Online Data Privacy Disclosure

InnoFi Auto Finance, LLC — Online Data Privacy Disclosure

Effective Date: May 22, 2026

Last Updated: May 22, 2026

InnoFi Auto Finance, LLC, a Delaware limited liability company doing business as “InnoFi Auto Finance” and “InnoFi” (“InnoFi,” “Company,” “we,” “our,” or “us”), respects your privacy. This Online Privacy Disclosure (this “Disclosure”) describes how we collect, use, share, and protect personal information collected from or about you (i) when you visit https://www.innofi.com or any other website that links to this Disclosure (collectively, the “Website”); (ii) when you apply for, obtain, or service a consumer financing product offered or serviced by us; (iii) when you communicate with us by telephone, email, postal mail, SMS or text message, or live chat; and (iv) otherwise in connection with the products and services we offer (collectively, the “Services”). This Disclosure applies to residents of the United States only.

By accessing the Website or using the Services, you acknowledge that you have read, understood, and accepted this Disclosure. If you do not agree with this Disclosure, please do not use the Website or the Services.

Contents of This Disclosure

This Disclosure is organized into the following parts:

• Part I: Gramm–Leach–Bliley Act Privacy Notice (the “GLBA Notice”), which describes our collection, use, and disclosure of nonpublic personal information about you as our financial-services consumer or customer.
• Part II: Website Privacy Notice, which describes our collection, use, and disclosure of personal information collected through the Website, including from prospective customers and other website visitors, which is not otherwise governed by the GLBA Notice.
• Part III: Your Privacy Rights, which describes the rights you may have under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), and under the comprehensive consumer privacy statutes of Virginia, Colorado, Utah, Texas, Oregon, Montana, Iowa, Delaware, Minnesota, Indiana, and Kentucky, together with the procedures for exercising those rights.
• Part IV: Notices Concerning Other Federal Laws, which addresses the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Telephone Consumer Protection Act, the CAN-SPAM Act, and the Equal Credit Opportunity Act.
• Part V: Additional Information, which addresses retention, security, children’s privacy, international users, changes to this Disclosure, and how to contact us.

Part I. Gramm–Leach–Bliley Act Privacy Notice

InnoFi is a “financial institution” within the meaning of the Gramm–Leach–Bliley Act (15 U.S.C. §§ 6801–6809) and its implementing regulations (the “GLBA”). The GLBA requires us to provide you with this notice describing how we collect, use, and share the nonpublic personal information we obtain in connection with offering or providing a financial product or service to you, your right (if any) to limit such sharing, and our practices for protecting your nonpublic personal information.

Why?

Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

What?

The types of personal information we collect, and share depend on the product or service you have with us. This information can include:

• Social Security number and income;
• account balances and payment history;
• credit history and credit scores; and
• employment information and motor vehicle information.

When you are no longer our customer, we continue to share your information as described in this notice.

How?

All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons InnoFi Auto Finance, LLC (“InnoFi”) chooses to share; and whether you can limit this sharing.

Questions?

Call 1-844-536-3446, email compliance@innofi.com, or write to InnoFi Auto Finance, LLC, Attn: Privacy, 11456 S Temple Drive, Suite 201, South Jordan, UT 84095.

Who we are

Who is providing this notice? InnoFi Auto Finance, LLC, a Delaware limited liability company doing business as “InnoFi Auto Finance” and “InnoFi.”

What we do

How does InnoFi protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings. We also maintain a written information security program that is reviewed and updated periodically, conform our practices to SOC 2 Type II controls and the Payment Card Industry Data Security Standard (PCI DSS), and maintain cyber liability insurance.

How does InnoFi collect my personal information? We collect your personal information, for example, when you:

• apply for financing or a loan;
• give us your contact information;
• provide employment information or your income history;
• make a payment on your account; or
• use your debit or credit card.

We also collect your personal information from others, such as credit bureaus, affiliates (if any), or other companies.

