Privacy Policy

Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share and protect your personal information. Please read this notice carefully to understand what we do.

Effective Date: 03/30/2026
Last Updated: 03/30/2026

Introduction

West Tennessee Bank (“Bank,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, store, share, and protect information when you use our products, services, websites, and mobile applications.

This policy applies to all individuals who interact with the Bank’s services, including customers, employees, and business partners. By using our services, you agree to the collection and use of information as described in this policy.

Scope and Applicability

This Privacy Policy applies to all personal information collected through any of the following:

  • Our websites, online banking portal, and digital banking platforms
  • Our mobile applications, including applications distributed through third-party application marketplaces
  • Third-party platform integrations and connected services authorized by you
  • Branch locations, telephone banking, and written correspondence
  • Any other channel through which you interact with the Bank

This policy does not apply to third-party websites or services linked from our platforms. We encourage you to review the privacy policies of any third-party sites you visit.

Privacy Contact Information

West Tennessee Bank has designated a Privacy Officer as the point of contact for all privacy-related questions, requests, complaints, and inquiries. You may contact our Privacy Officer by any of the following methods:

Privacy Officer — West Tennessee Bank

Mailing Address: 56 North Pleasant St. Decaturville, TN 38329
Telephone: 731-852-2821
Email: customerservice@westtnbank.com

We will acknowledge your inquiry within 5 business days and provide a substantive response within 30 calendar days, or within the timeframe required by applicable law.

Personal and Sensitive Information We Collect

The following sections describe all categories of personal and sensitive data we collect, the purposes for which we collect it, and with whom it may be shared.

Identity and Account Information

What we collect: Full legal name, date of birth, Social Security number or Tax ID, government-issued identification, mother’s maiden name, and account credentials such as username, password, and security questions.

Why we collect it: To open and maintain accounts, verify identity, comply with Know Your Customer (KYC) and Bank Secrecy Act (BSA) requirements, and prevent fraud.

Who we share it with: Regulatory agencies as required by law, identity verification service providers, and credit reporting agencies — all under confidentiality agreements.

Financial Information

What we collect: Account numbers, balances, transaction history, payment card information, loan and mortgage details, and income or asset information provided during applications.

Why we collect it: To provide banking products and services, process transactions, assess creditworthiness for loan applications, and comply with financial regulations.

Who we share it with: Payment networks, correspondent banks, loan servicers, and government agencies as required by law. We do not sell financial information to third parties.

Contact and Demographic Information

What we collect: Home and mailing address, email address, telephone numbers, and, where voluntarily provided, demographic information for product matching purposes.

Why we collect it: To communicate with you about your accounts, deliver statements and disclosures, and tailor product offers where you have consented.

Who we share it with: Service providers such as statement printing and mail delivery vendors, under confidentiality agreements.

Device and Technical Information

What we collect: Device identifiers, IP address, browser type and version, operating system, mobile network information, cookie identifiers, application version, and crash or diagnostic data.

Why we collect it: To secure our applications, detect fraudulent access, troubleshoot technical issues, and improve platform performance.

Who we share it with: Cloud hosting providers, fraud detection vendors, and analytics partners — all under data processing agreements that restrict secondary use.

Location Data

What we collect: We may collect the following types of location information, depending on the features you use and the permissions you grant:

  • Precise location (foreground only): Collected when you use the ATM and branch locator feature within our mobile application, and only while the application is in active use. We do not collect precise location data in the background.
  • Approximate location (network- or IP-based): Collected passively as part of fraud detection and session security to verify that account access originates from expected geographic areas.
  • Self-reported location: Address information you provide when opening accounts or updating your profile.

Why we collect it: Precise location is used solely to display nearby branch and ATM locations at your request. Approximate location is used for fraud detection and regulatory compliance.

Who we share it with: We do not sell or share your precise location data with advertisers or data brokers. Approximate location data may be shared with fraud detection service providers under confidentiality agreements.

How to control it: You may deny or revoke location permission at any time through your device’s application settings. Revoking location permission will disable the ATM and branch locator feature but will not affect other banking functions.

Third-Party Integration Data

When you authorize our applications or services to connect with a third-party platform or service, we access only the specific data necessary to provide the feature you have activated. This may include basic profile or account information used to authenticate your identity, or limited access to files or data you explicitly select for a specific Bank service.

We do not request access to third-party platform data for features we have not implemented. All integration permissions are limited to the minimum data necessary for the specific functionality you have chosen to use.

We do not sell, transfer, or use third-party integration data for advertising or for any purpose not disclosed in this policy.

Sensitive Data — Special Categories

We do not intentionally collect special categories of sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, biometric data, or health information unless required by law. If you voluntarily provide such information, we use it only for the stated purpose and protect it with additional safeguards.

