Data Privacy Notice for Media and Investor Contacts

Last Update: July seventeenth twenty twenty six

This Privacy Notice explains how Bank of America (under legal entity Bank of America, N A) collects, uses, shares and protects personal information for distribution of market research, financial materials, press releases, and S E C filings, as well as general interaction with the media and investors.

This Privacy Notice is in addition to other privacy notices related to products and services that the bank provides to clients and individuals.

Personal information we collect

Personal Information is information that identifies or relates to an identifiable individual. Please refer to Appendix A to see the Personal Information we may collect in relation to the distribution of market research, financial materials, press releases, and S E C filings, as well as general interaction with the media and investors.

How we collect personal information

You provide Personal Information to us in order to receive market research, financial materials, press releases, and S E C filings. We also receive Personal Information from third party service providers or obtain it through public sources where you have made it available for us to interact with members of the media. Please refer to Appendix A for additional information.

Disclosure of personal information

To the extent permitted by applicable law and as appropriate to achieve the purposes described in this Notice, Personal Information may be disclosed by the Company as follows:

  • Given the global nature of the Company’s activities, the Company may (subject to applicable law) transmit Personal Information, to other Bank of America affiliates or operations located in other jurisdictions, including the United States or other jurisdictions where data protection laws may not provide an equivalent level of protection to the laws in the media or investor contact’s home jurisdiction.
  • The Company may disclose in accordance with applicable law relevant Personal Information to certain third parties in connection with the provision of services to the Company. Where the processing of Personal Information is delegated to a third party data processor, such as those listed in Appendix A, the Company will delegate such processing in writing, will choose a data processor that provides sufficient guarantees with respect to technical and organizational security measures, such as data protection and information security requirements, governing the relevant processing and will ensure that the processor acts on the Company’s behalf and under the Company’s instructions.
  • Personal Information also may be disclosed, where permitted by applicable law, in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of the financial status of the Company or any of its subsidiary or affiliated companies. Personal Information also may be released, to protect the legitimate interests of the Company (unless this would prejudice the rights and freedoms or interests of the media or investor contact), or in the Company’s judgement to comply with applicable legal or regulatory obligations and regulatory inquiries or requests subject to local law.
  • The Company does not use automated decision making on media and investor contacts’ process.

Security

The Company maintains appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing of Personal Information and/or against accidental loss, alteration, disclosure or access, or accidental or unlawful destruction of or damage to Personal Information.

Retention period

We will retain Personal Information for as long as it is needed or permitted in light of the purposes for which it was obtained. The criteria used to determine our retention periods include: item one the length of time we have an ongoing relationship with you, item two whether there is a legal claim or complaint to which we are subject; and item three whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations, or a preservation order, subpoena or search warrant).

The appropriate retention period is determined on a case-by-case basis and will depend upon the length of time we need to keep your Personal Information for the purpose(s) for which it was collected. For instance, we may need to retain your Personal Information to provide our client(s) with services, to comply with a legal obligation to which we are subject or in situations where retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations). The retention period may vary between jurisdictions.

We keep information collected using Cookies in accordance with the Cookie Policy (PDF).

Minors

We do not solicit individuals under the age of eighteen (18) and we do not knowingly collect Personal Information from individuals under 18.

Sharing personal information on behalf of another person

If you are sharing information on behalf of another individual, please provide them with a copy of this Notice. When you provide us with Personal Information about members of their family, dependents or friends (for example, individuals provided by a customer as a guarantor), it is your responsibility to inform such individuals and obtain agreement that their information can be shared with us. Should the individual have any questions, please refer them to the Contact Us section in this Notice. By disclosing Personal Information about others to us in connection with our Services, you represent that you have the authority to do so and permit us to use the information in accordance with this Notice.

Jurisdiction specific clauses and cross-border transfer

To the extent permitted by applicable laws and regulations or otherwise allowed by regulators, Personal Information may be stored and processed in any country/territory where we have facilities or in which we engage service providers, including the United States. In certain circumstances, subject to applicable laws, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries/territories may be entitled to access Personal Information.

Where local data protection law requires it we have put in place adequate measures, such as data transfer agreements. Where permitted by applicable laws and regulations or otherwise allowed by regulators, transfers may also be made pursuant to contracts in your interest or at your request.

