VIRGINIA PRIVACY NOTICE PURSUANT TO
VIRGINIA CONSUMER DATA PRIVACY ACT (VCDPA)

EFFECTIVE DATE: February 16, 2024

THIS VIRGINIA PRIVACY NOTICE SUPPLEMENTS OUR GENERAL PRIVACY POLICY AND ONLY APPLIES TO USERS WHO ARE RESIDENTS OF THE STATE OF VIRGINIA AND WHO EITHER (A) RECEIVE SERVICES DIRECTLY FROM USA FUNDING APPLICATIONS (TOGETHER WITH ITS AFFILIATES AND SUBSIDIARIES, “COMPANY,” “WE,” or “US”), OR (B) ARE USERS OF THE SITES.

This Virginia Privacy Notice has been adopted to comply with the Virginia Consumer Data Privacy Act, as amended (together with all applicable regulations, “VCDPA”), and terms defined in the VCDPA have the same meaning when used in this Notice, unless those terms have been otherwise defined in the general Privacy Policy. Accordingly, this Privacy Notice should be reviewed in conjunction with our general Privacy Policy. 3

We do not sell the personal information we collect. However, we share your personal information with our affiliates for purposes of cross-contextual behavioral advertising.

Special Note: The Sites are general audience sites and are not designed or intended to target children younger than 16. We do not knowingly target or collect personal information from any person younger than 16.

What Information Do We Collect and Disclose?

We collect information that identifies or is linked, or could reasonably be linked, directly or indirectly, with a particular consumer (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

Category Examples Collected
A. Personal Information and Identifiers. Real name, postal address, email address, telephone numbers, account name, education, bank account number, credit card number, debit card number, or any other financial information. YES
B. Commercial Information. Information or records for commercial purposes or on behalf of entities, including business plans, financial information, records of personal property, products or services purchased, obtained, or considered, account or other purchasing or consuming histories or tendencies. YES
C. Internet and Network Information. Internet protocol (IP) address, registration date, and one or more cookies that may uniquely identify a user’s browser; internet domain and the specific path, actions and navigation choices; the internet address of the site from which Sites were linked, the time and date the Sites were accessed, and the frequency and duration of visits to the Sites; browsing history, search history, information on users interaction with the Sites or other websites and applications or advertisements; and browser software, operating system and browser language, and information about location and mobile device, including a unique identifier for the mobile device. YES
D. Non-Public Education Information Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. NO
E. Miscellaneous Information Marital status, veteran or military status, gender information, physical or digital photographs, video or audio recordings or data generated therefrom. YES

For the previous 12 months, we have collected the following categories of sensitive personal information:

Category Examples Collected
F. Protected Class Information Personal data revealing mental or physical health condition, or medical treatment or diagnosis by a health care professional, citizenship or immigration status. YES
G. Genetic and Biometric Information. Fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual, or other data generated by automatic measurements of an individual’s biological characteristics. NO
H. Specific Geolocation Information. Physical location or movements or other information derived from technology regarding location or movements. YES

Please Note: Personal data, as defined by the VCDPA, does not include publicly available information from government records, de-identified or aggregated consumer information, or information excluded from the VCDPA’s scope, such as (i) Protected health information (PHI), defined and regulated under HIPAA; (ii) substance use disorder patient records, defined and regulated under the federal substance use disorder data confidentiality statute and rules (42 U.S.C. § 290dd-2; 42 C.F.R. §§ 2.1 to 2.67); (iii) health records, defined and regulated under Virginia's health records privacy law (Va. Code Ann. § 32.1-127.1:03); (iv) clinical trial data governed by human subject research rules; (v) Data derived from PHI or other data processed in the same manner as either (a) PHI processed by a HIPAA-covered entity or business associate; or (b)substance use patient records processed by a program or a qualified service organization as defined by 42 C.F.R. §§ 2.1 to 2.67; (vi) personal data used for public health activities, as authorized by HIPAA; (vii) personal data governed by the Health Care Quality Improvement Act of 1986; (vii) personal data governed by the Patient Safety and Quality Improvement Act; (viii) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994; (ix) personal data regulated by the Family Educational Rights and Privacy Act; (x) personal data regulated by the Farm Credit Act; (xi) Emergency contact information used for emergency contact purposes; (xii) personal data necessary to administer benefits; (xiv) Personal data governed by the federal Fair Credit Reporting Act

Employment Information: Please note that, under the VCDPA, personal data does not include personal data of persons acting in a commercial or employment context. VCDPA further excludes data collected or used within the context of an individual’s role as an employee, an applicant, independent contractor, or as an agent.