How We Use Your Information

We use the information we collect to:

  • Open, maintain, and service your accounts and financial products
  • Process transactions and send related notices or confirmations
  • Comply with legal and regulatory requirements, including the Bank Secrecy Act, USA PATRIOT Act, GLBA, and applicable state banking laws
  • Detect, prevent, and investigate fraud, security incidents, and unauthorized access
  • Respond to your inquiries and provide customer service
  • Improve our products, services, and digital platforms
  • Send you communications about your accounts, services, or policy updates
  • Provide location-based features when you have granted location permission

Information obtained through third-party integrations is used exclusively for the authorized purpose at the time of collection. We will not use such data for any new or different purpose without updating this policy and obtaining your renewed consent.

How We Share Your Information

Permitted Sharing

We may share your information in the following limited circumstances:

  • Service providers: Vendors and partners who assist us in operating our business and providing services to you, subject to confidentiality and data processing agreements that prohibit secondary use
  • Legal requirements: Government agencies, regulators, or law enforcement as required by law, court order, or regulatory obligation
  • Business transfers: In connection with a merger, acquisition, or sale of Bank assets, subject to applicable privacy protections and advance notice to you
  • With your consent: For any other purpose for which you have provided explicit, affirmative authorization

Prohibited Uses and Sharing

Regardless of the platform or integration involved, we expressly prohibit the following:

  • Selling or transferring your personal information to third parties, including data brokers, advertising networks, or information resellers
  • Using your information to serve advertisements of any kind, including targeted, personalized, or interest-based advertising
  • Using third-party integration data for any purpose beyond the specific feature for which you granted access
  • Using your information to create, train, or improve machine learning or artificial intelligence models beyond a personalized feature for your own account
  • Any use not expressly described in this Privacy Policy

Consent and User Control

How We Obtain Consent

When our services request access to your device capabilities or third-party platform account data, we will:

  • Present a clear, prominent disclosure explaining what data is being requested and why, prior to requesting access
  • Require your affirmative action to grant access — we do not interpret navigating away from the consent screen as consent
  • Request only the minimum permissions necessary for the features you are using
  • Notify you and request renewed consent before using your data for any new or expanded purpose

Revoking Access

You may revoke our application’s access to any connected third-party platform at any time through that platform’s account settings.

You may revoke device permissions such as location access at any time through your device’s application settings.

Revoking access will not affect transactions or services already completed, but will prevent future collection of that data. Some features may be unavailable after revocation.

Data Retention and Deletion

We retain personal information only as long as necessary to fulfill the purposes described in this policy, or as required by applicable law and regulation.

Retention Schedule

  • Account and transaction records: Minimum 5 years after account closure, in compliance with the Bank Secrecy Act and applicable federal banking regulations
  • Loan and mortgage records: Life of the loan plus 7 years, or as required by applicable federal or state law
  • Identity verification records (KYC/AML): 5 years after the end of the customer relationship, per BSA requirements (31 C.F.R. § 1020.220)
  • Third-party integration data: Retained only for the duration of the session or feature use for which access was granted; not stored beyond the immediate transaction unless required by law
  • Precise location data: Not retained after the locator session ends; not stored on Bank servers
  • Approximate or IP-based location: Retained up to 90 days as part of fraud detection logs, then deleted or anonymized
  • Marketing and communication preferences: Retained until you opt out or request deletion
  • Device and technical log data: Retained up to 12 months for security and diagnostic purposes, then deleted or anonymized

How to Request Deletion

You may request deletion of your personal data at any time by:

  • Submitting a written request to our Privacy Officer at the contact information in Section 3
  • Using the “Delete My Data” option within our mobile application settings
  • Submitting an online deletion request at customerservice@westtnbank.com

We will acknowledge your deletion request within 5 business days and complete the deletion — or provide a written explanation of any legal retention requirements that prevent full deletion — within 30 calendar days. Data that we are required by law to retain will be flagged as restricted and will not be used for any other purpose.