Given the global nature of the Company’s activities, the Company may transfer your Personal Information to countries located outside of the European Economic Area (“E E A”), the United Kingdom or Switzerland. With regards to transfers from the E E A, United Kingdom or Switzerland to other countries, we have put in place adequate measures, such as standard contractual clauses adopted by the European Commission to protect your information. Where necessary we added the United Kingdom S C C addendum (for transfers from United Kingdom) and/or additional clauses for Switzerland (for transfers from Switzerland). Media and investor contacts in the E E A, United Kingdom or Switzerland may obtain a copy of these measures by going to https://commission.europa.eu/law/law-topic/data-protection_en

Where countries are considered adequate by the European Union, United Kingdom and Switzerland respectively, we rely on this adequacy decision as a safeguard. Countries that are subject to an adequacy decision can be found on the links below.

Individuals may also file a complaint with a supervisory authority competent for their relevant country or region. A list of data protection authorities in the E E A is available at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080. The data protection authority in the United Kingdom is the Information Commissioners Office (the I C O) and in Switzerland it’s the Federal Data Protection and Information Commissioner (F D P I C).

Updates to this privacy notice

We may change this Privacy Notice from time to time. The “LAST UPDATED” legend at the top of the Privacy Notice indicates when it was last revised. Any changes will become effective when we post the revised Privacy Notice and will apply to the use of market research, financial materials, press releases, and S E C filings, as well as general interaction with the media and investors.

How you can access, change or suppress your personal information

Keeping your Personal Information accurate and up to date is very important. If your Personal Information is incomplete, inaccurate, or not current, you may be able to make changes to your information directly in the platforms. You can also notify us of the need for changes in accordance with the “Contacting Us” section below. Depending on the jurisdiction, you may have legal rights under applicable laws which may be subject to limitations and/or restrictions. For further details of which rights you may have, please see the “individual rights” section in your local privacy notice available at Global Privacy Notices (B of A dot com). These rights may include:

  • Right of Access: you have the right to confirm what data is being processed, obtain information about the processing activities and to receive a copy of your Personal Information;
  • Right to Rectification: you have the right to request rectification / correction of your Personal Information where inaccurate or incomplete;
  • Right to Erasure: you have the right to request deletion of your Personal Information;
  • Right to Restriction: you have a right to ask that we restrict or suspend the processing of your Personal Information which means that whilst we are permitted to store the Personal Information, we cannot otherwise use it;
  • Right to Data Portability: you have right to request the transfer of certain Personal Information to a third party, in machine readable format;
  • Right to Object: you have the right to object to the processing of your Personal Information including for any direct marketing purposes;
  • Right to Withdraw Consent: you have the right to withdraw your consent, at any time, without hindrance or cost, to prevent further processing. Please note that withdrawing your consent does not affect the lawfulness of our processing of your Personal Information based on such consent before the withdrawal; and
  • Right to Lodge a Complaint: you have the right to file a complaint concerning our processing of your Personal Information with the competent data protection authority in the relevant jurisdiction.

To make a request or inquire about such rights, please send an email to the appropriate address from the “Contacting Us” section below and include “Attn: Privacy” in the subject line. In your request or complaint, please make clear what information you are inquiring about, as well as the nature of your request (such as whether you would like to access or correct the data) or details of your complaint. For your protection, we may implement requests with respect to only the information associated with the email address you use to send us your request or other agreed-upon identifier, and we may need to verify your identity before implementing your request.

Please note that we may need to retain certain Personal Information for recordkeeping purposes or where required by applicable law. There may also be residual information that will remain within our databases, backups, and other records that cannot be removed.

Contacting us

Should you have any questions, concerns or complaints about this Notice, please contact the Data Protection Officer using the contact details below.

Individuals may also file a complaint with a supervisory authority for their relevant country or region.

APPENDIX A

The table below contains the purpose for which we may process your personal information, the types of processing activities that may take place and the category of personal information that would be used for such processing as well as the legal basis for the processing.

Purpose for personal information
Purpose Examples of Processing Activities Personal Information Categories Legal Basis
Media and investor relations
  • To register to receive market research, financial materials, press releases, and S E C filings
  • To interact as part of our routine media and investor relations work
  • Audits, to verify that our internal processes function as intended and are compliant with legal, regulatory or contractual requirements;
  • Determining the effectiveness of our market research; and
  • Operating and expanding our business activities, for example, understanding which parts of our services are of most interest to our users so we can focus our efforts on meeting our users’ interests.

Personal Details: Name

Professional Details: company name

Contact Information: Postal address, Email address, Phone number

Consent - To obtain consent to use data for media and investor relations activities. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

The categories of unaffiliated third parties with whom we may share personal information

Categories of unaffiliated third parties
Categories of third parties Personal Data Purpose of processing your Personal Information Destination Countries
Media and investor relations vendors

Personal Details: Name

Professional Details: Company name

Contact Information: Postal address, Email address, Phone number

For use in providing market research, financial materials, press releases, and S E C filings, or engaging with media and investor contacts

Globally where we have a presence

Bank of America Locations

Data Privacy Notice for Media and Investor Contacts

Last Update: July seventeenth twenty twenty six

This Privacy Notice explains how Bank of America (under legal entity Bank of America, N A) collects, uses, shares and protects personal information for distribution of market research, financial materials, press releases, and S E C filings, as well as general interaction with the media and investors.

