigation, to display information more effectively, to personalize your experience while visiting the Sites, and to recognize your device to allow your use of our online products. We also gather statistical information about the usage of the Sites in order to continually improve the design and functionality, to monitor responses to our advertisements, to understand how customers use the Sites and to assist us with resolving questions regarding the Sites.
• You can refuse to accept these cookies, and most devices and browsers offer their own privacy settings for cookies. You will need to manage your cookie settings for each device and browser you use. However, if you do not accept these cookies, you may experience some inconvenience in your use of the Sites and some online products. For example, we will not be able to recognize your device, and you will need to answer a challenge question each time you log on.
• Using pixel tags, web beacons, clear GIFs or other technologies: These may be used in connection with some Site pages, downloadable mobile applications and HTML-formatted email messages to measure the effectiveness of our communications, the success of our marketing campaigns, compile statistics about usage and response rates, and to assist us in resolving customers' questions regarding use of our Sites.
• IP Address: Your IP Address is a number that is automatically assigned to the device that you are using by your Internet Service Provider (ISP). An IP Address is identified and logged automatically in our server log files whenever a user visits the Sites, along with the time of the visit and the page(s) that were visited. Collecting IP Addresses is standard practice on the internet and is done automatically by many web sites. We use IP Addresses for purposes such as calculating Site usage levels, helping diagnose server problems, and administering the Sites.
• Aggregated and De-identified Data: Aggregated and De-identified Data is data that the bank may create or compile from various sources, including accounts and transactions. This information, which does not identify individual customers, is used by the bank for its business purposes, which may include offering products or services, research, marketing or analyzing market trends, and other purposes consistent with applicable laws.
• We may collect information regarding your mobile device such as device settings, unique device identifiers, information about your location, and analytical information that may assist with diagnostics and performance. For your convenience, you may be asked to grant permission for access to your mobile device's geolocation data. This information may be collected when you use certain services that are dependent on your mobile device’s location (such as the location of an ATM or in store transactions). If you initially granted permission to the collection of geolocation information, you can subsequently stop the collection of this information at any time by changing the preferences on your mobile device. Please note, however, that if you revoke permission to our collection of location information, you may no longer be able to use some features of the service.

Social Media Sites

The Bank provides experiences on social media platforms, such as Facebook^®, that enable online sharing and collaboration among users who have registered to use them. Any content you post, such as pictures, information, opinions, or any Personal Information that you make available to other participants on these social platforms, is subject to the Terms of Use and Privacy Policies of those platforms. Please refer to them to better understand your rights and obligations with regard to such content.

Online Banking

Montecito Bank & Trust safeguards your personal information online by using Secure Socket Layer (SSL) technology to encrypt your personal information such as User Ids, Passwords, and account information over the internet. As a security measure, you may access your account information online from our website only if you have registered with Montecito Bank & Trust online banking. For more information on the security of our online banking solutions, visit our Online Demos & Customer Education page where you will find user guides about this and other topics.

Protecting Children's Privacy Online

The Site is not directed to individuals under the age of thirteen (13), and we request that these individuals do not provide Personal Information through the Site. We do not knowingly collect information from children under 13 without parental consent. For more information about the Children's Online Privacy Protection Act (COPPA), visit the Federal Trade Commission website.

Updates to this Privacy Policy

This Online Privacy Policy is subject to change. Please review it periodically. If we make changes to the Online Privacy Policy, we will revise the "Last Updated" date at the top of this Notice. Any changes to this Notice will become effective when we post the revised Notice on the Sites. Your use of the Sites following these changes means that you accept the revised Notice.

Last Updated: April 16, 2025

California Consumer Privacy Act Notice

Your privacy is important to us. This California Consumer Privacy Act Disclosure explains how Montecito Bank & Trust's ("we," or "us") collect, use, and disclose personal information relating to California residents covered by the California Consumer Privacy Act of 2018 ("CCPA"). This notice is provided pursuant to the CCPA.

