The categories of personal information we collect depend on how you interact with us, our Services, and the requirements of applicable law. We collect information that you provide to us, including information we collect in our business-to-business relationships, information we obtain automatically when you use our Services, and information from other sources such as third-party service providers, our business partners, and other organizations, as described below. We limit our collection of personal information to only the personal information that is adequate, relevant, and reasonably necessary to serve the purposes specified in this Policy.

A. Personal Information You Provide to Us Directly

We collect the following personal information that you provide to us when engaging with our Services or enter into a business relationship with us (e.g., when you register on our website, use our website or Services, or apply for a financial product; from your transactions with us, including your financial product purchases, repayments, and disbursements; and your communications with us):

Identifiers

• name
• email address
• home address
• telephone number
• date of birth
• Social Security number
• driver’s license or passport number

Commercial Information

• commercial information regarding the solar or home improvement agreement in relation to your financial product or any other business relationship with us

Geographic Information

• Such as the city and state where you are located

Sensitive Personal Information

• bank account information
• driver’s license or passport number
• Social Security number
• U.S. residency and/or immigration status

Other Identifying Information That May Be Collected

• digital signature
• bank account information
• income information

B. Personal Information Collected Automatically

Internet or Other Electronic Activity

• information about your visits to and use of the Services to help us maintain the appropriate features, functionality, and user experience
• IP address, browser type, referral source, length of visit, and page views, through the use of log files
• cookies, pixel tags, local shared objects, or other similar technologies

Audio Information

• voice recordings of telephone conversations with customer service agents

C. Personal Information Collected from Third Parties

Commercial Information

• commercial information from our business partners regarding the solar or home improvement agreement in relation to your financial product or any other business relationship with us

Other Identifying Information Collected

• credit report, credit score, and credit related information from credit bureaus
• public records and other information from service providers for identity verification

We may process your personal information for the following business purposes:

• Transactional: We use your contact information and other identifying information, to provide you with the services and products you request or otherwise maintain our business relationship with you, including:
  • providing and managing Services you have requested making offers of credit on behalf of Mosaic and/or Mosaic’s successors, assignees, affiliates, partners, vendors, representatives, third party lending partners, financial partners, loan brokers, or loan servicing providers
  • assessing your eligibility to invest on the Mosaic platform
  • creating borrower profiles on our website
  • tailoring our services
  • otherwise enhancing features, functionality, and customer experience

• Security: We use your contact information and other identifying information, to provide you with the services and products you request or otherwise maintain our business relationship with you, including:
  • protecting against fraud and security threats, and otherwise managing risks
  • verifying your identity and authenticating your identity

• Marketing: We use your contact information, other identifying information, and internet or other electronic activity for:
  • communicating with you regarding services that may be of interest
  • communicating with other financial companies for joint marketing purposes
  • evaluating and improving the Services and other offerings

• Legal: We use your contact information, other identifying information, demographic information, and inferences for:
  • satisfying legal or regulatory requirements or law enforcement requests
  • detecting and preventing fraud

We use aggregated information in the administration of the Services to improve its usability and to evaluate the success of particular marketing and advertising campaigns, search engine optimization strategies and other marketing activities, as well as for security purposes. We use non-identifying and aggregated information to help optimize the Services based on the needs of our users.

We may also use your personal information for the following business purposes:

• Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
• Helping to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for these purposes.
• Debugging to identify and repair errors that impair existing intended functionality.
• Performing services on behalf of Mosaic, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
• Undertaking internal research for technological development and demonstration.
• Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

• Service Providers: From time to time, we may establish a business relationship with other businesses to provide services to our company (“Service Providers”). For example, we may contract with Service Providers to provide certain services, such as hosting and maintenance, data storage and management, and marketing and promotions. We only provide our Service Providers with the information necessary for them to perform these services on our behalf. Each Service Provider must agree to use reasonable security procedures and practices, appropriate to the nature of the information involved, in order to protect your personal information from unauthorized access, use, or disclosure. Service Providers are prohibited from using personal information other than as specified by us.
• Our Affiliates: We may disclose information with businesses controlling, controlled by, or under common control with Mosaic. If Mosaic is merged, acquired, or sold, or in the event of a transfer of some or all of our assets, we may disclose or transfer your information in connection with such transaction.
• Non-Affiliates: We may disclose your contact information with certain non-affiliated businesses.
• Legal Process: We cooperate with government and law enforcement officials and private parties to enforce and comply with the law. We may disclose information about you to government or law enforcement officials or private parties if, in our discretion, we believe it is necessary or appropriate in order to respond to legal requests (including court orders and subpoenas), to protect the safety, property, or rights of our company or of any third party, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law.
• Secondary Market Transactions: We may disclose information with businesses in relation to financial transactions on the secondary market including but not limited to whole loan sales and securitizations.
• Other Legitimate Business Purposes: We may disclose your information with third parties as appropriate to carry our legitimate business purposes.