This Privacy Notice is in addition to other privacy notices related to products and services that the bank provides to clients and individuals.

Personal information we collect

Personal Information is information that identifies or relates to an identifiable individual. Please refer to Appendix A to see the Personal Information we may collect in relation to the distribution of market research, financial materials, press releases, and S E C filings, as well as general interaction with the media and investors.

How we collect personal information

You provide Personal Information to us in order to receive market research, financial materials, press releases, and S E C filings. We also receive Personal Information from third party service providers or obtain it through public sources where you have made it available for us to interact with members of the media. Please refer to Appendix A for additional information.

Disclosure of personal information

To the extent permitted by applicable law and as appropriate to achieve the purposes described in this Notice, Personal Information may be disclosed by the Company as follows:

  • Given the global nature of the Company’s activities, the Company may (subject to applicable law) transmit Personal Information, to other Bank of America affiliates or operations located in other jurisdictions, including the United States or other jurisdictions where data protection laws may not provide an equivalent level of protection to the laws in the media or investor contact’s home jurisdiction.
  • The Company may disclose in accordance with applicable law relevant Personal Information to certain third parties in connection with the provision of services to the Company. Where the processing of Personal Information is delegated to a third party data processor, such as those listed in Appendix A, the Company will delegate such processing in writing, will choose a data processor that provides sufficient guarantees with respect to technical and organizational security measures, such as data protection and information security requirements, governing the relevant processing and will ensure that the processor acts on the Company’s behalf and under the Company’s instructions.
  • Personal Information also may be disclosed, where permitted by applicable law, in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of the financial status of the Company or any of its subsidiary or affiliated companies. Personal Information also may be released, to protect the legitimate interests of the Company (unless this would prejudice the rights and freedoms or interests of the media or investor contact), or in the Company’s judgement to comply with applicable legal or regulatory obligations and regulatory inquiries or requests subject to local law.
  • The Company does not use automated decision making on media and investor contacts’ process.

Security

The Company maintains appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing of Personal Information and/or against accidental loss, alteration, disclosure or access, or accidental or unlawful destruction of or damage to Personal Information.

Retention period

We will retain Personal Information for as long as it is needed or permitted in light of the purposes for which it was obtained. The criteria used to determine our retention periods include: item one the length of time we have an ongoing relationship with you, item two whether there is a legal claim or complaint to which we are subject; and item three whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations, or a preservation order, subpoena or search warrant).

The appropriate retention period is determined on a case-by-case basis and will depend upon the length of time we need to keep your Personal Information for the purpose(s) for which it was collected. For instance, we may need to retain your Personal Information to provide our client(s) with services, to comply with a legal obligation to which we are subject or in situations where retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations). The retention period may vary between jurisdictions.

We keep information collected using Cookies in accordance with the Cookie Policy (PDF).

Minors

We do not solicit individuals under the age of eighteen (18) and we do not knowingly collect Personal Information from individuals under 18.

Sharing personal information on behalf of another person

If you are sharing information on behalf of another individual, please provide them with a copy of this Notice. When you provide us with Personal Information about members of their family, dependents or friends (for example, individuals provided by a customer as a guarantor), it is your responsibility to inform such individuals and obtain agreement that their information can be shared with us. Should the individual have any questions, please refer them to the Contact Us section in this Notice. By disclosing Personal Information about others to us in connection with our Services, you represent that you have the authority to do so and permit us to use the information in accordance with this Notice.

Jurisdiction specific clauses and cross-border transfer

To the extent permitted by applicable laws and regulations or otherwise allowed by regulators, Personal Information may be stored and processed in any country/territory where we have facilities or in which we engage service providers, including the United States. In certain circumstances, subject to applicable laws, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries/territories may be entitled to access Personal Information.

Where local data protection law requires it we have put in place adequate measures, such as data transfer agreements. Where permitted by applicable laws and regulations or otherwise allowed by regulators, transfers may also be made pursuant to contracts in your interest or at your request.

Given the global nature of the Company’s activities, the Company may transfer your Personal Information to countries located outside of the European Economic Area (“E E A”), the United Kingdom or Switzerland. With regards to transfers from the E E A, United Kingdom or Switzerland to other countries, we have put in place adequate measures, such as standard contractual clauses adopted by the European Commission to protect your information. Where necessary we added the United Kingdom S C C addendum (for transfers from United Kingdom) and/or additional clauses for Switzerland (for transfers from Switzerland). Media and investor contacts in the E E A, United Kingdom or Switzerland may obtain a copy of these measures by going to https://commission.europa.eu/law/law-topic/data-protection_en

Where countries are considered adequate by the European Union, United Kingdom and Switzerland respectively, we rely on this adequacy decision as a safeguard. Countries that are subject to an adequacy decision can be found on the links below.

