Zions Debt Holdings

• Require strong passwords
• Multi-factor authentication
• Secure our physical infrastructure
• Monitor and secure our network
• Update and patch software immediately
  

Encryption methods used for data protection:

We employ industry-standard encryption techniques to protect user data both in transit and at rest:

• AES-256 Encryption (at rest): Sensitive data such as PII (Personally Identifiable Information) is encrypted using AES-256, a symmetric key encryption algorithm widely used in banking and government systems.
• TLS 1.2+ (in transit): All data transmission is protected using TLS 1.2 or higher to prevent man-in-the-middle attacks.
• Hashing Passwords with Bcrypt: User passwords are hashed using Bcrypt, a slow and adaptive hash function that mitigates brute-force attacks.
• HTTPS Everywhere: The application enforces secure HTTPS connections via HSTS.
• Encrypted API Tokens: Authentication tokens and API keys are stored encrypted and rotated periodically.
• Database Encryption: Sensitive fields in the database are encrypted with OpenSSL, using AES-256 and AES-128 encryption algorithms in CBC (Cipher Block Chaining) mode.
• CAPTCHA / reCAPTCHA Integration: To protect against automated abuse and bot attacks, Google reCAPTCHA is used in user-facing forms.
• Encrypted Backups: All system backups are encrypted using AES and stored in secure, access-controlled environments.
• Signed Cookies & CSRF Tokens: The application ensures session data hasn’t been tampered with to protect against cross-site request forgery attacks. These mechanisms validate the authenticity of user requests and help maintain data integrity throughout user sessions.

Limiting data access: 

This Privacy Policy applies solely to ZDH online information gathering and dissemination practices in connection with this website (collectively, the “Site”), and does not apply to any of our practices conducted offline or outside of the U.S. We do not collect any personally identifiable information from you (e.g., name, address, telephone number, email address) when you use the Site. Should you voluntarily choose to submit or otherwise disclose such information to us, including information submitted or disclosed by mail, telephone, fax or electronically, it is not governed by this Privacy Policy. 

ZDH is committed to protecting your privacy. When you use the Site, you consent to the use of your non-personal information by ZDH in the manner specified in this Privacy Policy. This policy may change periodically, so please check back from time to time. By your continued use of the Site, you consent to the terms of the revised policy. For your information, the date of the last update to this Privacy Policy is August 1, 2024. 

If you have any questions or comments about this Privacy Policy or our practices regarding your non-personally identifiable information, please contact us at the following address: PO Box 878, Spanish Fork UT 84660.

WHAT INFORMATION WE COLLECT AND HOW WE USE THAT INFORMATION 

You may use the Site without disclosing to us any personally identifiable information. We do not collect any personally identifiable information from you (e.g., name, address, telephone number, email address) when you use the Site. If you contact us, we may keep a record of your contact information and correspondence, and we reserve the right to use your contact information, and any other information that you provide to us in your message, to respond thereto. If you wish to change any information submitted to us, please do so by contacting us at the address provided above. 

We may use cookies to collect non-personally identifiable information in connection with the Site. Our web pages may incorporate “pixel tags,” “web 

beacons,” or similar tracking technologies (collectively, “pixel tags”) that allow us or our agents to track the actions of users of the Site. Pixel tags are used to collect non-personally identifiable information, such as the name of your Internet service provider, the IP address of the computer you are using, the type of browser software and operating system that you use, the date and time you access the Site, the website address, if any, from which you linked directly to the Site, the website address, if any, to which you travel from the Site and other similar traffic-related information. We may also aggregate your information with similar data collected from other users to help us improve the Site and the services that we provide through the Site. 

Consumer data will not be transferred to external organizations, even in the event of a sale or transfer of assets.

Monitoring, Enforcement and Legal Requests ZDH has no obligation to monitor the Site or the use of the Site or to retain the content of any user session. However, ZDH reserves the right, at all times, to monitor, review, retain and/or disclose any information, as necessary, to satisfy any applicable law, regulation, legal process or governmental request or to cooperate with law enforcement and other authorities in investigating a claim of illegal activity. We may use IP addresses to identify a user when we feel it is necessary to protect the Site, our service, clients, potential clients or others. 

Other Sites Except as otherwise expressly discussed in this Privacy Policy, this policy only addresses our use and disclosure of information we collect from you. Any email messages and associated information that you send to addresses published on the Site are not governed by this policy. To the extent that you disclose personal or non-personal information to other sites, you are subject to the privacy customs and policies of those sites. We encourage you to ask questions before you disclose any personal information.

CALIFORNIA RESIDENTS: PRIVACY POLICY NOTICE

ZDH will not disclose any information to third parties in violation of the Fair Debt Collection Practice Act. 

This Privacy Policy Notice is intended for California residents pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), and supplements the information contained in the above Privacy Policy. Any terms defined in the CCPA and applicable California Attorney General regulations have the same meaning as used in this Privacy Policy Notice. 

• Information We Collect About You 

We may collect and use personal information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be directly or indirectly linked, with a consumer, device, or household (“personal information”). 