How Do We Collect Information? We collect this information from you through information you submit to us or passively by observing your actions relative to the Sites and Services and through cookies and related technologies. We also collect information by gathering, obtaining, receiving, and accessing the information from third parties, including customers, service providers and vendors, auditors, and advisors. For more information regarding our data collection practices please read our general Privacy Policy.

Why Do We Collect and Process Information? We collect and process personal information for business and commercial purposes. To learn more about why we collect and process information, please review our general Privacy Policy.

Why Do We Collect and Process Sensitive Data? We only collect and process Sensitive Personal Data for those exempt purposes set forth in Section 582 of the VCDPA, specifically:

  • comply with federal, state, or local laws, rules, or regulations;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • cooperate with law-enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate federal, state, or local laws, rules, or regulations;
  • investigate, establish, exercise, prepare for, or defend legal claims;
  • provide the Services specifically requested by you, perform a contract to which you are a party, including fulfilling the terms of a written warranty, or take steps at your request prior to entering into a contract;
  • take immediate steps to protect an interest that is essential for the life or physical safety of either you or another person;
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
  • assist another controller, processor, or third party with any of the obligations set forth in Section 582;
  • conduct internal research to develop, improve, or repair our Sites, Services, or technology;
  • effectuate a product recall;
  • identify and repair technical errors that impair existing or intended functionality; and
  • perform internal operations that are reasonably aligned with your expectations or reasonably anticipated based on your existing relationship with us or are otherwise compatible with processing data in furtherance of the provision of the Services specifically requested by you or the performance of a contract to which you are a party.

Do We Share Information With Third Parties? Yes. We take reasonable precautions to be sure that affiliates and non-affiliated third party service providers, to whom we disclose your personally identifiable information are aware of our privacy policies and will treat the information in a similarly responsible manner. Our contracts and written agreements with non-affiliated third party service providers that receive information from us about you prohibit those parties from transferring the information other than to provide the Services that you obtain from us. To learn more about why we share information with third parties please see our general Privacy Policy.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose those corresponding third parties listed below:

Categories of Personal Information Third Parties Disclosed To:
Category A: Personal Information and Identifiers. Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category B: Commercial Information Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category C: Internet and Network Information Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category D: Non-Public Education Information Not Applicable.
Category E: Miscellaneous Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category F: Protected Class Information Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category G: Genetic and Biometric Information Not Applicable.
Category H: Specific Geolocation Information Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.

To learn more about why we share information with third parties, please see our general Privacy Policy.

Do We Sell Your Information? No. Although we share data with third parties as outlined in in the Privacy Policy, we do not sell any of your personal information to any third party.

Do We Share Your Information for Behavioral Advertising Purposes or Otherwise Engage In Behavioural Advertising? Yes. With your consent, we share your personal information for cross-contextual behavioural advertising purposes.

How Do We Protect Personal Data? We protect data using administrative, technical, and physical safeguards. When we use third-party service providers, we ask those providers to implement similar safeguards. However, we cannot guaranty that your information is completely secure either within Company or on the systems of third party service providers.

How Long Do We Keep Your Personal Data? We retain personal data we collect from you when we have an ongoing legitimate business need to do so (i.e., to provide you with the Services you have requested or to comply with applicable legal requirements). When we no longer have an ongoing legitimate business need to process your personal information, we will physically destroy, delete or anonymize it or, if this is not possible, then we will securely store your personal data and isolate it from any further processing until deletion is possible.

What Are My Virginia Consumer Privacy Rights? If you are a Virginia resident and are engaged in a direct business relationship with Company as a consumer for provision of the Sites or Services, you may have the following rights:

  • Right to Access and Data Portability. You may request that we provide to you certain information about our collection and use of your personal information for the 12 month period preceding your request, such as (i) requesting confirmation as to whether or not we collect your personal data and process your personal data, and (ii) accessing or otherwise receiving a copy of your personal data collected by the Company (data portability request), including the categories of personal information we collected about you.

    Though you may request specific pieces of your personal information that we have collected, we may not provide certain information in order to protect the security of such information.