Why can’t I limit all sharing? Federal law gives you the right to limit only:

• sharing for affiliates’ everyday business purposes—information about your creditworthiness;
• affiliates from using your information to market to you; and
• sharing for nonaffiliates to market to you.

State laws and individual companies may give you additional rights to limit sharing. See below for more on your rights under state law.

Definitions

Affiliates. Companies related by common ownership or control. They can be financial and non-financial companies. InnoFi has no affiliates.

Nonaffiliates. Companies not related by common ownership or control. They can be financial and non-financial companies. InnoFi does not share with nonaffiliates so they can market to you.

Joint marketing. A formal agreement between nonaffiliated financial companies that together market financial products or services to you. InnoFi does not engage in joint marketing.

Part II. Website Privacy Notice

This Part II describes how we collect, use, and disclose personal information collected through the Website that is not otherwise governed by the GLBA Notice in Part I. This includes personal information collected from prospective customers, general website visitors, and other individuals who interact with us through the Website.

1. Personal Information We Collect

Depending on how you interact with the Website and the Services, we may collect the following categories of personal information about you:

a. Identifiers and Contact Information

Your real name; postal address; email address; telephone number; online identifiers (including IP address, device identifier, and cookie or similar identifier); account name or username; and Social Security number, driver’s license number, passport number, or state identification number.

b. Commercial Information

Records of products or services purchased, obtained, or considered; purchasing or consuming histories and tendencies; and payment card and financial account information.

c. Internet or Other Electronic Network Activity Information

Information regarding your interaction with the Website, the Services, or an advertisement, including page views, clicks, referring URLs, and similar interaction metadata.

d. Approximate Geolocation

Approximate geolocation information at the city or postal code level, derived from your IP address. We do not collect precise geolocation (within a 1,750-foot radius).

e. Sensitive Personal Information

We collect the following categories of sensitive personal information solely for the limited purposes described in this Disclosure: government-issued identification numbers (including Social Security number, driver’s license number, state identification number, and passport number); financial account number, debit card number, or credit card number in combination with the required access code, security code, or password; and account log-in credentials. We do not collect biometric identifiers, genetic information, health information, information about racial or ethnic origin, information about religious or philosophical beliefs, information about sexual orientation or sex life, information about citizenship or immigration status, information about union membership, or the contents of mail, email, or text messages where InnoFi is not the intended recipient.

f. Other Information

Contact and inquiry data, SMS enrollment data, authentication credentials, and technical metadata, in each case as described elsewhere in this Disclosure.

Much of the information described above, when collected from a consumer or customer in connection with a financial product or service, is treated as nonpublic personal information under the GLBA and is governed by Part I above and not by the state comprehensive privacy laws addressed in Part III.

2. Sources of Personal Information

We collect personal information from the following sources:

• Directly from you, including through credit applications, account servicing forms, online forms, account creation, payment transactions, and your communications with us by telephone, email, postal mail, SMS or text message, or live chat;
• Automatically from your device when you visit the Website, through cookies, web beacons, server logs, and similar technologies;
• From service providers and processors that perform services on our behalf;
• From consumer reporting agencies, including TransUnion, Equifax, and Experian; and
• From list providers and similar third-party data sources, where permitted by law.

3. How We Use Personal Information

We use the personal information described above for the following business and commercial purposes:

• To provide, support, and secure the Services that you have requested, including by servicing your account, accepting payments, and responding to your inquiries;
• To create, authenticate, and maintain your online account, and to administer access controls;
• To process payments and to detect, investigate, and prevent fraudulent, unauthorized, or illegal activity;
• To make underwriting, credit, and account-level decisions (subject to the Fair Credit Reporting Act, the Equal Credit Opportunity Act, and related federal and state consumer credit laws), including profiling for decisions that produce legal or similarly significant effects, as further described in Part IV.E below;
• To perform analytics, testing, and product improvement;
• To comply with our legal and regulatory obligations and to respond to lawful requests from public authorities, including law enforcement, courts, and regulators;
• To enforce our terms and conditions and other contractual rights, and to protect the rights, property, or safety of InnoFi, our customers, or others;
• To evaluate, negotiate, and conduct any merger, acquisition, financing, securitization, sale of assets, or similar transaction involving InnoFi (a “Corporate Transaction”); and
• For any other purpose disclosed to you at the time of collection.

