Privacy Statement

FACTS: WHAT DO UNIVERSITY BANK, UNIVERSITY LENDING GROUP, LLC, AND UNIVERSITY INSURANCE AND INVESTMENT SERVICES, INC. DO WITH YOUR PERSONAL INFORMATION?

WHY? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

What? The types of personal information we collect and share depend on the product or service you have with us. This information can include:

• Social Security number and income
• Credit history, employment history and credit score
• Assets and mortgage rates and payments

When you are no longer our customer, we continue to share your information as described in this notice.

How? All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons the entities listed above choose to share; and whether you can limit this sharing.

Reasons we can share your personal information:

Do University Bank, University Lending Group, LLC, and University Insurance and Investment Services, Inc. share?

For our everyday business purposes— such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus. - Yes, we share.
Can you limit this sharing? NO

For our marketing purposes— to offer our products and services to you. - Yes, we share.
Can you limit this sharing? NO

For joint marketing with other financial companies - NO
Can you limit this sharing? We don’t share

For our affiliates’ everyday business purposes—information about your transactions and experiences. - Yes, we share.
Can you limit this sharing? NO

For our affiliates’ everyday business purposes—information about your creditworthiness - NO
Can you limit this sharing? We don’t share

For our affiliates to market to you - Yes, we share.
Can you limit this sharing? YES

For nonaffiliates to market to you - NO
Can you limit this sharing? We don’t share

To Limit our sharing: Call the phone numbers listed below.
Please note: If you are a new customer, we can begin sharing your information 30 days from the date we sent this notice. When you are no longer our customer, we continue to share your information as described in this notice. However, you can contact us at any time to limit our sharing.

Questions? Call:

University Bank at 734-741-5858 or 800-368-7987
University Lending Group, LLC at 248-254-7100
University Insurance and Investment Services, Inc. at 734-741-5858 or 800-368-7987

Who is providing this notice?
University Bank, University Lending Group, LLC, and University Insurance and Investment Services, Inc.

How do University Bank, University Lending Group, LLC, and University Insurance and Investment Services, Inc. protect my personal information?
To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.

How do University Bank, University Lending Group, LLC, and University Insurance and Investment Services, Inc. collect my personal information?
We collect your personal information, for example, when you open an account or apply for a loan
give us your income information or provide employment information show your government-issued ID. We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.

Why can’t I limit all sharing?
Federal law gives you the right to limit only sharing for affiliates’ everyday business purposes—information about your creditworthiness affiliates from using your information to market to you sharing for nonaffiliates to market to you. State laws and individual companies may give you additional rights to limit sharing.

What happens when I limit sharing for an account I hold jointly with someone else?
Your choices will apply to everyone on your account

Definitions:

Affiliates: Companies related by common ownership or control. They can be financial and nonfinancial companies.
Our affiliates include financial companies such as University Bank and University Insurance and Investment Services, Inc. and nonfinancial companies, such as University Lending Group, LLC, and Midwest Loan Services, Inc.

Nonaffiliates: Companies not related by common ownership or control. They can be financial and nonfinancial companies.
University Bank, University Lending Group, LLC, and University Insurance and Investment Services, Inc. do not share with nonaffiliates so they can market to you.

Joint marketing: A formal agreement between nonaffiliated financial companies that together market financial products or services to you.
University Bank, University Lending Group, LLC, and University Insurance and Investment Services, Inc. do not jointly market.

Security Statement

University Bank employs the latest in Internet Security and User Authentication to ensure that data being transmitted through the Internet Banking System is secure from unauthorized access. The methods are outlined below.

Digital Ids from VeriSign
University Bank's Internet Banking System uses digital IDs certified by VeriSign, an industry leader in digital identification certificates, to authenticate user information and provide access to the data through the system.

How do digital IDs work?
Digital IDs work off of a matched key setup where the server has a "private" key issued only to the server and a "public" key widely distributed to the bank's customers. A digital ID requires a matched pair of keys that are unique to each other to encrypt and decrypt data. With this setup, transactions created, encrypted, and transmitted by bank customers using the public key can only be decrypted by the other key in the pair running on the server.