Data Security

West Tennessee Bank maintains a formal, comprehensive information security program designed to protect the confidentiality, integrity, and availability of customer data. Our security measures include:

Technical Safeguards

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: Sensitive data stored on our servers and in databases is encrypted using AES-256 or equivalent standards
  • Multi-factor authentication (MFA): Required for all customer logins to online and mobile banking, and for all employee access to systems containing customer data
  • Tokenization: Payment card data is tokenized and never stored in full on our systems; we use PCI DSS-compliant payment processors
  • Intrusion detection: Automated systems monitor our networks 24 hours a day, 7 days a week for unauthorized access, anomalous activity, and potential threats

Organizational Safeguards

  • Access controls: Customer data is accessible only to employees and contractors with a documented business need; access is reviewed quarterly and revoked promptly upon role change or termination
  • Employee training: All employees with access to customer data receive annual privacy and security training covering applicable platform and regulatory requirements
  • Vendor management: All third-party service providers who process customer data are subject to written data processing agreements that require equivalent security standards
  • Security assessments: We conduct annual third-party security assessments and regular internal vulnerability scans and penetration tests

Incident Response

In the event of a data breach or security incident affecting your personal information, we will:

  • Notify affected individuals within the timeframe required by applicable state and federal law
  • Notify relevant regulatory agencies as required
  • Provide clear information about what data was affected, what we are doing to address the incident, and what steps you can take to protect yourself

Despite our security measures, no system is completely secure. We encourage you to use strong, unique passwords, enable multi-factor authentication, and contact us immediately if you suspect unauthorized access to your account.

Children’s Privacy and COPPA Compliance

West Tennessee Bank takes children’s privacy seriously and complies with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and the FTC’s COPPA Rule, 16 C.F.R. Part 312.

Our Services Are Not Directed to Children Under 13

Our websites, mobile applications, and digital banking services are not directed to children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13 through any channel or service.

Third-Party Integrations and Children

In compliance with COPPA and applicable third-party platform data policies, we do not enable single sign-on authentication, third-party platform integrations, or any service that accesses data from a connected external account in any application or service directed primarily at children under 13, or where we have reason to know the user is under 13.

Parental Rights

If you are a parent or guardian and believe your child under 13 has provided personal information to us without your consent, please contact our Privacy Officer immediately using the contact information in Section 3. Upon verified request, we will:

  • Review whether the child’s information was collected
  • Delete any such information from our records as promptly as practicable
  • Decline to collect further information from that child

Minors Ages 13–17

Certain banking products, such as custodial savings accounts or student checking accounts, may be used by minors ages 13–17 with parental or guardian co-ownership and consent. In these cases, we collect only the minimum information necessary, apply the same security standards as adult accounts, and do not use the minor’s information for marketing purposes without parental consent.

Your Privacy Rights

Depending on your location and applicable law, you may have the following rights with respect to your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements (see Section 8)
  • Data portability: Receive your data in a structured, machine-readable format
  • Opt-out of certain sharing: Under GLBA, you have the right to opt out of certain information-sharing with non-affiliated third parties
  • Objection: Object to certain processing of your personal information where permitted by law

To exercise any of these rights, contact our Privacy Officer using the information in Section 3. We will respond within the timeframe required by applicable law.

Platform and Application Disclosures

This section provides disclosures relevant to users who access our services through mobile applications or digital platforms.

Data Summary

  • Data shared with third parties: Account data may be shared with regulated service providers as described in Section 6. No data is sold or shared for advertising purposes.
  • Data collected: Identity, financial, device, location (where permission is granted), and third-party integration data as described in Section 4
  • Security practices: Data is encrypted in transit and at rest; you may request data deletion as described in Section 8
  • Children’s data: No personal data is collected from children under 13 (see Section 10)

Application Permissions

Our mobile application may request the following device permissions. Each permission is used only for the purpose described, and only with your explicit grant:

  • Location: Used only for the ATM and branch locator feature while the application is in active use (foreground only)
  • Camera: Used only to capture check images for mobile deposit
  • Biometric authentication: Used only for optional biometric login; biometric data is processed on-device and is not transmitted to or stored by the Bank
  • Internet access: Required for all banking functionality
  • Notification access: Used to deliver account alerts and service updates

You may review and revoke any permission at any time through your device’s application settings.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or applicable platform policies. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this policy
  • Post the updated policy prominently on our website and within our mobile applications
  • Notify you by email or in-app notification for significant changes
  • Where required by applicable law, obtain your affirmative consent before applying changes to how we use your data

We encourage you to review this policy periodically. Your continued use of our services after notice of material changes constitutes your acceptance, to the extent permitted by law.

Governing Law and Regulatory Compliance

This Privacy Policy is governed by and construed in accordance with applicable federal law and the laws of the State of Tennessee. Our privacy practices are designed to comply with:

  • Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801–6809, and the Privacy of Consumer Financial Information Rule (12 C.F.R. Part 1016)
  • Bank Secrecy Act (BSA) and its implementing regulations
  • Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and 16 C.F.R. Part 312
  • Applicable third-party platform and application marketplace data policies
  • Applicable Tennessee state privacy and banking laws
  • Applicable federal banking regulations issued by the FDIC, Federal Reserve, OCC, and CFPB