We use sensitive personal information only for the limited business purposes permitted under California Civil Code § 1798.121(d) and Cal. Code Regs. tit. 11, § 7027(m), including: (i) performing the services or providing the goods reasonably expected by an average consumer who requests them; (ii) detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity; (iii) verifying or maintaining the quality or safety of our Services; and (iv) complying with federal, state, or local laws.

4. How We Share Personal Information

We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. We do not engage in targeted advertising as defined under the Virginia Consumer Data Protection Act, the Colorado Privacy Act, or other analogous state laws.

We disclose personal information to the following categories of recipients, in each case for the business purposes described above:

a. Service Providers and Processors

We disclose personal information to service providers and processors that perform services on our behalf and that are contractually restricted from using your personal information for any purpose other than performing the services we have engaged them to perform. Our principal service providers and the categories of services they provide are:

• Consumer reporting agencies (TransUnion, Equifax, and Experian) — furnishing account information and obtaining consumer reports;
• Bloom — credit reporting and Fair Credit Reporting Act compliance support;
• Loanpro — loan servicing, account management, and recordkeeping;
• Repay — payment processing;
• Amazon Web Services — cloud hosting and infrastructure services;
• MongoDB, Inc. — database services;
• Twilio and Workato — SMS and other messaging services;
• Microsoft and Amazon SES — transactional and account-servicing email; and
• A live chat or chatbot widget provider, for handling customer-service inquiries submitted through the Website.

b. Government Authorities, Courts, and Other Legal Recipients

We disclose personal information to regulators, courts, law enforcement, and other government authorities in response to lawful requests, subpoenas, court orders, or other legal process; to comply with applicable law; or to exercise or defend our legal rights.

c. Professional Advisors

We disclose personal information to our auditors, attorneys, consultants, and other professional advisors, subject to obligations of confidentiality.

d. Corporate Transactions

We disclose personal information to actual or prospective counterparties, financing sources, advisors, and their respective representatives in connection with a Corporate Transaction.

e. With Your Consent

We disclose personal information to any other person or entity to whom you have directed or consented to such disclosure.

5. Cookies and Other Tracking Technologies

The Website uses cookies and similar technologies to operate and deliver the Services, to facilitate customer service through a live chat or chatbot widget, and to record certain interaction metadata. The Website does not currently deploy advertising pixels, session replay tools, or cross-context behavioral advertising tags. The Website does not currently deploy a consent management platform.

Most web browsers automatically accept cookies. You may set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of the Website may then be inaccessible or not function properly.

InnoFi recognizes the Global Privacy Control (“GPC”) as a valid opt-out preference signal under the California Consumer Privacy Act, the Colorado Privacy Act, the Texas Data Privacy and Security Act, and other applicable state laws to the extent the data in question falls within the scope of those laws (i.e., is not GLBA-regulated nonpublic personal information). Because we do not sell or share personal information for cross-context behavioral advertising, however, the GPC signal will have limited practical effect on our processing.

6. SMS and Text Messaging

If you provide your mobile telephone number to us as part of a credit application or otherwise, you may receive SMS or text messages from us for account-servicing purposes; including payment reminders, account status updates, and other communications related to your account or application. SMS messages are sent through Twilio and Workato. We rely on the prior express written consent you provide in your executed retail installment sales contract for purposes of the Telephone Consumer Protection Act (47 U.S.C. § 227) and its implementing regulations.