Individuals may also file a complaint with a supervisory authority competent for their relevant country or region. A list of data protection authorities in the E E A is available at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080. The data protection authority in the United Kingdom is the Information Commissioners Office (the I C O) and in Switzerland it’s the Federal Data Protection and Information Commissioner (F D P I C).

Updates to this privacy notice

We may change this Privacy Notice from time to time. The “LAST UPDATED” legend at the top of the Privacy Notice indicates when it was last revised. Any changes will become effective when we post the revised Privacy Notice and will apply to the use of market research, financial materials, press releases, and S E C filings, as well as general interaction with the media and investors.

How you can access, change or suppress your personal information

Keeping your Personal Information accurate and up to date is very important. If your Personal Information is incomplete, inaccurate, or not current, you may be able to make changes to your information directly in the platforms. You can also notify us of the need for changes in accordance with the “Contacting Us” section below. Depending on the jurisdiction, you may have legal rights under applicable laws which may be subject to limitations and/or restrictions. For further details of which rights you may have, please see the “individual rights” section in your local privacy notice available at Global Privacy Notices (B of A dot com). These rights may include:

  • Right of Access: you have the right to confirm what data is being processed, obtain information about the processing activities and to receive a copy of your Personal Information;
  • Right to Rectification: you have the right to request rectification / correction of your Personal Information where inaccurate or incomplete;
  • Right to Erasure: you have the right to request deletion of your Personal Information;
  • Right to Restriction: you have a right to ask that we restrict or suspend the processing of your Personal Information which means that whilst we are permitted to store the Personal Information, we cannot otherwise use it;
  • Right to Data Portability: you have right to request the transfer of certain Personal Information to a third party, in machine readable format;
  • Right to Object: you have the right to object to the processing of your Personal Information including for any direct marketing purposes;
  • Right to Withdraw Consent: you have the right to withdraw your consent, at any time, without hindrance or cost, to prevent further processing. Please note that withdrawing your consent does not affect the lawfulness of our processing of your Personal Information based on such consent before the withdrawal; and
  • Right to Lodge a Complaint: you have the right to file a complaint concerning our processing of your Personal Information with the competent data protection authority in the relevant jurisdiction.

To make a request or inquire about such rights, please send an email to the appropriate address from the “Contacting Us” section below and include “Attn: Privacy” in the subject line. In your request or complaint, please make clear what information you are inquiring about, as well as the nature of your request (such as whether you would like to access or correct the data) or details of your complaint. For your protection, we may implement requests with respect to only the information associated with the email address you use to send us your request or other agreed-upon identifier, and we may need to verify your identity before implementing your request.

Please note that we may need to retain certain Personal Information for recordkeeping purposes or where required by applicable law. There may also be residual information that will remain within our databases, backups, and other records that cannot be removed.

Contacting us

Should you have any questions, concerns or complaints about this Notice, please contact the Data Protection Officer using the contact details below.

Individuals may also file a complaint with a supervisory authority for their relevant country or region.

APPENDIX A

The table below contains the purpose for which we may process your personal information, the types of processing activities that may take place and the category of personal information that would be used for such processing as well as the legal basis for the processing.

Purpose for personal information
Purpose Examples of Processing Activities Personal Information Categories Legal Basis
Media and investor relations
  • To register to receive market research, financial materials, press releases, and S E C filings
  • To interact as part of our routine media and investor relations work
  • Audits, to verify that our internal processes function as intended and are compliant with legal, regulatory or contractual requirements;
  • Determining the effectiveness of our market research; and
  • Operating and expanding our business activities, for example, understanding which parts of our services are of most interest to our users so we can focus our efforts on meeting our users’ interests.

Personal Details: Name

Professional Details: company name

Contact Information: Postal address, Email address, Phone number

Consent - To obtain consent to use data for media and investor relations activities. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

The categories of unaffiliated third parties with whom we may share personal information

Categories of unaffiliated third parties
Categories of third parties Personal Data Purpose of processing your Personal Information Destination Countries
Media and investor relations vendors

Personal Details: Name

Professional Details: Company name

Contact Information: Postal address, Email address, Phone number

For use in providing market research, financial materials, press releases, and S E C filings, or engaging with media and investor contacts

Globally where we have a presence

Bank of America Locations

What would you like the power to do?