PRIVACY NOTICE

PURSUANT TO THE MONTANA DATA PRIVACY AND SECURITY ACT

Effective Date: 07-01-2024

This Montana privacy notice (“Notice”) pursuant to the Montana Consumer Data Privacy Act, Montana Code Section 30-14-2801 et seq., (“MCDPA”), supplements the information contained in the Privacy Policy of Rausch Sturm LLP (“Rausch Sturm,” “we,” “us,” or “our”), and applies solely to visitors, users, and others who reside in the State of Montana (“consumers” or “you”). Rausch Sturm is a debt collector. This Notice applies to both our online and offline practices. We adopt this Notice to comply with the MCDPA. Any terms defined in the MCDPA have the same meaning when used in this Notice. For questions concerning this Notice or to obtain a copy of this Notice in an alternative format or in Spanish, please call us at 855-517-6279.

A. Consumer Rights

The MCDPA provides consumers with specific rights regarding their personal data. This section describes your rights.

  1. Right of Confirmation:

    You have the right to confirm whether we are processing your personal data and to access the personal data, unless such confirmation or access would require us to reveal a trade secret.

  2. Right to Correct:

    You have the right to correct inaccuracies in your personal data, considering the nature of the personal data and the purposes of the processing of the personal data.

  3. Right to Deletion:

    You have the right to delete personal data about you.

  4. Right to Obtain:

    You have the right to delete personal data about you.

  5. Right to Opt Out:

    You have the right to opt out of the processing of your personal data for purposes of: targeted advertising; the sale of personal data; or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning you.

    We do not process your personal data for any of these purposes. If we intend to process your data for any of these purposes, we will provide you with notification of your rights including opt out rights.

B. Our Duties

  1. The MCDPA requires that we provide you with the following information.
    1. Categories of personal data processed by us:
      • Personal identifying information, like name, address and account number, as well as other identifying information, which we obtain from the consumer’s creditor, credit reports and other skip trace tools, and the consumer;
      • Characteristics such as age, gender, etc., which we obtain from the consumer’s creditor and consumer’s credit report;
      • Retail information, which we obtain from the consumer’s creditor and the consumer’s credit report;
      • Commercial information, including records of personal property;
      • Internet activity regarding online payments and account updates, which we collect if the consumer visits our website or payment portal;
      • Geolocation data, which we obtain from process servers;
      • Recordings, which are made when the consumer has a telephone conversation with us;
      • Professional and employment related information, which we obtain from the consumer’s creditor, credit reporting agencies, the consumer, and other skip trace sources; and
      • Educational information, which we obtain from the consumer’s creditor, credit reporting agencies, the consumer, and other skip trace sources.
    2. Purpose for processing personal data:
      1. Helping to ensure security and integrity to the extent the use of personal data is reasonably necessary and proportionate for these purposes;
      2. Debugging to identify and repair errors that impair existing intended functionality;
      3. Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of consumer’s current interaction with the business, provided that the consumer’s personal data is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with us.
      4. Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
      5. Undertaking internal research for technological development and demonstration.
      6. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
      7. Other business or business operational purposes as follows:
        • Debt collection.
        • To fulfill or meet the reason for which the information is provided. For example, if you provide us with personal data in order for us to process a payment, we will use that information to process said payment.
        • To provide you with information or services that you request from us.
        • To provide you with email or text alerts and other notices concerning our services.
        • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for collections.
        • To carry out our obligations and enforce our rights arising from any contracts entered into between you and our clients, including for collections.
        • To improve our website and present its contents to you.
        • For testing, research, analysis and service development.
        • As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
        • To respond to law enforcement requests and as required by applicable law, court order, governmental regulations, or comply with a court order or subpoena to provide information.
        • As described to you when collecting your personal data or as otherwise set forth in the Florida collection laws.
    3. How you may exercise your rights, including the process by which you may appeal our decision with regard to your request:
      • When you exercise your rights, we will use commercially reasonable methods for authenticating the identity of the person submitting a request to exercise rights.
      • We will notify you if we cannot, using commercially reasonable methods, authenticate your request without additional information from you.
      • When you exercise your rights, we will respond without undue delay, which may not be later than 45 days after the date of the receipt of the request. We may extend the response period once by an additional 45 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as we inform you of the extension within the initial 45-day response period, together with the reason for the extension.
      • If we cannot take action regarding your request, we must inform you without undue delay, which may not be later than 45 days after the date of receipt of the request, of the justification for the inability to take action on the request and provide instructions on how to appeal the decision.
      • We have established an appeal process by which you may appeal any refusal of ours to take action on a request. We will inform you in writing of any action taken or not taken in response to an appeal within 60 days after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision. If we deny the appeal, we will provide or specify information that enables you to contact the Attorney General to submit a complaint.
    4. Categories of personal data that we share with third parties:
      • Personal identifying information
      • Characteristic information
      • Retail information
      • Professional or employment related information
    5. Categories of third parties with whom we share personal data:
      • Service providers and contractors.
      • Third parties to whom you or your agents authorize us to disclose your personal data in connection with products or services we provide to you.
    6. Description of the methods by which consumers can submit requests to exercise their consumer rights or appeal our refusal to take action:
      • Submission: To exercise the rights described above, please submit a verifiable consumer request to us by either:
  2. We do not sell personal data. If, in the future, we anticipate selling your personal data, we will provide you with the required information pursuant to the MCDPA, including any applicable opt out rights.
  3. We limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed.
  4. We have established, implemented and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
  5. We do not process personal data that is not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed or disclosed.
  6. We do not discriminate against you for exercising any of your rights as set forth herein.

