Privacy Policy Guidance for Enova SMB (ISO) Partners - 2023

Legal Disclaimer & Purpose of this Document

This document does not constitute legal advice of any kind, nor does it stipulate or offer exact wording for the privacy policies of Enova's partners.

The document is intended to clarify the expectations Enova has for its partners in terms of privacy disclosures and compliance with privacy regulations. It is also intended to offer resources for further reference and information about privacy policy best practice.

Enova Partnership Requirement

Enova is a publicly traded company with security and transparency obligations to our customers, employees, and shareholders as well as regulatory requirements to comply with.

One way we fulfill these is to draft our own privacy policies in accordance with applicable regulations and make them readily available to those whose information we collect.

Another way is by selecting third party partners who share our commitment to security, transparency, and compliance.

Potential Enova partners must have a privacy policy that accurately describes their data collection and usage practices and may not verbatim copy any of Enova’s or its subsidiaries’ and/or affiliates’ privacy policies. The remainder of this document will explain and clarify what Enova looks for when evaluating a partner's privacy policy.

Enova Partner Requirements Regarding Privacy

Applicable to all partners

1.1

Each partner must have a Privacy Policy explaining their information collection activities and practices to potential customers.

Ex.

Each partner must have a Privacy Policy explaining their information collection activities and practices to potential customers.

1.2

Privacy Policy must be readily available and easily visible to site visitors on the main website.

Ex.

'Privacy Policy' website footer that hyperlinks to a webpage with your privacy policy content.

Tab in settings menu stating 'Privacy Policy' and hyperlinking to a webpage with your privacy policy content.

Privacy Policy should be visible before a site visitor enters any information into a web form and available to them to review at any time (i.e. not just when applying).

1.3

Privacy Policy content must include:

1.3.1

The name of your business

1.3.2

Date of most recent privacy policy update

Ex.

Effective as of Jan 1 2023, last updated Jan 20 2023s

1.3.3

What information you collect

Ex.

Provide a list of the information you collect from merchants, such as name, address, email, date of birth, Social Security Number, bank statements, photo IDs, etc. as applicable

1.3.4

How and why you use the information you collect

1.3.5

Whether you share information with any other entities, and if so, for what purpose (i.e. why do you share this info?)

1.3.6

How you keep the information you collect safe and secure

1.3.7

Whether your site uses cookie or other tracking tools, and if so how those can be opted out of

1.3.8

What rights a consumer has over the information they provide to you, and how they can request these rights

Ex.

Is it possible to opt out of marketing? Can someone make a request to access, delete, or update information that you've collected about them, and if so, how?

Applicable to partners who interact with California-based merchants

Partners who interact with the information of California residents must have all of the above as well as additional measures in order to comply with the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, and its regulations (collectively, the “CCPA”).

2.1

Privacy Policy must be updated every 12 months

2.2

Privacy Policy link must be 'conspicuously' placed on your website's main page

2.3

Privacy Policy content must include:

2.3.1

Categories of Personal Information You Collect

2.3.2

Categories of Sources You Collect Information From

2.3.3

Your Purposes for Collecting Personal Information

2.3.4

Personal Information You've Sold, Shared, or Disclosed (in the Past 12 Months) and Categories of Recipients

Ex.
The CCPA interpretation of 'selling' or 'sharing' information includes certain third party website activities like cookies, retargeting ads, etc.
2.3.5

How Long You Keep the Personal Information You Collect

2.3.6

List of Rights California Residents Have Under CCPA

2.3.7

How California Residents Can Request Their CCPA Rights Regarding Information You Have About Them or Authorize Another Person to Request on Their Behalf