Secured Data Transmission
The Internet Banking System combined with digital ID authentication through VeriSign allow the server to implement Secure Sockets Layer (SSL) protocol, the standard technology for secure web-based communications. With SSL, data traveling between the bank and customer is encrypted and can only be decrypted through the pairing of the public and private key pair. SSL capability is built into server hardware and browsers, but requires a digital ID to be functional.

Server Access
Server access is protected using a firewall computer and the leading firewall software, Axent's Raptor. Firewall computers provide secure access to the Web Server and Axent's software by only allowing authorized traffic to hit the Server.

By combining the latest technology with authenticated access to the web server, University Bank makes your Internet Banking transactions secure.

Our Security Procedures

We also take steps to safeguard customer information. We restrict access to your personal and account information to those employees who need to know that information to provide products and services to you. We maintain physical, electronic and procedural safeguards that comply with federal standards to guard your nonpublic personal information.

University Bank may provide access to information, products or services offered on websites that are owned or operated by other companies ("third party websites"). We provide this access through the use of hyperlinks that automatically move you from the University Bank website to the third party site. While we do our best to provide you with helpful, trustworthy resources, University Bank cannot endorse, approve or guarantee information, products, services or recommendations provided at a third party website. Because we may not always know when information on a linked site changes, University Bank is not responsible for the content or accuracy of any third party website. University Bank shall not be responsible for any loss or damage of any sort resulting from the use of a link on its websites nor will it be liable for any failure of products or services advertised or provided on these linked sites.

University Bank offers links to you on an "as is" basis. When you visit a third party website by using a link on a University Bank site, you will no longer be protected by University Bank’s privacy policy or security practices. The data collection, use and protection practices of the linked site may differ from the practices of University Bank sites. You should familiarize yourself with the privacy policy and security practices of the linked website. Those are the policies and practices that will apply to your use of the linked website, NOT University Bank's policies and practices. Here are some tips to help you tell if you have left University Bank website:

- Instead of a University Bank address, the URL of the linked website appears in the location box (or address field) of your web browser.
- The linked website is shown in a new browser window. The appearance of the linked site, including its colors and graphic design, is significantly different from the University Bank site.
- The linked site or page does not appear in a new browser, but you find one or more of the following:
- The logo of a different company in the upper right hand corner or other prominent location on the linked website, along with the words "Powered by", "Brought to you by", or "Provided by".
- The layout and content of the navigation tools on the left-hand side of the linked site or in the header at the top of the new webpage are different from University Bank’s navigation.
- The first navigation link refers to a description of the company that sponsors the website. It may be titled "About (Third Party’s Name)".
- A third party’s privacy policy and terms of use statement are identified instead of University Bank’s. Information in the footer at the bottom of the webpage contains information about a company other than University Bank.

You may not copy, give or sell copies to members of the public; perform or display this work to the public; or modify this work without the copyright owner's prior written permission. University Bank owns the copyrights for all information appearing on this website. If you have any questions, please direct them to information@university-bank.com, or the Copyright Office website at http://www.loc.gov/copyright/.

University Bank® is a registered Trademark of University Bank.

Kids B'Cause™ is a Trademark owned by University Bank and all rights are reserved without University Bank's prior written permission. Respecting the intellectual property on the University Bank website is a condition of visiting.

It is the policy of University Bank that no employee, director, or agent of the bank shall accept anything of value from a customer of the bank or a vendor to the bank other than:

• Gifts of a reasonable value based on a family or personal relationship where that relationship is the obvious motivating factor for the gift.
• Meals, refreshments, entertainment, accommodations, or travel arrangements of a reasonable value provided they are in the course of a meeting or occasion, the purpose of which is to hold bona fide business discussions or to foster better relations, and provided that the expense would be paid for by the bank if not paid for by another party.
• Advertising or promotional material with a value of less than $25.00
• Gifts with a value of less than $50.00 related to commonly recognized events, such as a promotion, religious holiday, wedding or retirement
• Discounts or rebates on merchandise or services that do not exceed those available to other customers of the merchant
• Awards for recognition of service or accomplishment from civic, charitable, educational, or religious organizations
No employee, director, or agent of the bank shall solicit anything of value from any customer of the bank or vendor to the bank.