Message and data rates may apply. Message frequency varies. You may revoke your consent and opt out of SMS messages at any time by replying “STOP” to any message, by emailing customercare@innofi.com, or by calling 1-800-892-9925. We will honor revocations of consent in accordance with 47 C.F.R. § 64.1200(a)(10) (FCC 24-24). For help, reply “HELP.” Additional SMS terms are available at https://innofi.com/sms-terms.

We do not share or sell SMS opt-in data or consent with any third party for marketing or promotional purposes. All categories of recipients identified elsewhere in this Disclosure exclude SMS originator opt-in data and consent.

7. Commercial Email

If we send you commercial email messages, we will do so in compliance with the CAN-SPAM Act of 2003 (15 U.S.C. §§ 7701–7713). You may opt out of receiving commercial email messages from us at any time by following the unsubscribe instructions contained in any such message or by contacting us using the information in Part V.6 below.

8. Outbound Telephone Calls

We, or service providers acting on our behalf, may place outbound telephone calls to consumers in connection with the Services. Such calls may be placed by a live agent or, in some cases, with the assistance of soundboard technology. In the future, we may place calls using artificial intelligence-generated voice or simulated voice technology, in which case those calls will be treated as calls using an “artificial or prerecorded voice” for purposes of the Telephone Consumer Protection Act and FCC Declaratory Ruling 24-17 (Feb. 8, 2024), and we will obtain the consents required by 47 U.S.C. § 227(b) and 47 C.F.R. § 64.1200 prior to any such use.

Part III. Your Privacy Rights Under State Law

This Part III describes the rights that you may have under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), and under the comprehensive consumer privacy statutes of Virginia, Colorado, Utah, Texas, Oregon, Montana, Iowa, Delaware, Minnesota, Indiana, and Kentucky.

Each of these statutes contains either an entity-level exemption applicable to financial institutions regulated by the GLBA, or a data-level exemption applicable to personal information collected, processed, sold, or disclosed pursuant to the GLBA, or both. Accordingly, this Part III does not apply to nonpublic personal information addressed in the GLBA Notice in Part I. This Part III applies only to personal information collected through the Website that is outside the scope of those GLBA exemptions, including, for example, personal information collected from prospective customers who do not enter a financial-services relationship with us, information collected from general website visitors, and similar non-GLBA personal information.

1. Notice to California Residents

This Section 1 supplements the rest of this Disclosure and applies solely to natural persons who reside in the State of California.

a. Categories of Personal Information Collected, Disclosed, and Sold

The following table identifies the categories of personal information enumerated in California Civil Code § 1798.140(v) and identifies the categories that we have collected, disclosed for a business purpose, or sold or shared in the preceding 12 months. As noted above, this table excludes nonpublic personal information addressed in the GLBA Notice in Part I.

b. Sources of Personal Information

We collect the foregoing categories of personal information from the sources described in Part II.2 above.

c. Business and Commercial Purposes for Collection

We collect and use the foregoing categories of personal information for the business and commercial purposes described in Part II.3 above.

d. Sale or Sharing of Personal Information; Sensitive Personal Information

We have not sold the personal information of any California consumer in the preceding 12 months. We have not shared the personal information of any California consumer for cross-context behavioral advertising in the preceding 12 months. We do not knowingly sell or share the personal information of any California consumer under the age of 16. We use and disclose sensitive personal information only for the limited purposes described in Part II.3 above.

e. Your California Rights

Subject to verification of your identity and to the limitations described in this Disclosure (including the GLBA data-level exemption), you have the following rights with respect to your personal information:

• Right to know. The right to request that we disclose to you the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected the personal information, the business or commercial purposes for which we collected, sold, or shared the personal information, and the categories of third parties to which we disclosed, sold, or shared the personal information.
• Right to delete. The right to request that we delete the personal information we have collected from you, subject to certain exceptions specified in California Civil Code § 1798.105(d), including exceptions for completing a transaction, detecting security incidents, complying with legal obligations, and other internal uses reasonably aligned with the consumer’s expectations.
• Right to correct. The right to request that we correct inaccurate personal information that we maintain about you.
• Right to opt out of sale or sharing. The right to direct us not to sell or share your personal information. As stated above, we do not sell or share personal information.
• Right to limit use and disclosure of sensitive personal information. The right to limit our use and disclosure of your sensitive personal information to the purposes specified in California Civil Code § 1798.121(a). As stated above, we use sensitive personal information only for purposes permitted under that provision.
• Right of non-discrimination. The right not to receive discriminatory treatment for the exercise of any of the foregoing rights.

f. Shine the Light

California Civil Code § 1798.83 entitles California residents to request once per year and free of charge information about whether we have disclosed certain categories of personal information to third parties for the third parties’ direct marketing purposes in the preceding calendar year. We do not disclose personal information to third parties for the third parties’ direct marketing purposes.

2. Notice to Residents of Other States with Comprehensive Privacy Laws

This Section 2 supplements the rest of this Disclosure and applies to natural persons who reside in the States of Virginia, Colorado, Utah, Texas, Oregon, Montana, Iowa, Delaware, Minnesota, Indiana, or Kentucky.

Subject to verification of your identity, to the limitations described in this Disclosure (including the GLBA entity-level or data-level exemption applicable in your state), and to the specific scope and effective date of the privacy law in your state, you may have the following rights with respect to personal information that we have collected about you:

• The right to confirm whether we are processing your personal information and to access that personal information;
• The right to correct inaccuracies in your personal information, considering the nature of the personal information and the purposes of processing;
• The right to delete personal information that we maintain about you;
• The right to obtain a copy of your personal information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance; and
• The right to opt out of (i) the processing of your personal information for purposes of targeted advertising; (ii) the sale of your personal information; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. As stated above, we do not engage in targeted advertising, we do not sell personal information, and our use of profiling is described in Part IV.E below.

Where required by the law of your state of residence, we will also recognize a universal opt-out mechanism such as the Global Privacy Control, in accordance with applicable law.

3. How to Submit a Consumer Privacy Rights Request

You may submit a consumer privacy rights request through any of the following channels:

• Webform: a consumer privacy rights request form available on the Website;
• Email: customercare@innofi.com;
• Toll-free telephone: 1-800-892-9925; or
• Postal mail: InnoFi Auto Finance, LLC, Attn: Privacy Rights, 11456 S Temple Drive, Suite 201, South Jordan, UT 84095.

4. Verification

We will take reasonable steps to verify your identity before responding to a consumer privacy rights request. Depending on the nature of the request and the personal information requested, verification may include matching the information you provide with the information we maintain about you, verifying your email address or telephone number, requiring you to log in to your account, or requesting additional documentation where legally permitted. We will use the personal information you provide in connection with a verification request solely for verification purposes.

5. Authorized Agents

You may designate an authorized agent to submit a consumer privacy rights request on your behalf. We will require the authorized agent to (i) submit written authorization signed by you; (ii) verify the agent’s own identity; and (iii) provide proof of the agent’s authority to act on your behalf. We may also require you to verify your own identity directly with us and to confirm directly that you provided the agent with permission to submit the request.

6. Response Time

We will confirm receipt of a verifiable consumer privacy rights request within ten (10) business days and will respond to the request within forty-five (45) days of receipt. We may extend the response period one time by an additional forty-five (45) days when reasonably necessary, in which case we will provide you with written notice of the extension and the reason for the extension within the initial forty-five-day period.

7. Appeals

If we deny your request in whole or in part, you may appeal that decision by sending a written appeal to compliance@innofi.com or to the postal address set forth above, with the subject line or notation “Privacy Request Appeal.” We will respond to your appeal within sixty (60) days of receipt and will explain our decision. If the appeal is denied in whole or in part, we will provide you with a method to submit a complaint to the Attorney General of your state of residence.

