Privacy Policy.

HL Hunt is a financial-technology group operating consumer and commercial credit, payments, and adjacent infrastructure. The data controller responsible for personal information processed under this Policy is HL Hunt Inc., a Kentucky corporation with its principal place of business in Lexington, Kentucky, United States.

Group entities covered

This Policy applies to HL Hunt Inc. and each of its wholly-owned subsidiaries operating under common control, including, without limitation:

• HL Hunt Lending LLC — NMLS #2759282; the regulated lending entity within the group.
• HL Hunt Pay — payments orchestration and merchant services.
• HL Hunt Banking — banking-as-a-service program operated in partnership with an FDIC-insured sponsor bank.
• Any future subsidiary acting under the HL Hunt brand and the same governance framework.

To whom this Policy applies

This Policy applies to natural persons interacting with HL Hunt in any capacity — including website visitors, prospective and current members, authorized representatives of commercial customers, job applicants, partners' personnel, and members of the public who contact us. Where you are a personnel of an institutional partner, your employer's privacy notice may apply in addition to this Policy.

Capitalized terms not defined here have the meaning given to them in the applicable statute — including the GDPR (Regulation (EU) 2016/679), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq.), and the Gramm-Leach-Bliley Act (15 U.S.C. §6801 et seq.).

The categories of personal information HL Hunt collects depend on the nature of your relationship with us. The table below tracks the statutory categories enumerated in Cal. Civ. Code §1798.140(v)(1), with concrete examples drawn from our actual practices.

Special note on sensitive personal information

Where we process sensitive personal information, we limit such processing to (i) services you have specifically requested; (ii) detection of security incidents and protection against malicious or unlawful activity; (iii) verification of identity to meet our regulatory obligations; and (iv) ensuring the quality and safety of our services. We do not use sensitive personal information to infer characteristics about you for advertising or marketing purposes.

We collect personal information from the following sources, each governed by appropriate legal grounds and contractual safeguards:

Directly from you

When you register for an account, complete an application, communicate with our team, respond to surveys, or otherwise interact with our products and services. This is the largest single category of personal information we hold.

Automatically through our services

Through cookies and similar technologies (see our Cookie Policy), device telemetry, SDK instrumentation in our mobile applications, and server-side logs. These collections are governed by the consent and legal-basis framework described in Section 5.

From third parties acting at your direction

Banks and financial institutions you connect via account-aggregation services (e.g., Plaid, MX), identity-verification providers, and credit bureaus when you authorize a credit pull.

From third parties acting under their own legal basis

Consumer reporting agencies (Experian, Equifax, TransUnion, Innovis, LexisNexis, Early Warning Services), government databases (e.g., OFAC, FinCEN, SDN list), commercial data providers, fraud-prevention networks, public records, social-media platforms where you have made information publicly available, and our institutional partners.

From your employer or commercial principal

If you are an authorized representative or beneficial owner of a commercial customer, we may obtain information about you from your organization in connection with onboarding, beneficial-ownership verification under the Bank Secrecy Act, or authorized representative designations.

Inferred or derived

We generate certain information about you through internal analysis — including credit-risk scores, fraud indicators, account-health signals, and product-affinity inferences. These derivations are described further in Section 11 (Automated Decisions & Profiling).

We use personal information for clearly-defined business purposes. We do not use personal information for purposes that are materially different from, unrelated to, or incompatible with the purposes described here without first providing notice and, where required, obtaining your consent.

Service delivery

• To register, maintain, and service your account and any product you have requested.
• To process applications, underwrite credit, issue and service credit lines, and manage payment processing through HL Hunt Pay.
• To furnish account information to consumer reporting agencies in the Metro 2 format, consistent with the Fair Credit Reporting Act.
• To investigate and resolve disputes, including under FCRA §623 and Regulation E.

