Serving Western Pennsylvania since 1892 · FDIC Insured · Equal Housing Lender · Customer service: 1-888-374-9842

NexTier Bank Privacy Commitment — Data, Cookies & Customer Rights

Every element of the NexTier Bank privacy framework, drawn from the Gramm-Leach-Bliley Act, Regulation P, CCPA and CPRA California provisions, the FTC Safeguards Rule and Pennsylvania Department of Banking disclosures. Data categories, retention, third-party sharing, cookies and customer rights — all in one place.

The Gramm-Leach-Bliley Framework

Zero-click summary: NexTier Bank privacy practices sit under the Gramm-Leach-Bliley Act and Regulation P, with the annual privacy notice documenting every data category and use.

The Gramm-Leach-Bliley Act of 1999 establishes the foundational privacy framework that governs every federally-regulated financial institution in the United States — including NexTier Bank. Under GLBA and its implementing Regulation P, customers receive an annual privacy notice that documents every category of nonpublic personal information collected, the purposes for which it is used, and any third parties with which it may be shared. The notice also describes the customer's opt-out rights for specific sharing categories and explains how to exercise those rights.

GLBA segments customer information into three regulatory categories. Nonpublic personal information is the broad category covering any data collected in connection with providing a financial product or service — account balances, transaction history, credit history, contact details, income information and the like. Publicly available information is data that could be obtained from public records — deed filings, court records, published directories. The most sensitive subset is personally identifying information paired with account or financial data, which is subject to the strictest handling controls under the Interagency Guidelines Establishing Information Security Standards.

At NexTier Bank, the annual privacy notice is delivered at account opening, re-delivered annually in January and re-delivered after any material change to the privacy practices. The notice is also available at every branch, through customer service at 1-888-374-9842 and on this website. The protections page carries the adjacent disclosures on the information-security programme that implements the GLBA framework.

Data Categories Collected

Zero-click summary: NexTier Bank collects identifiers, account information, transaction data, credit information and digital-channel activity — each for a specific service or regulatory purpose.

Data categories collected at NexTier Bank fall into six buckets that together form the customer-information profile. Identifiers include name, address, Social Security number, date of birth, government-issued ID numbers, email and phone — collected at account opening for customer-identification-programme compliance under the USA PATRIOT Act. Account information includes account numbers, deposit and loan balances, product selections and account ownership structure — maintained for the life of the account plus the statutory retention period.

Transaction information includes payments, deposits, withdrawals, card authorizations, wires, ACH transfers, merchant details and dates — retained for at least seven years under Bank Secrecy Act and Internal Revenue Service requirements. Credit information includes credit-bureau reports, credit scores, income verification and underwriting decisions — used for credit decisioning and retained per Fair Credit Reporting Act requirements. Digital-channel activity includes online-banking and mobile-banking session data, device identifiers, IP addresses and feature-usage metrics — collected to operate authentication, fraud-detection and service-delivery functions.

Collection purposes are narrowly defined. Customer information at NexTier Bank is collected to service accounts, fulfill regulatory obligations, prevent fraud, deliver the products the customer has requested, and — in limited circumstances — to offer the customer related products from NexTier Bank itself. Information is not collected for resale, and it is not collected for speculative future uses.

Privacy Framework

  • Gramm-Leach-Bliley Act, Regulation P, Interagency Information Security Guidelines
  • CCPA and CPRA California rights; FTC Safeguards Rule on non-bank affiliates
  • PA Department of Banking and Securities state-level disclosures
  • Annual privacy notice delivered at account opening and every January
  • No sale of customer information to marketing resellers or list brokers
  • Strictly-necessary cookies; limited aggregated analytics; no marketing trackers

Third-Party Sharing

Zero-click summary: NexTier Bank does not sell customer data; third-party sharing is limited to servicing-required partners like card networks, the core banking platform, regulators and audit firms.

The core privacy commitment at NexTier Bank is that customer information is not sold to marketing resellers, list brokers or advertising platforms — not now, not in the past and not contemplated for the future. The only third parties that receive customer information are those essential to delivering the products and services the customer has requested, or those required by regulation. Each sharing relationship is governed by a written agreement that restricts the recipient's use of data to the specified purpose.