Personal Information does not include: 

• Publicly available information from government records. 
• Deidentified or aggregated consumer information. 
• Information excluded from the CCPA’s scope, such as (but not limited to) information governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the California Confidentiality of Medical Information Act (“CMIA”), the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), California Financial Information Privacy Act (“FIPA”), and the Driver’s Privacy Protection Act of 1994 (“DPPA”). 

We regularly collect (and have collected in the past 12 months) several types of personal information about individuals offline regarding accounts we service, including: name, DOB, address, gender, account number, payment and other financial information, email address, insurance information, SSN, employment information, telephone number, IP address, military or veteran status, audio information, username, publicly available information, and information collected or shared pursuant to HIPAA, FIPA, GLBA, FCRA, DPPA, and/or other applicable privacy laws. We also may collect additional categories of personal information users provide directly to us or our service providers. 

• How Your Personal Information is Collected 

We collect most of this personal information from creditor/clients of accounts receivable or from you or your authorized representative by telephone or written communications. However, we may also collect information: 

• From publicly accessible sources (e.g., property or other government records); 
• From our service providers (e.g., call analytics, information source, skip- tracing, payment processing, mailing, and other vendors) 

• Why We Use or Disclose Your Personal Information 

We regularly use or disclose personal information for one or more of the following business purposes: 

• Fulfill the reason you provided the information. For example, if you share your personal information to make a payment, we will use that information to process your payment. 
• Perform services on behalf of a business or service provider, including maintaining or servicing accounts, providing customer service, processing transactions, verifying customer information, processing payments, providing analytic services, or providing similar services on behalf of the business or service provider 
• Provide you with information or services that you request from us 
• Auditing related to consumer interactions 
• Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity 
• Debugging to identify and repair errors that impair existing intended functionality 
• Short-term, transient use, where the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction 
• Undertaking activities to verify or maintain the quality of a service or device that is owned, made by or for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, made by or for, or controlled by us 
• Respond to law enforcement requests and as required by applicable law or court order 
• As appropriate to protect the rights, property, or safety of us, our clients, or others 
• As described to you when collecting your personal information or as otherwise set forth in the CCPA. 

We will not collect additional categories of personal information or use the personal information we collected for materially different purposes without providing you notice. 

We regularly disclose (and have disclosed in the past 12 months ) several types of personal information about individuals for one or more business purposes, including: name, DOB, address, gender, account number, previous payment and other financial information, email address, insurance information, SSN, employment information, telephone number, IP address, military or veteran status, audio information, username, and information collected or shared pursuant to HIPAA, FIPA, GLBA, FCRA, DPPA, and/or other applicable privacy laws. 

We have not sold your personal information over the last 12 months and will not sell your personal information under the CCPA. 

• Verifiable Consumer Requests for Information 

Upon verification of identity, California residents may in some cases request that a business: 

• Disclose the categories of personal information the business collected about the consumer; 
• Disclose the categories of sources from which the personal information is collected 
• Disclose the categories of personal information that the business sold about the consumer; 
• Disclose the categories of personal information that the business disclosed about the consumer for a business purpose; 
• Disclose the categories of third parties with whom the business shares personal information 
• Disclose specific pieces of personal information the business has collected about the consumer 

A business may charge a different price or rate, or provide a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to you by your personal information. 

For applicable personal information access and portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. 

Please note that we are not required to: 

• Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained; 
• Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; 
• Provide the requested information disclosure to you more than twice in a 12-month period. 
• Provide the requested information disclosure if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf; or 
• Provide the requested information disclosure if a CCPA or applicable exception applies. 

• Right to Request Deletion of Personal Information 

Upon verification of identity, California residents may in some cases request that we delete personal information about you that we collected from you and retained, subject to certain exceptions. 

We may deny your deletion request if we are acting in the role of a service provider to another business regarding the applicable personal information. If we deny your request on that basis, we will generally refer you to the relevant business. In addition, we may deny your deletion request if retaining the information is necessary for us or our service providers to: 

• Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us. 
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. 
• Debug to identify and repair errors that impair existing intended functionality. 
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law. 
• Comply with the California Electronic Communications Privacy Act. 
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent. 
• Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us. 
• Comply with a legal obligation. 
• Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information; or 
• If another CCPA or applicable exception applies. 

• Verifying Your Identity If You Submit CCPA Requests 

If you choose to contact us directly via the designated methods described above to exercise your CCPA rights, you will need to: 

• Provide enough information to reasonably identify you [(e.g., your full name, account number if applicable, and potentially other identifying information]; and 
• Describe your request with sufficient detail to allow us to properly process and respond to your request. 

We are not obligated to make an information disclosure or carry out a deletion request pursuant to the CCPA if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf. 

Any personal information we collect from you in order to verify your identity in connection with your CCPA request will be used solely for the purposes of verification. 

Zions Debt Holdings specializes in purchasing non-performing receivables in all industries.

• Credit Card
• PDL’S
• Installment Loans
• Medical
• Utilities
• Service Agreements

We also participate in the sales of non-performing receivables.