Modifying or deleting information about you:

Customers can access information about themselves (such as name, email address, and mailing address) that we collect and maintain by visiting their borrower portal. You can access and review the personal contact information you submit by accessing the borrower portal provided by your loan servicer who may be Mosaic and/or any of Mosaic’s successors, assignees, affiliates, partners, vendors, representatives, third party lending partners, financial partners, or loan servicing providers. To update your personal profile information on Mosaic’s platform, you can log in to your account using your email address and password specified at the time of registration. Click on the “Settings” section of “My Account” and make changes to your profile as necessary. Please note that if the servicing of your loan is transferred to an entity other than Mosaic, then you will have to update your personal profile with your new loan servicer, not Mosaic. You will be provided with notice of any loan servicing transfer in writing. If you believe that information reported by the credit bureau is inaccurate, please contact the credit bureau to make any changes.

All other requests to change or remove information we collect about you can be sent to us at support@joinmosaic.com. We will respond to your request within a reasonable timeframe. We may not be able to modify or delete information in all circumstances. Due to the regulated nature of our industry, we are under legal requirements to retain certain data and are generally not able to delete consumer transactional data upon request. Certain regulations issued by state and/or federal government agencies may require us to maintain and report demographic information on the collective activities of our customers. We may also be required to maintain information about you for at least seven years to be in compliance with applicable federal and state laws regarding recordkeeping, reporting, and audits.

Opt-out of any sharing of your personal information:

Customers may opt-out of any sharing of their personal information, such as name, email address, and mailing address, that we may share with certain non-affiliates from time to time. Any requests to opt-out of any sharing can be sent to us by email at: optout@joinmosaic.com or by calling (810) 678-6881.

We may collect information automatically when you use our Services.

• Automatic Collection of Personal Information. We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile advertising and other unique identifiers, browser or device information, and location information (including approximate location derived from IP address). We may also automatically collect information regarding your use of our Services, such as pages that you visit before, during and after using our Services, information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our Services.
• Cookie Policy (and Other Technologies). We, as well as third parties that provide content, advertising, or other functionality on our Services, may use cookies, pixel tags, session replay, and other technologies (“Technologies”) to automatically collect information through your use of our Services. For example:
  • Cookies. Cookies are small text files placed in device browsers that store preferences and facilitate and enhance your experience.
  • Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in our Services that collects information about engagement on our Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.

Our uses of these Technologies fall into the following general categories:

• • Operationally Necessary. This includes Technologies that allow you access to our Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity, improve security, or allow you to make use of our functionality;
  • Performance-Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services (see Analytics below);
  • Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past items viewed;
  • Advertising- or Targeting-Related. We may use first party or third-party Technologies to deliver content, including ads relevant to your interests, on our Services or on third-party digital properties. See “Your Privacy Choices and Rights” below to understand your choices regarding these Technologies.
  • Analytics. We may use Technologies and other third-party tools to process analytics information on our Services. These Technologies allow us to better understand how our digital Services are used and to continually improve and personalize our Services. Our analytics partners include:
    • Google Analytics. For more information about how Google uses your personal information (including for its own purposes, e.g., for profiling or linking it to other data), please visit Google Analytics’ Privacy Policy. To learn more about how to opt-out of Google Analytics’ use of your information, please click here.
    • LinkedIn Analytics. For more information about how LinkedIn uses your personal information, please visit LinkedIn Analytics’ Privacy Policy. To learn more about how to opt-out of LinkedIn’s use of your information, please click here.

“Do Not Track” and other Opt-Out Preference Signals

Certain laws require that operators of websites disclose how they respond to a “Do Not Track” signal. However, because there is not yet a common understanding of how to interpret Do Not Track signals, we do not currently respond to Do Not Track signals, if any, that we might receive from browsers. We also do not currently respond to other opt-out preference signals, such as the Global Privacy Control (“GPC”). If you have any questions about cookies and other technologies, please visit http://www.allaboutcookies.org/ or http://networkadvertising.org/, or contact us as indicated in the How You Can Contact Us section below.