  • Right to Correct Inaccurate Data. Under certain circumstances, you may request that we correct your personal data to the extent that it is inaccurate. We may deny your request depending on factors relating to the nature of the personal data and the processing purposes.
  • Right to Request Deletion. Under certain, limited circumstances, you may request that we delete personal information that we have collected from you or maintain about you. Once we receive your request and confirm your identity, we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining such information is necessary for us or our service providers to:

    • Comply with federal, state, or local laws, rules, or regulations;
    • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
    • Cooperate with law-enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
    • Investigate, establish, exercise, prepare for, or defend legal claims;
    • Provide a product or service specifically requested by a consumer;
    • Perform a contract to which you are a party, including fulfilling the terms of a written warranty, or take steps at your request prior to entering into a contract;
    • Take immediate steps to protect an interest that is essential for the life or physical safety of you or of another natural person;
    • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
    • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities;
    • Assist another controller, processor, or third party with any of the obligations under the VCDPA. Make other internal and lawful uses of that information that are compatible with the context in which you provided it; or
    • We obtained the personal data from a source other than you and we either (i) maintain a record of the deletion request and retain only the minimum data necessary to ensure your personal data remains deleted, or (ii) stop processing your personal data subject to the deletion request, other than processing for purposes excluded by VCDPA from application.

How Do I Submit a Virginia Privacy Rights Request? If you are a Virginia resident and you have a direct business relationship with Company or you otherwise use the Sites, you may make a request pertaining to the rights described above by clicking here for a Request for Disclosure and emailing or sending the Request to the email address or mailing address listed below:

Email Address: support@usafundingapplications.org

Mailing Address: 29L Atlantic Ave #11, Ocean View, DE 19970

PLEASE NOTE THAT YOUR REQUEST WILL NOT BE PROCESSED UNTIL YOUR IDENTITY HAS BEEN VERIFIED. ONCE YOUR IDENTITY HAS BEEN VERIFIED, YOUR REQUEST WILL BE PROCESSED IN ACCORDANCE WITH THE VCDPA. IF NECESSARY, WE WILL PROVIDE ADDITIONAL DETAILS AND DIRECTIONS ON IDENTITY VERIFICATION, AND AS APPROPRIATE, UPON RECEIVING YOUR REQUEST.

With respect to your Virginia Privacy Rights Request, please also note the following:

  • If you choose to email or mail your request, please include “Virginia Privacy Rights Request” in the subject line.
  • We will confirm receipt of your request within 10 business days. If you do not receive confirmation with the 10 business day timeframe, please contact support@usafundingapplications.org.
  • Once we have verified your identity, we will respond to your request within 45 days. If we require more time (up to an additional 45 days), we will notify you in writing of the reason and the extension period.
  • Making a verifiable consumer request does not require you to create an account with us, and we will only use personal information provided in a verifiable consumer request to verify your identity or authority to make the request.
  • Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, as applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from entity to another entity without hindrance, specifically CSV format.
  • We, at our option, may not respond to more than two requests in a 12 month period.
  • We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

What are My Personal Information Sales Opt-Out? We do not sell personal information as defined under the VCDPA.

What are My Personal Information Sharing Opt-Out Rights? To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting Do Not Share My Personal Information. Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information. However, you may change your mind and opt back into personal information sharing at any time by visiting Opting Into Sharing of My Personal Information. You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

What are My Profiling Opt-Out Rights? We do not engage in the automated processing of personal data for purposes of profiling our consumers as defined under the VCDPA.

What are My Sensitive Personal Information Opt-Out Rights? We do not collect or process your sensitive personal data for any purpose except (i) as necessary to perform or otherwise provide the Services to you, and (ii) for those exempt purposes set forth in Section 1304 of the VCDPA.

Do I have Right to Non-Discrimination? We will not discriminate against any consumer who has chosen to exercise their rights under the VCDPA. Unless permitted by the VCDPA, we will not deny you the Services, charge you different prices/rates for the Services (including through granting discounts or other benefit or imposing penalties), provide you a different level of quality of service, or suggest that you may receive a different price or rate for the Services or a different level or quality of Services. However, we can deny you access to our Services if such Services require your personal data that we do not collect or maintain.

However, we may offer you certain financial incentives permitted by the VCDPA that can result in different prices, rates, or quality levels. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. We currently do not provide any financial incentives.

Changes To This Privacy Notice: We reserve the right to amend this Privacy Notice at our discretion and at any time. We may make changes to the Privacy Policy without providing you prior notice. However, after we make any changes to this Privacy Policy, we will give notice to you via (i) the Sites or (ii), where feasible, and at our discretion, contact information available to us. We encourage you to periodically review this Privacy Policy so as to remain informed on how we are protecting your information. YOUR CONTINUED USE OF OUR SITES AND SERVICES FOLLOWING THE POSTING OF CHANGES CONSTITUTES YOUR ACCEPTANCE OF SUCH CHANGES.

How To Contact Us. If you have any questions regarding this Privacy Policy or exercising any of your privacy rights, please contact us at the email address or mailing address listed below:

Email Address: support@usafundingapplications.org

Mailing Address: 29L Atlantic Ave #11, Ocean View, DE 19970