8. Non-Discrimination

We will not discriminate against you for exercising any of the rights described in this Disclosure. We will not deny you goods or services, charge you different prices, provide a different level or quality of goods or services, or suggest that you will receive a different price or level or quality of goods or services, because you exercised any of your rights under this Disclosure.

Part IV. Notices Concerning Other Federal Laws

A. Fair Credit Reporting Act

InnoFi is a furnisher of information to consumer reporting agencies and a user of consumer reports within the meaning of the Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.) (the “FCRA”). We furnish information about your account, including payment history, to one or more of the nationwide consumer reporting agencies (TransUnion, Equifax, and Experian), and we engage Bloom to support our FCRA compliance program.

As required by 15 U.S.C. § 1681s-2(a)(7), we hereby notify you that we may report information about your account to the nationwide consumer reporting agencies. Late payments, missed payments, or other defaults on your account may be reflected in your credit report.

If you believe that information we have furnished to a consumer reporting agency about you is inaccurate or incomplete, you have the right to dispute that information by submitting a written dispute, together with all supporting documentation, to: InnoFi Auto Finance, LLC, Attn: FCRA Dispute, 11456 S Temple Drive, Suite 201, South Jordan, UT 84095. Your written dispute should identify the specific information that you contend is inaccurate or incomplete, the basis for your belief that the information is inaccurate or incomplete, and any supporting documentation. We will investigate your dispute as required by 15 U.S.C. § 1681s-2(b) and the implementing regulations at 12 C.F.R. Part 1022.

If we take adverse action against you based in whole or in part on information contained in a consumer report, we will provide you with the adverse action notice required by 15 U.S.C. § 1681m and, where applicable, the notice required by the Equal Credit Opportunity Act, 15 U.S.C. § 1691(d).

B. Driver’s Privacy Protection Act

To the extent we obtain or use motor vehicle record information about you, including information drawn from records held by state departments of motor vehicles, we use and disclose such information only for purposes permitted under the Driver’s Privacy Protection Act (18 U.S.C. §§ 2721–2725) and any applicable state analog, including for use by InnoFi in the normal course of business to verify the accuracy of personal information submitted by you, and, if such information is incorrect, to obtain the correct information, but only in order to prevent fraud by, pursue legal remedies against, or recover a debt or security interest against, you.

C. Telephone Consumer Protection Act

Our use of automated telephone dialing systems, prerecorded or artificial voice (including any future use of AI-generated or simulated voice), and SMS or text messages is governed by the Telephone Consumer Protection Act (47 U.S.C. § 227) and its implementing regulations (47 C.F.R. § 64.1200). The consents you provide to us, and the rules for revoking those consents, are described in Parts II.6 and II.8 above. You may revoke any TCPA consent you have previously provided to us by any reasonable method, including by replying “STOP” to any SMS message, by stating verbally during any call that you do not consent to further calls or messages, or by contacting us using the information in Part V.6 below.

D. CAN-SPAM Act

Our use of commercial email is governed by the CAN-SPAM Act of 2003 (15 U.S.C. §§ 7701–7713). You may opt out of receiving commercial email from us as described in Part II.7 above. Transactional and relationship messages (within the meaning of 15 U.S.C. § 7702(17)) are not subject to the opt-out requirements of the CAN-SPAM Act and may continue to be sent to you in connection with your account and the Services.

E. Equal Credit Opportunity Act and Automated Decision-Making

We may use automated systems to assist in making underwriting, credit, account-level, and similar decisions concerning you (“Automated Decisions”). Automated Decisions may produce legal or similarly significant effects, such as approval or denial of credit, modifications to the terms of a financing product, or other actions that affect your access to financial products and services.