We are committed to maintaining the security, integrity, accessibility, and confidentiality of your personal information to the extent appropriate for the volume and nature of the personal information. We maintain physical, electronic, and procedural safeguards that meet or exceed industry standards for financial institutions.

We protect your sensitive account information by storing it in encrypted form on computers not publicly accessible via the Internet. We control access to this information via secure web pages and limit access to employees and third parties on a need-to-know basis. We do not allow visibility to Social Security numbers or bank account information via the Services.

We employ firewalls and other security technologies to protect our servers from external attack. We enable our servers with Secure Socket Layer (SSL) technology to establish a secure connection between your computer and our servers, creating a private “conversation” that cannot be viewed or accessed by other parties. We test our systems regularly to ensure that our security mechanisms are up to date.

We also employ session time-outs to protect your account. You will be logged out of the Services automatically after a specified period of inactivity. This time-out feature reduces the risk of others being able to access your account if you leave your computer unattended.

NOTICE TO NEVADA RESIDENTS/YOUR NEVADA PRIVACY RIGHTS

Mosaic currently only shares your personal information as detailed in this Privacy Policy. If you would like to request to opt out from any future exchange of your personal information for money with anyone so that they can license or sell the personal information to additional parties, should Mosaic change its practices and engage them in the future, please email optout@joinmosaic.com. Please title your email “Nevada Opt Out from Sale” and include your full name and email address for the account you are contacting us about. Please only include one request per email message.

NOTICE TO CALIFORNIA RESIDENTS / YOUR CALIFORNIA PRIVACY RIGHTS

Shine the Light

The “Shine the Light” law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their personal information (if any) for the direct marketing purposes of such third parties in the prior calendar year, as well as the types of personal information disclosed to those parties. To obtain this list, please contact us as set forth below.

CALIFORNIA CONSUMER PRIVACY ACT

If you are a California resident, you have certain privacy rights under the California Consumer Privacy Act (“CCPA Rights”) regarding the types of personal information we have collected. This section describes what personal information we have collected, your CCPA Rights, and how you can exercise them with Mosaic. Certain information that Mosaic collects and uses is not subject to CCPA Rights. For example, information that you provide to us or that we otherwise collect when you obtain a financial product as well as information we obtain from or provide to credit reporting agencies is excluded from the CCPA Rights, and this section does not apply to that information.

The categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth in “What Information We Collect” and “Why We Collect Information” above, respectively.

Category of Personal Information Collected by Mosaic	Category of Third Parties Personal Information is Disclosed to for a Business Purpose
Identifiers. For example, your name, email address, mailing address, etc.	Service providers Business partners Affiliates Data analytics providers Government entities
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) For example, your passport number, digital signature, etc.	Service providers Business partners Affiliates
Commercial information For example, this may include the purchase history and information from documents related to such purchases.	Service providers Business partners Affiliates
Internet or other electronic network activity For example, this may include your IP address	Advertising Providers
Geolocation data For example, this may include the city and state you live in	Service Providers Business Partners
Audio Data For example, voice recordings of telephone conversations with customer service agents	Service providers
Inference information For example, profile reflecting a consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	Service providers
Sensitive personal information For example, this includes social security, driver’s license, state identification card, or passport number, etc.	Affiliates Service providers

CCPA Rights

A. Right to Access

You have the right to request, free of charge, that we disclose to you the following information:

• The categories of personal information and sensitive personal information we have collected about you;
• The categories of sources from which the personal information is collected;
• The business or commercial purpose for collection or selling personal information;
• The categories of third parties with whom we share your personal information;
• The specific pieces of personal information we have collected about you; and
• The length of time we intend to retain each category of personal information, or the criteria used to determine such period.

B. Right to Delete

You have the right to request that we delete any personal information about you which we have collected from you. The CCPA provides certain exceptions to the right to have personal information deleted, which may prevent us from honoring such requests. We may not delete all of your personal information if an exception applies, such as one of the following:

• Transactional: to complete a transaction for which the personal information was collected, provide a good or service requested by you, or perform a contract we have with you;
• Security: to detect data security incidents;
• Error Correction: to debug or repair any errors;
• Legal: to protect against fraud or illegal activity or to comply with applicable law or a legal obligation, or exercise rights under the law, such as the right to free speech; or
• Internal Use: to use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information (i.e., to improve our services).