Compliance and security

• To verify identity (KYC) and beneficial ownership (KYB) under the Bank Secrecy Act and applicable state law.
• To screen against sanctions lists (OFAC SDN, EU Consolidated, UK HMT) and politically exposed person (PEP) lists.
• To detect, investigate, prevent, and report suspected fraud, identity theft, money laundering, and other illegal activity.
• To comply with subpoenas, court orders, regulatory examinations, and lawful requests from public authorities.
• To safeguard our infrastructure and the integrity of our services through threat detection, incident response, and audit logging.

Communications and member support

• To respond to inquiries, provide member support, and notify you of operational matters (e.g., service interruptions, billing).
• To send transactional communications related to your account.
• To send marketing and promotional communications where permitted by law and your stated preferences. You may opt out of marketing communications at any time as described in Section 10.

Research, analytics, and product development

• To analyze usage of our products and improve them.
• To develop new products, services, and features.
• To produce aggregated and de-identified statistics that do not identify any individual.

Business operations

• For internal recordkeeping, accounting, audit, tax, and litigation purposes.
• In connection with a merger, acquisition, restructuring, financing, or sale of all or part of our business, subject to appropriate confidentiality undertakings.

For individuals in the European Economic Area, the United Kingdom, and Switzerland, HL Hunt processes personal information under one or more of the legal bases set out in Article 6 of the GDPR. The applicable basis depends on the specific purpose:

• Contract performance (Art. 6(1)(b)) — for processing necessary to provide a service you have requested, including account opening, transaction processing, and member support.
• Legal obligation (Art. 6(1)(c)) — for processing required to comply with applicable law, including financial-services regulation, anti-money-laundering, sanctions screening, recordkeeping, and lawful government requests.
• Legitimate interests (Art. 6(1)(f)) — where processing is necessary for our legitimate interests (or those of a third party) and those interests are not overridden by your rights and freedoms. We use this basis for fraud prevention, network and information security, product analytics, internal operations, and direct marketing of our own products.
• Consent (Art. 6(1)(a)) — for processing that requires your specific, freely given, informed, and unambiguous consent, including non-essential cookies and certain marketing activities. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
• Vital interests (Art. 6(1)(d)) — in exceptional cases necessary to protect the life of an individual.

Sensitive categories

Where processing involves special categories of personal data under Article 9 GDPR, we rely additionally on Article 9(2)(a) (explicit consent), Article 9(2)(b) (employment, social-security, and social-protection law), or Article 9(2)(g) (substantial public interest), as applicable.

U.S. financial-services context

For U.S. members, our use of nonpublic personal financial information is governed by the Gramm-Leach-Bliley Act and Regulation P (12 C.F.R. Part 1016). Our GLBA Privacy Notice, delivered separately, sets out the categories of information collected, the parties with whom information is shared, and your right to opt out of certain disclosures where applicable.

HL Hunt discloses personal information only to the categories of recipients listed below, and only as needed to fulfill the purposes described in Section 4. Each recipient is subject to confidentiality undertakings and, where applicable, a written data processing agreement.

Affiliates and subsidiaries

Within the HL Hunt group, under common ownership and a unified data-governance framework.

Service providers and subprocessors

Vendors and contractors engaged to provide infrastructure, payment processing, identity verification, customer support, analytics, communications, and other operational functions. A current list is published at hlhunt.org/subprocessors.

Banking and payment partners

Sponsor banks, card networks (e.g., Visa, Mastercard, ACH operators), payment processors, and clearing-house participants involved in executing the financial transactions you request.

Consumer reporting agencies

Experian, Equifax, TransUnion, Innovis, and other agencies — to furnish account and payment information consistent with the Fair Credit Reporting Act and our published Data Furnisher Policies.

Regulators, law enforcement, and other public authorities

State financial regulators (including the California Department of Financial Protection and Innovation), the Consumer Financial Protection Bureau, the Financial Crimes Enforcement Network (FinCEN), the Internal Revenue Service, courts, and other authorities, in response to lawful requests, subpoenas, court orders, or as otherwise required by law.

Professional advisers

Attorneys, auditors, accountants, and other professional advisers acting under duties of confidentiality.

Corporate-transaction counterparties

In the context of a merger, acquisition, financing, due diligence, or sale of all or part of our business — subject to appropriate confidentiality undertakings and, where required, data-protection safeguards.

