At BND we understand that the protection of consumers' privacy is an important public concern. Accordingly, we have adopted this Privacy Statement to serve as the foundation for our internal privacy policies and procedures. It is our commitment to providing meaningful privacy protection for our customers.

1. Information Quality

   We maintain procedures to assure that the personal information we collect is accurate, up-to-date and as complete as possible. If we obtain information about consumers who are not our current customers, we strive to treat this information in the same manner as we treat information about our existing customers.

2. Use Of Customer Information

   We collect personal information from our customers themselves, from when we provide products or services to our customers, and from consumer reporting agencies and other outside sources. We use personal information only for purposes of administering our business activities, providing service, and making available other products and services to our customers and prospective customers.

3. Do Not Solicit Option

   We recognize that some of our customers do not want to be solicited for offers and promotions from us. So, we provide our customers the option to have their names and addresses removed from our mail and/or telephone solicitation lists. We have procedures that assure a consumer's name, address, and telephone number are removed from our marketing lists.

4. Information Security

   We maintain technical and organizational safeguards to protect the confidentiality of personal information about our customers against (i) unauthorized access or disclosure, and (ii) accidental loss, alteration, or destruction.

5. Maintaining Customer Privacy With Our Business Partners

   We strive to ensure that the companies we use as our business partners support our commitment to privacy protection in their handling of personal data about our customers.

6. Employee Education

   We provide training to our employees about their responsibilities under this Privacy Statement, and we expect them to do their parts in protecting our customers' privacy. We also conduct regular internal audits to support our commitment.

7. Privacy Statement Is Available to Customers

   We want our customers to know about our commitment to providing privacy protection. Therefore, this Privacy Statement is available upon request to customers, shareholders, employees, governmental authorities, and members of the general public.

BND Web Site Privacy

Types of Information

Anytime you visit our Web site, BND may collect and store information about your visit, such as the name of the domain from which you access the Internet (for example, aol.com if you are connected from an America Online account), the date and time of your visit, the Internet address of the Web site you left to visit BND, the names of the pages you visit while at our Web site, and the Internet address of the Web site you then visit. If you are using our online services to access your account information or to complete financial transactions, information about these transactions may be collected and reviewed by BND-authorized individuals.

Collection and Use

When you use various calculators, planners, or questionnaires on our Web site, you may be asked for personal information in order to complete the requested analysis or evaluation. This information may be retained and used by BND.

Electronic technologies assist BND in collecting information when you visit our Web site. The information gained through the use of such technologies may allow us to offer you the kinds of products and services you like and to determine that your visit is in accordance with our Web site Terms of Use.

For example, BND's Web site, like many others, uses "cookies." This small electronic file, which may be written to your hard drive when you visit our Web site, may be used to help BND understand what parts of our Web site visitors find most useful. If you choose, you can set up your Web browser to inform you when cookies are being set or you may choose not to accept cookies. A decision not to accept cookies could limit your access to some of the functionality and services that are available on our Web site.

Online Applications

If you submit an online application, access your personal account information, or send BND an e-mail, BND may enter the information you send into its electronic database. You may also be contacted by BND for additional information. If BND uses a business partner to help it deliver the services to you, your personal information will be retained on either BND's system or its business partner's system in order to provide you with the services you have requested.

Most of the forms on our Web site encrypt the information you send across the Internet to BND and the information we send back to you. If a form requests confidential information, such as your account number, credit card number, or social security number, we will use encryption technology to protect your privacy. If you want to transmit information to BND outside the form, that transmission may not be encrypted and is not necessarily secure against interception. If your communication to BND outside the form is very sensitive or confidential, you may want to call BND or send that communication by regular mail rather than ordinary e-mail.

CALIFORNIA RESIDENTS: PRIVACY POLICY NOTICE

This Privacy Policy Notice is intended for California residents pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), and supplements the information contained in the above Privacy Policy. Any terms defined in the CCPA and applicable California Attorney General regulations have the same meaning as used in this Privacy Policy Notice.

If you have a disability call us as 1-833-397-0311 or write us at Bank of North Dakota 1200 Memorial Highway, PO Box 5509, Bismarck, ND 58506-5509 and we can provide an alternative format for this information.

1. Information We Collect About You

We may collect and use personal information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be directly or indirectly linked, with a consumer, device, or household (“personal information”).

Personal Information does not include:

• Publicly available information from government records.
• Deidentified or aggregated consumer information.
• Information excluded from the CCPA’s scope, such as (but not limited to) information governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the California Confidentiality of Medical Information Act (“CMIA”), the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), California Financial Information Privacy Act (“FIPA”), and the Driver’s Privacy Protection Act of 1994 (“DPPA”).

We regularly collect (and have collected in the past 12 months) several types of personal information about individuals offline regarding accounts we service for other entities, including: name, DOB, address, gender, account number, payment and other financial information, email address, insurance information, Social Security Number, employment information, telephone number, IP address, military or veteran status, audio information, username, commercial information (such as records of property, products, or services purchased, or other purchasing or consuming histories or tendencies), internet activity such as interaction with our website(s) or application(s), inferences drawn from any personal information categories to create a profile about a consumer reflecting the consumer’s preferences, characteristics, aptitudes, or behavior, publicly available information, and information collected or shared pursuant to HIPAA, CMIA, FIPA, GLBA, FCRA, DPPA, and/or other applicable privacy laws. We also may collect additional categories of personal information users provide directly to us, our clients, or our vendors.