Introduction 

Under the CCPA, "Personal Information" is information that identifies, relates to, or could reasonable be linked directly or indirectly with a particular California resident. The CCPA, however, does not apply to certain information, such as information subject to the Gramm-Leach-Bliley Act ("GLBA").

The specific Personal Information that we collect, use, and disclose relating to a California resident covered by the CCPA will vary based on our relationship or interaction with that individual. For example, this Disclosure does not apply with respect to information that we collect about California residents who apply for or obtain our financial products and services for personal, family, or household purposes.

Keeping Personal Information secure is one of our most important priorities. Consistent with our obligations under applicable laws and regulations, we maintain physical, technical, electronic, procedural, and organizational safeguards and security measures that are designed to protect personal data against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access, whether it is processed by us or elsewhere.

Collection and Disclosure of Personal Information

We collect, for our business purposes, certain personal information to provide financial products and services, and for employment purposes ("personal information"). In particular, we have collected the following categories of personal information relating to California residents within the last twelve (12) months:

• Identifiers, such as name and government-issued identifier (e.g., Social Security number, legal first name, last name, etc.);
• Personal information, as defined in the California safeguards law, such as contact information and financial information (email address, current address, phone number, date of birth);
• Characteristics of protected classifications under California or federal law, such as sex and marital status, or beneficiary information;
• Commercial information, such as transaction information and purchase history;
• Internet or network activity information, such as browsing history and interactions with our website;
• Geolocation data, such as device location and Internet Protocol (IP) location;
• Biometric information, such as fingerprints;
• Audio, electronic, visual and similar information, such as call and video recordings;
• Professional or employment-related information, such as work history and prior employer as part of your employment with Montecito Bank & Trust;
• Inferences drawn from any of the Personal Information listed above: used to create a profile or biography about, for example, an individual’s background and qualifications; and
• Sensitive Personal Information such as:
  • Social Security number, driver’s license, state identification card, or passport number;
  • Account log-in, financial account, debit card or credit card number, password, or credentials allowing access to an account;
  • Racial or ethnic origin;
  • The contents of mail, email, and text messages; and
  • Biometric information processed to uniquely identify an individual.

The categories of sources from whom we collected this Personal Information are:

• Directly from a California resident or the individual’s representatives through paper applications, telephone, or electronic means.
• Service Providers and other third parties to provide products and services or process transactions requested by you.
• Public Record Sources (Federal, State or Local Government Sources)
• Information from Corporate Clients about individuals associated with the Clients, for example, an employee or board member.
• Outside companies we use to support human resources and workforce management activities.

The categories of third parties to whom we disclosed Personal Information for our business purposes described in this privacy disclosure are:

• Vendors and Service Providers who provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure, customer service, email delivery, auditing, marketing and marketing research activities.
• Partners and Third Parties who provide services such as payment, banking and communication infrastructure, storage, legal expertise, tax expertise, notaries and auditors, who promote the bank and its financial services and products to customers and other prospective buyers.
• Other Third Parties who enable customers to conduct business online and via mobile devices.
• Outside companies in connection with routine or required reporting, including consumer reporting agencies.
• Government Agencies as required by laws and regulations.

Use of Personal Information

In the past twelve (12) months, we have used Personal Information relating to California residents to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business purposes and objectives, including the following:

• Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services.
• Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
• Short-term, transient use where the information is not disclosed to a third party and is not used to build a profile or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
• Auditing related to a current interaction and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
• Undertaking activities to verify or maintain the quality or safety of a service controlled by us, and to improve, upgrade, or enhance the service controlled by the business.
• Debugging to identify and repair errors that impair existing intended functionality.
• Complying with laws and regulations and to comply with other legal process and law enforcement requirements, including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions.

Sale of Personal Information

In the past 12 months, we have not sold Personal Information subject to the CCPA, including Personal Information of minors under the age of 16. For purposes of this Disclosure, sold means the disclosure of Personal Information to a third-party for monetary or other valuable consideration.