Automated Decisions concerning consumer credit are subject to (i) the Equal Credit Opportunity Act (15 U.S.C. § 1691 et seq.) and Regulation B (12 C.F.R. Part 1002), which prohibit discrimination on the basis of certain protected characteristics and require, in many cases, notification of action taken on a credit application and provision of a statement of the specific reasons for adverse action; and (ii) the Fair Credit Reporting Act, which requires adverse action notices where adverse action is taken based in whole or in part on a consumer report. If you receive an adverse action decision from us, you will receive the notices required under those statutes, which will identify your right to obtain a free copy of the consumer report on which the decision was based, your right to dispute the accuracy or completeness of the report, and the specific reasons for the adverse action.

Part V. Additional Information

1. Retention of Personal Information

We retain personal information for the period necessary to fulfill the purposes described in this Disclosure or as required by applicable federal or state law, regulation, or legal process. Personal information related to a consumer financing account is retained for a period of seven (7) years following the date the account is closed, subject to longer retention required by applicable law (including, without limitation, applicable consumer finance recordkeeping requirements, federal tax recordkeeping requirements, and the books-and-records requirements of state regulators).

In limited circumstances and subject to applicable law, we may retain certain personal information indefinitely where mandated by federal or state law (for example, information required to be retained pursuant to military lending or Servicemembers Civil Relief Act compliance, or information subject to a litigation hold).

2. Information Security

We maintain a written information security program designed to protect the confidentiality, integrity, and availability of personal information. Our program conforms our practices to the Service Organization Control 2 Type II (SOC 2 Type II) framework, the Payment Card Industry Data Security Standard (PCI DSS), and the safeguards required by the Gramm–Leach–Bliley Act Safeguards Rule (16 C.F.R. Part 314) and Regulation P (12 C.F.R. § 1016.13). Our security measures include encryption of personal information in transit and at rest, secure servers and firewalls, access controls, vulnerability assessments, and incident response procedures.

Notwithstanding the foregoing, no security system is impenetrable, and we cannot guarantee that personal information will not be lost, misused, or accessed by unauthorized persons.

3. Children’s Privacy

The Website and the Services are not directed to children under the age of eighteen (18). We do not knowingly collect personal information from children under eighteen (18). If we learn that we have collected personal information from a child under eighteen (18) without verifiable parental consent, we will promptly delete that information. If you believe that we may have collected personal information from a child under eighteen (18), please contact us using the information in Part V.6 below.

4. International Users

The Website and the Services are intended for use by residents of the United States only. We do not knowingly collect personal information from individuals located in the European Union, the European Economic Area, the United Kingdom, Canada, Brazil, or any other jurisdiction outside the United States. If you are accessing the Website or the Services from outside the United States, please note that your information will be transferred to, stored, and processed in the United States.

5. Third-Party Links

The Website may contain links to websites and services operated by third parties. We are not responsible for the privacy practices of any third party, and this Disclosure does not apply to any third-party websites or services. We encourage you to review the privacy policies of any third-party website or service before providing any personal information.

6. Contact Information

If you have any questions or concerns about this Disclosure or our privacy practices, or if you wish to exercise any of the rights described in this Disclosure, please contact us at:

• Privacy Office Email: compliance@innofi.com;
• Privacy Office Toll-Free Telephone: 1-844-536-3446;
• Customer Care Email: customercare@innofi.com;
• Customer Care Telephone: 1-800-892-9925; and
• Postal Mail: InnoFi Auto Finance, LLC, Attn: Privacy, 11456 S Temple Drive, Suite 201, South Jordan, UT 84095.

7. Changes to This Disclosure

We may update this Disclosure from time to time to reflect changes in our privacy practices, changes in applicable law, or for other operational, legal, or regulatory reasons. When we make material changes to this Disclosure, we will update the “Effective Date” and “Last Updated” fields at the top of this Disclosure and will notify you of the material changes by posting a notice on the Website or by other means required by applicable law. Your continued use of the Website or the Services after the effective date of any updated version of this Disclosure will constitute your acceptance of the updated Disclosure to the extent permitted by law.

8. Acknowledgment

By accessing the Website or using the Services, you acknowledge that you have read, understood, and agreed with this Disclosure.