OUR COLLECTION, USE AND RETENTION OF PERSONALLY IDENTIFIABLE FINANCIAL INFORMATION. We collect public and nonpublic information from a variety of sources. This information may include name, address, social security number, telephone number, income, debts, record of paying debts, assets, etc. This information may come directly from our customer through a credit or deposit account application, from a consumer credit report or from transaction information.

We do not ask for, nor do we collect, information that is not useful to us in the administration of an account relationship or the provision of a particular product or service. We use information we collect solely to complete the financial transactions requested.

Once customer information is collected, it is normally retained as part of our record retention program. Federal and state laws prescribe how long information must be retained. Once the federal and state retention requirements have been satisfied, if an account has been paid off or closed, such information is deleted from active computer files at year-end. Paid-off, closed or inactive paper files are maintained for the retention period. Most are destroyed after the retention period has elapsed, but some may be maintained indefinitely. The information stored in these paid-off, closed or inactive files is not shared with third parties.

RESTRICTIONS ON THE DISCLOSURE OF ACCOUNT INFORMATION. We do not share any personally identifiable information with any third parties except:

• As might be required by law;
• As may be necessary to effect, administer or enforce a transaction by our customer;
• At our customer’s specific request; and
• o With other nonaffiliated third parties as permitted by law. Third parties with access to customer information as permitted by law include external auditors, bank examiners, outside counsel, consumer credit reporting agencies and service providers which process or service a financial product or service requested or authorized by the customer.

OUR MAINTENANCE OF ACCURATE INFORMATION. We have established procedures to update information if our customer informs us of a change of information or of inaccurate or incomplete information. We will research all concerns and correct inaccuracies to the extent that we are able. If we discover an inaccuracy or need more information, we will contact our customer to update and verify the information.

NEGATIVE INFORMATION. We may report information about customer account(s) to consumer reporting agencies. Late payments, missed payments or other defaults on an account may be reflected in the customer's credit report.

NOTICE OF DISPUTE REGARDING INFORMATION SUPPLIED TO CONSUMER REPORTING AGENCIES. We do our best to ensure that credit information about our customer account(s) is reported promptly and accurately to consumer reporting agencies. Should a customer ever think that any information being reported is inaccurate, they should let us know. A written notice to us should identify the specific information felt to be inaccurate, supply an explanation as to why it is inaccurate and include all supporting documentation. This information should be sent to: Burke & Herbert Bank & Trust Co., Attn: Credit Administration, Box 268, Alexandria, Virginia 22313-0268. We will advise the outcome of our investigation within 30 days of receiving the inquiry.

LIMITED EMPLOYEE ACCESS TO INFORMATION. The entire Burke & Herbert staff has received training regarding respect for the confidentiality of customer information. Employee access is based on a business need to know. Violation of the principal of confidentiality is grounds for disciplinary action.

SECURITY PROCEDURES TO PROTECT INFORMATION. We are dedicated to protecting customer information. Our processing systems operate in a secure environment that protects customer information from being accessed by unauthorized parties. We evaluate all new technology in terms of customer information security.

MAINTAINING CUSTOMER PRIVACY IN BUSINESS RELATIONSHIPS WITH THIRD PARTIES. We do not provide customer account information or personally identifiable information to third parties for the purpose of independent telemarketing or direct mail marketing or for other purpose than is noted in Item #2. If, in the future, we determine it necessary or advisable to share information with a third party, our customers will be provided with an opportunity to "opt-out". An "opt-out" gives our customers the right to prevent disclosure of personal information to a third party.

INTERNET PRIVACY CONSIDERATIONS. If someone is visiting our website, they will travel through our pages anonymously. We track only the fact that someone has entered the site and has visited certain pages. Someone may use our calculating tools freely as there is no data captured from them. If anyone chooses to participate anonymously in an online survey, the results will be used only for internal marketing purposes. That is, we may use the results to revise a web page or develop a new product or add a service. Our software does not place "cookies" on anyone's PC if they are simply visiting our website.

Customers using "Burke and Herbert Online" and "B&H Pay e" will find that their personal financial information is secured by state-of-the-industry technology, which, as of this writing, is Secure Socket Layer technology (SSL). This encryption process scrambles transferred data into an unrecognizable string of numbers. Burke & Herbert Bank and your computer unscramble the data.

For customers signed up for "Burke & Herbert Online" and "B&H Pay e", we will place three cookies on their PC to verify that the user at the PC has entered a valid ID and PIN. No personal information (such as account number) is stored in a cookie. The first two cookies are merely a string of sequentially assigned numbers. The third is a large random string that allows us to verify that someone isn't trying to impersonate a legitimate user. These cookies are valid for only one session and are discarded when the user logs off. They are replaced the next time the user logs on.

CHILDREN ON THE INTERNET. We respect the privacy of children and do not knowingly solicit or personally collect identifiable information from children. Understanding that children may access our website, we request that minors (defined in the Children's Online Privacy Protection Act as under the age of 13) do not submit any personal information to us online.

DISCLOSING OUR "PRIVACY POLICY" PLEDGE TO OUR CUSTOMERS. We want our customers to be informed about and to understand our commitment to responsible collection, use and retention of confidential information. Our "Privacy Policy Notice" will be provided to every new individual account-holder or loan applicant prior to their establishing a customer relationship. It will be provided to all current customers on an annual basis and in the event of any changes in the policy.

This policy applies only to individuals obtaining financial products or services primarily for personal, family, or household use. We reserve the right to change it, or any supporting or related policies or procedures at any time.