With your direction or consent

Any third party to whom you direct us to disclose your information.

"Sale" and "sharing" under U.S. state privacy laws

HL Hunt does not "sell" personal information in exchange for monetary consideration. Under the broader CCPA / CPRA definitions of "sale" and "sharing for cross-context behavioral advertising," certain disclosures to advertising and analytics partners may technically fall within those definitions. You may opt out of all such disclosures via our Cookie Preference Center, by transmitting a Global Privacy Control signal, or by emailing info@hlhunt.org.

HL Hunt is headquartered in the United States. Certain of our subprocessors are established in the United States or other jurisdictions outside the European Economic Area, the United Kingdom, and Switzerland. Where personal data is transferred from such jurisdictions to a country that has not received an adequacy decision under Article 45 of the GDPR, HL Hunt relies on one or more of the following safeguards under Chapter V of the GDPR:

• The EU-U.S. Data Privacy Framework and the UK Extension, where the receiving organization is certified;
• The European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented as required by a transfer impact assessment;
• The United Kingdom's International Data Transfer Addendum issued by the Information Commissioner's Office;
• The Swiss Federal Data Protection and Information Commissioner's recognition of these mechanisms;
• Other lawful transfer mechanisms permitted under applicable law.

You may request a copy of the relevant transfer mechanism, with confidential commercial information redacted, by emailing info@hlhunt.org.

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, satisfy applicable legal and regulatory obligations, resolve disputes, and enforce our agreements. Retention periods vary by data category and operational context, as outlined below.

Where personal information is no longer required for any operative purpose, we either delete it or irreversibly de-identify it such that it can no longer be associated with an individual. De-identified information may be retained indefinitely for legitimate analytical purposes.

HL Hunt maintains an information-security program designed to protect the confidentiality, integrity, and availability of personal information. The program is documented, periodically reviewed by senior management, and informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the AICPA Trust Services Criteria.

Technical safeguards

• Encryption in transit — TLS 1.3 for all external-facing endpoints; certificate pinning where applicable.
• Encryption at rest — AES-256 for production data stores, with keys managed by a cloud HSM and rotated on a defined schedule.
• Tokenization — primary account numbers (PANs) are stored only in a PCI-compliant portable vault and never traverse HL Hunt's general systems; HL Hunt Pay operates within SAQ-A scope.
• Access controls — least-privilege role-based access, single sign-on, multi-factor authentication for all administrative interfaces.
• Logging and monitoring — centralized logging, automated alerting on anomalous activity, and retention of security telemetry as required by law.
• Vulnerability management — automated dependency scanning, periodic penetration testing, and a coordinated-disclosure path for external researchers.

Organizational safeguards

• Background checks and confidentiality undertakings for all personnel with access to personal information.
• Security and privacy training delivered at onboarding and on a recurring basis.
• A written incident-response plan with defined roles, escalation paths, and notification timelines that meet or exceed those required under applicable law (including the GDPR Art. 33 72-hour controller obligation).
• A SOC 2 controls framework under continuous improvement, with an external attestation roadmap.

Breach notification

In the event of a personal-data breach, HL Hunt will notify affected individuals and relevant supervisory authorities as required by applicable law — including, where applicable, state breach-notification statutes, the GDPR, the UK DPA, the FTC Safeguards Rule, and applicable sectoral rules.

Despite our safeguards, no security program can be entirely free from risk. We do not warrant that personal information is immune from unauthorized access. We do, however, treat any incident with the seriousness it warrants and communicate openly with affected individuals.

Depending on the jurisdiction in which you are located and the legal basis for our processing, you have the following rights with respect to personal information we hold about you. To exercise any right, contact us using the methods described in Section 14. We will respond within the time periods required by applicable law — generally 45 days under U.S. state privacy laws (extendable by 45 days) and one month under the GDPR (extendable by two months).