University Bank has adopted a Code of Ethics, which forbids an employee, director or agent of University to use their bank positions for personal gain.

Newly hired employees will be given a copy of a Code of Ethics that includes guidelines for compliance with the Bank Bribery Act Policy. This Code of Ethics is included in the University Bank Employee Handbook. Employees will sign acknowledgment of receipt of this handbook.

Ethics and Employee Conduct for Personnel Using Data Processing Resources

STATEMENT OF NEED AND DEFINITION
This policy is designed for University Bank and it’s subsidiary companies, including but not limited to Midwest Loan Services and University Insurance and Investment Services, referred to individually and collectively as “University Bank” or “the bank.”
The board of directors recognizes that it is essential to develop standards for ethical employee conduct to protect the bank from possible legal claims, computer crimes, and overall breaches of security policy and procedure.
PURPOSE
The purpose of this policy is to provide guidelines for and to encourage ethical employee conduct with respect to certain data processing related activities. Defining these expectations is essential to the success of the overall security program for University Bank. In addition, the board of directors expects that implementation of this policy will reduce the incidence of computer related crime and protect the bank should a legal claim be made against it.
GENERAL GOAL
The general goal of this policy is to provide guidelines for ethical employee conduct with respect to certain data processing activities. Since many of the issues discussed in this policy affect employees in other departments, it should be shared with all affected departments.

SPECIFIC GOALS
This policy has the following goals:
• Establish guidelines for proper use of electronic mail by employees and for proper monitoring of electronic mail activity by management.
• Develop a classification system for information and define related policy for controlling such information.
• Establish guidelines for proper use of copyrighted and licensed software.
• Establish policy to educate employees on computer viruses and on the use of anti-virus software.
• Establish home computer requirements for certain data processing positions.
• Establish policy on alternative work arrangements.
• Provide a sample employee acknowledgment form to help document employee awareness of policy issues.