2. How Your Personal Information is Collected

We collect most of this personal information from our creditor clients or from you or your authorized representative if you provide it to us. However, we may also collect information:

• From publicly accessible sources (e.g., property or other government records);
• From our vendors (e.g., call analytics, information source, skip-tracing, payment processing, mailing, and other vendors)

3. Why We Use or Disclose Your Personal Information

We regularly use or disclose personal information for one or more of the following business purposes:

• Fulfill the reason you provided the information. For example, if you share your personal information to make a payment, we will use that information to process your payment.
• Perform services on behalf of a business or service provider, including maintaining or servicing accounts, providing customer service, processing transactions, verifying customer information, processing payments, providing analytic services, or providing similar services on behalf of the business or service provider
• Provide you with information or services that you request from us
• Auditing related to consumer interactions
• Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
• Debugging to identify and repair errors that impair existing intended functionality
• Short-term, transient use, where the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction
• Undertaking activities to verify or maintain the quality of a service or device that is owned, made by or for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, made by or for, or controlled by us
• Respond to law enforcement requests and as required by applicable law or court order
• As appropriate to protect the rights, property, or safety of us, our clients, or others
• As described to you when collecting your personal information or as otherwise set forth in the CCPA.

We will not collect additional categories of personal information or use the personal information we collected for materially different purposes without providing you notice.

We regularly disclose (and have disclosed in the past 12 months) several types of personal information about individuals for one or more business purposes, including: name, DOB, address, gender, account number, previous payment and other financial information, email address, insurance information, Social Security Number, employment information, telephone number, IP address, military or veteran status, audio information, username, commercial information (such as records of property, products, or services purchased, or other purchasing or consuming histories or tendencies), internet activity such as interaction with our website(s) or application(s), inferences drawn from any personal information categories to create a profile about a consumer reflecting the consumer’s preferences, characteristics, aptitudes, or behavior, publicly available information, and information collected or shared pursuant to HIPAA, CMIA, FIPA, GLBA, FCRA, DPPA, and/or other applicable privacy laws.

We have not sold your personal information over the last 12 months and will not sell your personal information under the CCPA.

4. Verifiable Consumer Requests for Information

Upon verification of identity, California residents may in some cases request that a business:

• Disclose the categories of personal information the business collected about the consumer;
• Disclose the categories of sources from which the personal information is collected
• Disclose the categories of personal information that the business sold about the consumer;
• Disclose the categories of personal information that the business disclosed about the consumer for a business purpose;
• Disclose the categories of third parties with whom the business shares personal information
• Disclose specific pieces of personal information the business has collected about the consumer
• Disclose any financial incentives offered by the business for collection, sale, or deletion of personal information

Businesses that provide information requested pursuant to the CCPA must provide such information in a readily useable format and allow consumers to transmit the information from one entity to another without hindrance.

A business may charge a different price or rate, or provide a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to you by your personal information.

Please note that we are not required to:

• Carry out information access requests we receive from you if acting as a service provider to another entity regarding such information
• Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
• Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or
• Provide requested information if a CCPA or applicable exception applies.

5. Right to Request Deletion of Personal Information

Upon verification of identity, California residents may in some cases request that a business delete personal information collected from them, subject to certain exceptions.

We may deny your deletion request if we are acting in the role of a service provider to another business regarding the applicable personal information. If we deny your request on that basis, we will generally refer you to the relevant business. In addition, we may deny your deletion request if retaining the information is necessary for us or our client to:

• Complete the transaction for which the personal information was collected, provide a good or service requested by you, as reasonably anticipated within the context of your relationship with the relevant business, or otherwise perform a contract between you and the business.
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
• Debug to identify and repair errors that impair existing intended functionality.
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
• Comply with the California Electronic Communications Privacy Act.
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent.
• Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with the relevant business.
• Comply with a legal obligation.
• Otherwise use your personal information internally in a lawful manner that is compatible with the context in which you provided the information; or
• If another CCPA or applicable exception applies.

California residents may obtain more information about verifiable requests pursuant to the CCPA by contacting us at UASconnect@tsico.com or calling 1-844-870-8701 or write us at University Accounting Service, LLC P.O. 4099 McEwen Road Suite 700 B Farmers Branch, TX 75244.

6. Verifying Your Identity If You Submit CCPA Requests

If you choose to contact us directly via the designated methods described above to exercise your CCPA rights, you will need to:

• Provide enough information to reasonably identify you [(e.g., your full name, account number if applicable, and potentially other identifying information]; and
• Describe your request with sufficient detail to allow us to properly process and respond to your request.

In addition to the exceptions described in this Notice, we are not obligated to make an information disclosure or carry out a deletion request pursuant to the CCPA if we cannot sufficiently verify the identity of the requestor.

If seeking to make a verifiable request under the CCPA on behalf of someone else, we require enough information to reasonably identify the subject of the request (including name and other identifying information) and the subject’s written consent to make the CCPA request on his or her behalf, as consistent with applicable law.

Any personal information we collect from you in order to verify your identity in connection with your CCPA request will be used solely for the purposes of verification.

---