Verifying your identity

To protect you and prevent fraudulent requests, we will take reasonable steps to verify your identity before fulfilling a rights request, in proportion to the sensitivity of the request. For most requests, verifying the email address associated with your account is sufficient. For deletion or sensitive data requests, we may request additional verification.

Authorized agents

You may designate an authorized agent to make a request on your behalf in accordance with applicable state law. We will require evidence of the agent's authority — typically a signed written authorization or a power of attorney — and may verify your identity directly.

Right to lodge a complaint

If you believe our processing of your personal information violates applicable law, you have the right to lodge a complaint with a supervisory authority. We would appreciate the chance to address your concerns first; please contact us via the channels in Section 14.

HL Hunt uses automated processing — including machine-learning models — to support a number of operational decisions. The most significant such use is Hunt Score, our internal risk-and-underwriting model, which contributes to credit decisions made by HL Hunt Lending LLC.

What automated processing we use

• Credit underwriting — risk scores, debt-to-income calculations, and affordability assessments contributing to approval, decline, pricing, and credit-limit decisions.
• Fraud detection — transaction-level scoring to identify potentially fraudulent activity for human review.
• Identity verification — automated matching of submitted documents against database records.
• Account-health monitoring — signals used to identify members who may benefit from outreach or assistance.

Information used

These models draw upon information you provide, information from consumer reporting agencies, transactional behavior, and inferences derived from that data. Sensitive personal information is not used as a direct input into our credit-scoring or fraud models, except where required for identity verification.

Your rights regarding automated decisions

For decisions producing legal or similarly significant effects (such as a credit decision), you have the right to:

• Obtain human review — request that a qualified individual review the decision and consider additional information you provide;
• Express your point of view — submit information or context you believe is relevant to the decision;
• Contest the decision — challenge the outcome through our dispute-resolution procedures or, where the decision relied on a consumer report, through the dispute procedures specified by the Fair Credit Reporting Act (15 U.S.C. §1681i);
• Receive an explanation — for adverse credit decisions, you will receive an adverse-action notice under Regulation B and FCRA §615, identifying the principal reasons.

To exercise any of these rights, email info@hlhunt.org.

HL Hunt's services are not directed to children. We do not knowingly collect personal information from individuals under the age of 18 in connection with our consumer financial products, which are restricted by law to adults. We do not knowingly collect personal information from individuals under the age of 13 for any purpose, consistent with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§6501–6506).

If we learn that we have inadvertently collected personal information from a child without verifiable parental consent, we will delete that information promptly. A parent or guardian who believes their child has provided personal information to us should contact info@hlhunt.org immediately.

Consistent with Cal. Civ. Code §1798.120(c), we affirmatively declare that we do not "sell" or "share" the personal information of consumers known to be under 16 years of age.

This Privacy Policy is reviewed on at least a quarterly basis and updated to reflect changes in our practices, technology, applicable law, and our regulatory environment. The version number and effective date at the top of this Policy will always identify the operative version, and a brief change-log will be maintained for transparency.

Where a change is material — for example, a change in the categories of personal information we collect, the purposes for which we use it, or the categories of recipients to whom we disclose it — we will provide prominent advance notice on our website and, where appropriate, by direct notification to registered members. Continued use of our services following the effective date of an updated Policy constitutes your acknowledgment of the changes, though continued use does not waive any right that requires affirmative consent under applicable law.

We encourage you to review this Policy periodically.

If you have questions or concerns about this Privacy Policy, our processing of your personal information, or you wish to exercise any of the rights described in Section 10, please contact our Privacy team:

Regulatory complaints

You also have the right to lodge a complaint with the data-protection authority in your jurisdiction:

• European Union — your national supervisory authority. A list is published by the European Data Protection Board at edpb.europa.eu.
• United Kingdom — the Information Commissioner's Office (ICO) at ico.org.uk.
• California — the California Privacy Protection Agency at cppa.ca.gov or the California Attorney General's Office.
• Other U.S. jurisdictions — your state attorney general's office, and where applicable the Consumer Financial Protection Bureau at consumerfinance.gov/complaint.

We would, however, appreciate the opportunity to address your concerns before you contact a regulator.