Data Retention

We will keep Personal Information no longer than reasonably necessary to fulfil the purposes described in this Disclosure. According to our retention policy, we are required to destroy records containing Personal Information according to specific periods contained in that policy. However, we may need to hold such records beyond these retention periods as set forth in our record retention policy, due to regulatory requirements, or in response to a regulatory audit, investigation, or other legal matter.

Your Rights under the CCPA

If you are a California resident, you have the right to:

Request we disclose to you, free of charge, the following information covering the 12 months preceding your request ("Access Request");

• the categories of Personal Information we have collected about you;
• the categories of sources from which the Personal Information was collected;
• the purpose for collecting Personal Information about you;
• the categories of third parties to whom we disclosed Personal Information about you and the categories of Personal Information that was disclosed (if applicable) and the purpose for disclosing the Personal Information about you; and
• the specific pieces of Personal Information we have collected about you.

Request we delete Personal Information we collected from you, unless the CCPA recognizes an exception ("Deletion Request");

Request we correct inaccurate Personal Information that we maintain about you (“Correction Request”); and

Be free from unlawful discrimination for exercising your rights under the CCPA.

We will acknowledge receipt of your request and advise you how long we expect it will take to respond if we are able to verify your identity. Requests for specific pieces of Personal Information will require additional information to verify your identity. If you submit a request on behalf of another person, we may require proof of authorization and verification of identity directly from the person for whom you are submitting a request.

Privacy and data protection laws, other than the CCPA, apply to much of the Personal Information that we collect, use, and disclose. When these laws apply, Personal Information may be exempt from, or outside the scope of, Access or Deletion Requests. For example, information subject to certain federal privacy laws is exempt from CCPA requests. As a result, in some instances, we may decline all or part of an Access or Deletion Request related to Personal Information exempt from CCPA Requests. This means that we may not provide some or all of this Personal Information when you make an Access Request. Also, we may not delete some or all of this Personal Information when you make a Deletion Request.

As examples, our processing of or response to an Access Request or Deletion Request may not include some or all of the following Personal Information:

• Consumer Accounts: Personal Information connected with consumer accounts used for personal, family, or household purposes.
• Employment: Personal Information about an individual who is a current or former employee or job applicant, and we use that Personal Information within the context of that individual’s role as a current or former employee or job applicant.
• Business-to-Business Relationships: Certain Personal Information we collect in the course of providing a product or service to another business, or in the course of receiving a product or service from another business.

The types of Personal Information described above are examples. We have not listed all types of Personal Information that may not be included when we respond to or process Access Requests or Deletion Requests.

In addition to the above, in some instances, we may not be able to honor your request. For example, we will not honor your request if we cannot verify your identity or if we cannot verify that you have the authority to make a request on behalf of another individual. Additionally, we will not honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another consumer or where the Personal Information that we maintain about you is not subject to the CCPA's access or deletion rights.

We will advise you in our response if we are not able to honor your request. We will not provide social security numbers, driver's license numbers or government issued identification numbers, financial account numbers, health care or medical identification numbers, account passwords or security questions and answers, or any specific pieces of information if the disclosure presents the possibility of unauthorized access that could result in identity theft or fraud or unreasonable risk to data or systems and network security.

How to Exercise Your Rights

If you are a California resident, to exercise the rights described above, please submit a verifiable consumer request to us by either:

• Calling 805-963-7511 or 800-348-0146; or
• Emailing [email protected]

We will ask you to provide the following information to identify yourself:

• Name, social security or individual taxpayer identification number, date of birth, contact information, and a copy of government issued photo ID.

Changes to This Disclosure

This Disclosure is subject to change. Please review it periodically. If we make changes to this Disclosure, we will revise the "Updated" date at the top of this Disclosure.

Questions or Concerns

You may contact us with questions or concerns about this Disclosure and our practices by:

Phone: 805-963-7511 or 800-348-0146

Email: [email protected]

Mail:

Montecito Bank & Trust
Attn: Risk and Compliance
P.O. Box 2460
Santa Barbara, CA 93120