POLICY ELEMENTS
Authority
The personal computer/local area network (PC/LAN) administrator and the data processing manager have overall responsibility for monitoring compliance with this policy. However, certain responsibilities may be delegated to middle management personnel who are immediately supervising an employee. In addition, the security administrator has responsibility for enforcing and monitoring compliance with certain portions of this policy. Employees found to be in noncompliance with this policy will be subject to disciplinary action, up to and including suspension or dismissal.
Risk Management
The information systems (IS) steering committee, in managing data processing resources including PC/LAN systems, must have an awareness of various or different types of internal risks, particularly those related to staff conduct and ethics. The board of directors and senior management must be aware of the potential risks that may arise. Disruption to operations due to internal fraud, criminal activities, etc., will impact the organization both in the short term as well as in the future. Different types of risk management techniques should be considered. Not only should management policies and procedures address data processing staff code of conduct issues, but also internal monitoring should offer sufficient scope and coverage to detect risks. In managing the data processing function by establishing the IS steering committee, the board has evaluated various risks. These risks, and their related management techniques, include:
• Compliance risk. Maintaining legal compliance with various appropriate regulations as well as compliance with the organization’s data processing policies and procedures.
• Transaction risk. Impacting earnings or capital due to problems with service or product delivery. Transaction or operational risk occurs in the delivery of all products and services, and it may be addressed through consideration of all aspects of information management, including data input, data processing, and data output. Effective management of people, equipment, forms, data files, and other significant elements of data processing to ensure the integrity and viability of data processing are critical to customers of the organization and the viability of the institution.
• Reputation risk. Developing and retaining marketplace confidence in handling customers’ financial transactions in an appropriate manner, within an acceptable time frame, as well as meeting the emerging needs of the customer base and community, are important to protecting the safety and soundness of the organization.
Definitions
Definitions used in this policy are consistent with terms and acronyms recognized in the data processing industry. It is incumbent on directors and management of the organization to have a familiarity with and understanding of the terms and acronyms to successfully manage the data processing function.
Electronic Mail Practices
Use of electronic mail (e-mail) at University Bank should primarily be for work-related messages. The bank considers all data developed on its systems, including e-mail data, to be property of the bank. Improper use of the e-mail system is a misuse of bank resources.
Executive management may, at their discretion, have access to messages on the e-mail system and may periodically monitor select e-mail transactions. This written policy serves to inform employees that e-mail messages may be monitored.
Classification of Information
University Bank personnel are responsible for the security and control of information belonging to the bank. To define these responsibilities, University Bank has established a classification program for certain classes of information, as discussed below. The originator, or owner of the information, must categorize the data within the following classes:
• University Bank Internal Use Only
Electronic data and information in this category are restricted to use within the bank. Such information may be disclosed or discussed with any University Bank employee. Any intended disclosure outside the bank must receive prior approval by the department manager.
• University Bank Confidential — Sensitive
Electronic data and information in this category are restricted to use by employees who need to know the information to perform their job or assignment. Employees may disclose or discuss this class of information only with other bank employees who also need the information to perform their jobs.
• University Bank Confidential — Classified
Electronic data and information in this category are afforded the highest level of control. This type of information generally has high business sensitivity and disclosure outside the bank could be extremely detrimental to the bank. Employees with access to this information must have a need to know that is predetermined by the originator or owner of the information. Disclosure to other employees requires prior approval by the originator. .Information in this category sent via e-mail should be marked “FOR YOUR EYES ONLY” or some similar statement indicating the high level of security required. Software Copyrights and License Agreements
University Bank uses various purchased software packages, from complex mainframe packages to programs purchased for use on personal computers. This section of the policy generally refers to software packages purchased for use on personal computers. Software used on mainframe systems is subject to similar restrictions, although the practice of copying such software is not as easy or as common.
Packaged software is generally licensed for use rather than sold outright and is normally protected by copyright laws. All employees must be aware of and conform to copyright laws and software licensing agreements for software packages purchased by the bank, particularly in the case of software packages for personal computers. University Bank has adopted a policy of conforming to the restrictions of the copyright laws and licensing agreements of the software vendors. University Bank does not condone the unauthorized duplication of purchased software. Management considers the practice of illegally copying software to be plagiarism and to be ethically wrong. In general, University Bank restricts use of the software package to the particular computer for which it was purchased.
Employees should be guided by software licensing agreements or contracts, which are often attached to the envelope containing the disks. Such agreements generally allow only a single copy for backup purposes. In other words, the software is limited to one user. Employees should also be aware that although the bank purchases software under stand-alone licenses, it might also purchase a network license, which allows more than one user, such as on the local area network operated at the bank.
University Bank management recognizes the seriousness of violating this policy and those penalties for noncompliance, with respect to both legal settlements and negative publicity, continue to increase. The bank also understands that a violation of this policy, breach of a licensing agreement, or copyright infringement could expose it to possibly costly litigation. Further, such outside groups as the Software Publishers Association, the Business Software Alliance, and the Federation Against Software Theft, which may prosecute offenders on behalf of their members, may police enforcement of software licensing. Internally, the security administrator bears responsibility for enforcing and monitoring compliance with this section of the policy.
The PC/LAN administrator will perform periodic compliance reviews, which may include the following actions:
• Comparing software inventory records to physical inventory
• Reviewing physical storage of original, licensed software disks
• Reviewing employee awareness and recognition of this policy
• Reviewing software purchasing, inventory, and controls

Computer Viruses
The proliferation of computer viruses, or malicious logic infecting corporate computer systems, continues to increase. It is the policy of University Bank to educate employees on the potential for spreading computer viruses and to ensure that the bank guards against such viruses. The development of a computer virus is considered an unethical activity. These viruses can have various results on computer systems, ranging from harmless changes to severely damaged files or data. University Bank makes available virus detection software packages to scan a computer system for any suspected virus, should any unusual activity occur on a system. Further, anti-virus protection software should be installed on those systems that access other on line systems outside the bank, such as electronic bulletin board services.