C. Right to Correct

You have the right to request the correction of your personal information where it is inaccurate or incomplete. In some cases, we may provide self-service tools that enable you to update your personal information. This includes the changes made via the “My Account” feature where you can make changes to your profile as necessary.

D. Right to Limit Processing/Opt-Out

You also have the right, at any time, to opt-out if we (i) sell personal information about you to third parties or (ii) share information with third parties for purposes of cross context behavioral advertising. We currently do not sell personal information, including the personal information of consumers under the age of 16; however, our use of tracking online advertising/tracking technologies may constitute sharing for purposes of targeted advertising. Please note that this sharing is limited to the “Internet or Other Electronic Activity” information described above.

In some instances, you also have the right to limit the use and disclosure of certain sensitive personal information. Examples of sensitive personal information include your: precise geolocation, genetic data, ethnic origin, and religious background. Our collection of sensitive personal information is limited to Social Security numbers, driver’s licenses, state identification cards, and passport numbers, and this information is only disclosed to service providers involved in providing the Services. The right to limit the processing of sensitive personal information only applies if the information is being used for certain purposes. We currently do not engage in such processing, and do not use your sensitive personal information to infer characteristics about you.

E. Right to Non-Discrimination

We shall not discriminate or retaliate against you because you exercised any of your CCPA Rights under the law.

Please note that these CCPA Rights may not extend to financial information to the extent such information is subject to the federal Gramm-Leach-Bliley Act (GLBA).

Submitting a Request

To submit a request, please send an email to support@joinmosaic.com with the details of your request. We will verify your identity through our email confirmation procedures. Alternatively, you may call (855) 746-7849 to submit a request.

We will verify your identity through our standard verbal authentication procedures, which includes verification of the following information: account holder’s or applicant’s first and last name, the last four digits of the account holder’s or applicant’s Social Security number, and the account holder’s or applicant’s date of birth.

In order to designate an authorized agent to act on your behalf, written or verbal authorization must be provided through our standard process for accepting third party representation. This process can be initiated by emailing us at support@joinmosaic.com or by calling (855) 746-7849.

If you wish to make multiple requests under this section, we recommend sending the deletion request last, as we will not be able to fulfill your other requests once we have deleted your information.

OTHER STATE PRIVACY LAWS

Based on your state of residence, you may have additional privacy rights, including the right to appeal any action we take in response to your privacy requests by contacting us using the contact information below.

Each time you use our Services, you are indicating your acknowledgment and consent to the collection, use, and disclosure of information about you collected through our Services as set forth in this Policy. This Policy may be updated from time to time. We may revise this Policy without advance notice to you, but we will let you know of any material changes by posting the new Privacy Policy on our website or within the Services with a new effective date. We may obtain any necessary consent from you if so required under applicable law to the extent that we seek to collect, use, or disclose personal information for purposes other than those for which prior consent has been obtained.

Except as stated above, all changes will apply to the personal information that is already collected and to the personal information that is collected after the effective date of the revised Policy. If any proposed change is unacceptable to you, you have the right to revoke your consent and terminate your relationship with us. You are advised to consult this Policy regularly for any changes.

If you use Mosaic’s blog or any other social media feature on Mosaic’s website or Services, you should be aware that any personal information you submit there can be read, collected, or used by other users of such forum, and could be used to send you unsolicited messages. We are not responsible for the personal information you choose to submit in any such forum.

Mosaic’s website and Services may contain links to other sites that we do not own or operate (“third-party websites”). When you use a link online to visit a third-party website, you will be subject to that website’s privacy and security practices, which may differ from ours. You should familiarize yourself with the privacy policy, terms of use, and security practices of the linked third-party website before providing any information on that website. By providing a link to third-party websites, Mosaic does not endorse or accept any liability for the practices of such third-party websites.

We do not knowingly solicit from, and the Services are not intended for, children under 13, and children under 13 should not provide personal information online. If a parent or guardian becomes aware that his or her child under the age of 13 has provided us with information without their consent, he or she should contact us. We will delete such information from our files.

If you have questions or concerns regarding this Policy, please contact:

Solar Mosaic LLC
Attention: Customer Service Department
601 12th Street, Suite 325
Oakland, CA 94607
support@joinmosaic.com