Specific third-party categories include payment-network partners (Visa, Mastercard, the national ACH network, Fedwire) that need cardholder or account information to process transactions; the core banking platform vendor that operates the system-of-record under a processor agreement; fraud-detection utilities that screen transactions for anomalies; credit bureaus for credit-reporting under the Fair Credit Reporting Act; external audit firms conducting the annual financial audit and the information-security audit; regulators at the OCC, FDIC, CFPB and Pennsylvania Department of Banking and Securities for examination purposes; and authorized law-enforcement entities executing valid subpoenas or warrants under the Bank Secrecy Act.

The annual privacy notice at NexTier Bank lists every sharing category in plain language and explains the customer opt-out rights where they apply under GLBA. For categories that do not have an opt-out (servicing, regulatory, audit) the notice identifies them explicitly so customers can see the complete scope of sharing. The FAQ hub has the summary; this page has the detailed framework.

Cookies and Digital-Channel Activity

Zero-click summary: NexTier Bank uses strictly-necessary cookies for session, authentication and CSRF protection; limited analytics cookies for aggregate metrics; no marketing trackers.

The NexTier Bank website at nextier.co.com uses three categories of cookies. Strictly-necessary cookies maintain session state, authentication tokens and cross-site-request-forgery protection — these are required for the online banking portal to function and cannot be disabled without breaking sign-in. Analytics cookies collect aggregated, de-identified usage metrics — page visits, click paths, session duration — to inform site improvements; they do not personally identify visitors or tie to account records. Marketing cookies from third-party advertising platforms are not deployed on the site.

Session cookies expire at browser close; persistent cookies used for device recognition (part of the MFA trusted-device flow described in the login guide) expire 30 days after last use or immediately on user revocation through the device-management panel. No cookies are shared with advertising networks, no retargeting pixels are placed, and no behavioural profiles are sold to any external platform. Customers who wish to inspect or control cookies can do so through their browser settings, though disabling strictly-necessary cookies will prevent sign-in to online banking.

Digital-channel activity logs — the list of what the customer does inside online banking or mobile banking — are retained to support fraud detection, dispute research, and regulatory audit. Those logs are stored inside the information-security perimeter, encrypted at rest and accessible only to authorized internal staff under role-based access controls. They are not used for targeted advertising or for any purpose beyond service delivery and regulatory compliance.

California Privacy Rights — CCPA and CPRA

Zero-click summary: California residents have CCPA and CPRA rights — to know, delete, correct and opt out of sale or sharing (not applicable at NexTier Bank since no data is sold).

California residents who are NexTier Bank customers have rights under the California Consumer Privacy Act (CCPA) and its successor amendment, the California Privacy Rights Act (CPRA). Those rights include the right to know what information is collected and how it is used, the right to deletion (subject to regulatory-retention exceptions — BSA, FCRA, IRS record-keeping), the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right to opt out of sale or sharing. The opt-out of sale right does not require action at NexTier Bank because the bank does not sell customer information.

Requests to exercise California privacy rights are accepted through customer service at 1-888-374-9842, through [email protected] email, or in person at any branch. Verification requires the customer to confirm identity through account-specific details — account number plus name, address and date-of-birth match, or in-branch photo ID. Requests are acknowledged within 10 business days and substantively answered within 45 calendar days, extendable by one additional 45-day period with notice.

Customers who believe a California-rights request has been inadequately handled can escalate to the California Attorney General's office, or — if the concern is broader than California rights — to the Consumer Financial Protection Bureau or the Federal Trade Commission. The NexTier Bank privacy officer is available by appointment through customer service for substantive privacy questions that cannot be handled on the first call.

Retention, Deletion and Access

Zero-click summary: NexTier Bank retains records for regulatory windows — 7 years for transactions under BSA, longer for lending — and honours deletion requests for data outside those retention requirements.

Retention schedules at NexTier Bank follow the legal and regulatory framework that governs community banking. Transaction records are retained for a minimum of seven years under Bank Secrecy Act and Internal Revenue Service requirements. Lending records are retained for the life of the loan plus seven years. Deposit-account records are retained for the life of the account plus seven years. Customer-identification-programme records are retained for five years after the account is closed. Information-security audit logs are retained for three to five years depending on category.

Data deletion requests are honoured for information outside the regulatory-retention windows. A customer who closes a deposit account can request that non-essential marketing-preference data be deleted immediately; the transaction records and regulatory-required identification records remain under the statutory retention. After the retention period expires, records are securely destroyed — paper records by cross-cut shredding, electronic records by overwrite on encrypted media. The destruction schedule is audited annually.