Home Computers
For certain employees in the organization, including individuals who perform systems and programming assignments, University Bank considers home computers to be essential for the proper performance of their jobs. Such employees, and those that become subject to such requirements, will receive letters from the PC/LAN administrator or data processing manager notifying them of this requirement and describing the reasons why the purchase and maintenance of a home computer is considered a condition of employment for that position. The letter will include specifications for the required hardware and software systems. University Bank has drafted this section of the policy in such a way as to enable employees to claim tax deductions for the equipment purchased as a required condition of employment.

Work at Home Arrangements
University Bank supports flexible alternative work programs and currently offers work at home arrangements for select positions in the data processing department. Employees participating in these programs are subject to individualized employment arrangements, which will be reviewed on at least an annual basis. These arrangements will cover such items as the following:
• Equipment needs (e.g., computers and phone lines)
• Supervisory monitoring techniques
• Requirements for periodic in bank workdays and meetings
• Minimum and maximum number of work hours
• Agreements covering on site employer visits to the home work site
Employees with on line access to the bank’s computer systems must adhere to University Bank’s security policy regarding on line activity. The policy governing the installation and on line use of microcomputers from employees’ homes includes the following elements:
• Screening employees who have this privilege
• Limiting the types of activities employees may perform on line from home computers
• Ensuring strict adherence to separation procedures (e.g., returning equipment and terminating access and passwords)

Consequence for Failure to Follow Policy Guidelines
Inappropriate use or misuse of the Internet privileges afforded a bank employee may ultimately expose the organization to civil and criminal penalties and/or liability. While disciplinary actions may take the form of warnings and reminders, depending on the significance of the abuse of privileges, misuse may result in loss of Internet access privileges. Depending on the level of misuse or severity of the abuse, employment probation or even termination may be a consequence.
Examples of inappropriate or abusive activities include:
• Sending message that contain computer viruses
• Using data from any system, internal or external, when the employee does not have authority to access the information
• Using another person’s password
• Allowing another person to use your personal password
• Entering other individuals’ e-mail boxes or reading another person’s e-mail without authorization
• Breaking or attempting to break into systems when the employee does not have authorization to access (also commonly referred to as hacking)
• Sending fictitious messages that could be mistaken for bank official statements, marketing, or materials
• Sending fictitious messages representing to be someone else
• Sending or posting confidential bank information outside the bank or forwarding to unauthorized individuals
• Causing copyright violations
• Using abusive or objectionable language in private or public messages
• Sending or posting libelous statements
• Using the bank’s property and Internet access for personal gain, in non job-related activities or entertainment
• Sending chain letters or participating in betting pools, schemes, etc.
• Sending threats, harassing messages, or other inappropriate or illegal materials, including materials promoting hate, violence, discrimination, or pornography
• Refusing to cooperate with bank management conducting an authorized, reasonable internal security investigation

If bank employees question whether an action or activity via the Internet would violate this policy, then the employee is required to first request supervisor guidance or directions from the electronic banking coordinator.

Attachment A
Employee Acknowledgment

DP Ethics/Security Responsibilities
I hereby acknowledge that as an employee of University Bank, and by using my user ID and password for any University Bank’s on line system, I am responsible for understanding and adhering to ethical and security policies established by the bank. I understand that violations of this policy may be cause for dismissal from the bank. My responsibilities include:
1. Proper control over my password, including:
• Preventing unauthorized use or disclosure of my password
• Changing my password at least every 30 days, as required by University Bank’s security policy
• Randomly selecting passwords that cannot be easily identified with me (e.g., names or initials of family members)
2. Notifying other users if I should learn their password
3. Notifying my manager when I leave employment with University Bank, so that my user ID can be deleted promptly
4. Limiting e-mail use to primarily work-related messages, and being aware that e-mail data are considered bank property and that management may monitor e-mail use
5. Adhering to the policy of control over classified University Bank information
6. Making no unauthorized copies of copyrighted software purchased under a licensing agreement
7. Being aware of computer virus activity and the bank’s policy on the use of anti-virus software

Signature ____________________________ Date ________________________
Name (please print)____________________ Department___________________