C. Limitations

The above rights and duties may be limited if any of the following apply:

  1. We are both a controller and a processor as those terms are defined by the MCDPA. A processor that is a controller shall comply with the MCDPA with regard to any personal data that it collects or maintains outside of its role as a processor. Most of the personal data that we collect or maintain is done in the context of our role as a processor. If we deny your verified request pursuant to this notice because all of the information collected or maintained about you has been pursuant to our role as a processor, we will provide you with the contact information of the business on whose behalf we collect or maintain the information.
  2. The MCDPA does not apply to:
    • A body, authority, board, bureau, commission, district or agency of this state or any political subdivision of the state;
    • A nonprofit organization;
    • An institution of higher education;
    • A national securities association that is registered under 15 USC 78o-3 of the federal Securities Exchange Act of 1934, as amended;
    • A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 USC 6801, et seq.;
    • A covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.103;
    • Protected health information under the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996;
    • Patient-identifying information for the purposes of 42 USC 290dd-2;
    • Identifiable private information for the purposes of the federal policy for the protection of human subjects of 1991, 45 CFR, part 46;
    • Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use;
    • The protection of human subjects under 21 CFR, parts 6, 50, and 56, or personal data used or shared in research as defined in the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 164.501, that is conducted in accordance with research conducted in accordance with applicable law;
    • Information and documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 USC 11101, et seq.;
    • Patient safety work products for the purposes of the Patient Safety and Quality Improvement Act of 2005, 42 USC 299b-21, et seq., as amended;
    • Information derived from any of the healthcare related information that is:
      • Deidentified in accordance with the requirements for deidentification pursuant to the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996; or
      • Included in a limited data set as described in 45 CFR 164.514 (e), to the extent that the information is used, disclosed, and maintained in a manner specified in 45 CFR 164.514 (e).
    • Information originating from and intermingled to be indistinguishable with or information treated in the same manner as exempt information that is maintained by a covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.6.103, or a program or qualified service organization, as specified in 42 USC 290dd-2, as amended;
    • Information used for public health activities and purposes as authorized by the federal Health Insurance Portability and Accountability Act of 1996, community health activities, and population health activities;
    • The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 USC 1681, as amended;
    • Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 USC 2721, et seq., as amended;
    • Personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 USC 1232g, et seq., as amended;
    • Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1993, 12 USC 2001, et seq., as amended;
    • Data processed or maintained:
      • By an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party to the extent that the data is collected and used within the context of that role;
      • As the emergency contact information of an individual and used for emergency contact purposes only; or
      • That is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information and is used for the purpose of administering the benefits; and
    • Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as those terms are used in the Airline Deregulation Act of 1978, 49 USC 40101, et seq., as amended, by an air carrier subject to the Airline Deregulation Act of 1978, to the extent preempted by the Airline Deregulation Act of 1978, 49 USC 41713, as amended.
  3. Compliance would restrict our ability to:
    • Comply with federal, state, or municipal ordinances or regulations;
    • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other government authorities;
    • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or municipal ordinances or regulations;
    • Investigate, establish, exercise, prepare for, or defend legal claims;
    • Provide a product or service specifically requested by a consumer;
    • Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
    • Take steps at the request of a consumer prior to entering a contract;
    • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual and when the processing cannot be manifestly based on another legal basis;
    • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions;
    • Engage in public or peer reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines or similar independent oversight entities that determine:
      • Whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
      • The expected benefits of the research outweigh the privacy risks; and
      • Whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification;
    • Assist another controller, processor, or third party with any of their obligations; or
    • Process personal data for reasons of public interest in public health, community health, or population health, but solely to the extent that the processing is:
      • Subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
      • Under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.
  4. Compliance would adversely affect the rights or freedoms of any person, including the right of free speech;
    • Conduct internal research to develop, improve, or repair products, services, or technology;
    • Effectuate a product recall;
    • Identify and repair technical errors that impair existing or intended functionality; or
    • Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with us or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
  5. Compliance would violate an evidentiary privilege under the laws of this state;
  6. Compliance would:
    • Impose any obligation on us that adversely affects the rights or freedoms of any person, including but not limited to the rights of any person:
      • To freedom of speech or freedom of the press guaranteed in the first amendment to the United States constitution; or
      • Under rule 504 of the Montana Rules of Evidence; or
    • Apply to a person's processing of personal data during the person's personal or household activities.
  7. Compliance would prevent us from processing to the extent that the processing is:
    • Reasonably necessary and proportionate to the purposes allowed by MCDPA; and
    • Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed allowable under the MCDPA.

D. Changes To Our Privacy Notice

This Notice was last updated on 10-01-2024. We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will notify you by updating the “last updated” date on this notice.

This communication is from a debt collector.