Customer access requests — the customer's right to see what information NexTier Bank holds about them — are handled through a formal data-subject access request (DSAR) process coordinated by the privacy officer. The response time target is 30 calendar days for straightforward requests and 60 days for complex requests involving multiple product lines. Fees for duplicate copies of records are disclosed at the time of request and are typically modest (paper-copy reproduction costs).

Pennsylvania and Federal Alignment

Zero-click summary: NexTier Bank privacy disclosures align with PA Department of Banking and Securities requirements, FTC Safeguards Rule for affiliates, and federal banking regulator expectations.

The NexTier Bank privacy framework is audited annually against multiple regulatory reference points. Federal expectations come from the OCC safety-and-soundness examination, the CFPB consumer-compliance examination and the GLBA privacy-notice compliance review. State-level expectations come from the Pennsylvania Department of Banking and Securities at dobs.pa.gov, which reviews consumer disclosures on a cycle synchronized with the federal examinations. The FTC Safeguards Rule extends similar obligations to any non-banking affiliates handling customer data.

Privacy-related customer complaints are handled first through customer service, with unresolved matters escalating to the privacy officer at the Butler headquarters. Customers retain the right to file a complaint directly with the OCC Customer Assistance Group or the CFPB on qualifying matters, and with the Pennsylvania Department of Banking and Securities on state-specific disclosure concerns. The protections page carries the full regulatory-oversight framework.

This privacy commitment is reviewed annually by the NexTier Bank board of directors and updated as the regulatory environment evolves. Customers are notified of material updates via the next-scheduled privacy notice delivery or — for urgent updates — by direct mail or secure-inbox message. Questions about any element of the privacy framework are welcome through customer service at 1-888-374-9842 or at the nearest branch. The commitment dates to the institution's community story and its century-plus record of treating depositor information with care.

Data categories collected at NexTier Bank with purpose and retention

| Data Category | Purpose | Retention |
| --- | --- | --- |
| Identifiers (name, SSN, ID) | USA PATRIOT Act customer-identification-programme compliance | 5 years after account closure |
| Account information | Service delivery, account servicing, regulatory reporting | Life of account + 7 years |
| Transaction data | Payment processing, BSA, IRS reporting, dispute research | 7 years minimum |
| Credit information | Loan underwriting, credit-bureau reporting under FCRA | Life of loan + 7 years |
| Digital-channel activity | Authentication, fraud detection, service improvement | 3-5 years, category-dependent |
| Marketing preferences | Preference tracking, opt-out honouring | Until customer requests deletion |

FAQ about the NexTier Bank Privacy Commitment

Framework & Sharing

What privacy framework applies at NexTier Bank?

NexTier Bank privacy practices sit under the Gramm-Leach-Bliley Act and Regulation P framework, plus the Interagency Guidelines Establishing Information Security Standards. The annual privacy notice documents every category of information collected, how it is used and which third parties (if any) may receive it. California residents receive additional rights under CCPA and CPRA. Pennsylvania disclosures align with the PA Department of Banking and Securities.

Does NexTier Bank sell customer data to third parties?

No. NexTier Bank does not sell customer financial information to marketing resellers, list brokers or advertising platforms. Third-party sharing is limited to servicing-required partners — card networks, the core banking platform, payment-processing utilities, credit bureaus, regulators and audit firms — operating under confidentiality agreements that restrict their use of data to the purpose for which it was shared.

Cookies & California Rights

How does NexTier Bank use cookies?

NexTier Bank uses strictly-necessary cookies to maintain session state, authentication and cross-site-request-forgery protection on the online banking portal. A small number of analytics cookies collect aggregated usage metrics without personally identifying visitors. Marketing cookies from third-party advertising platforms are not deployed. Session cookies expire at browser close; persistent cookies expire after 30 days or on revocation.

What California privacy rights apply to NexTier Bank customers?

California residents who are NexTier Bank customers have rights under the California Consumer Privacy Act and the California Privacy Rights Act — the right to know what information is collected, the right to delete information not required for regulatory retention, the right to correct inaccurate information, and the right to opt out of sale or sharing (which does not apply here since NexTier Bank does not sell). Requests are handled through customer service at 1-888-374-9842.