Additional United States Privacy Disclosures

These disclosures supplement the OneMain Privacy Policy and Privacy Notice. They provide additional information about how OneMain Holdings, Inc. and its subsidiaries process (both online and offline) personal data relating to individual residents of certain states in the United States identified below, as well as about the privacy rights available to those residents. OneMain Holding’s subsidiaries include those that use “OneMain” or “Springleaf” in their name, such as OneMain Financial Group, LLC and OneMain Trim, LLC, as well as American Health and Life Insurance Company, Triton Insurance Company, and CommoLoCo, Inc.

These disclosures do not apply to OneMain personnel. These disclosures also do not apply to information collected, processed or disclosed pursuant to the Gramm-Leach-Bliley Act, its implementing regulations or the California Financial Information Privacy Act.

If you are a resident of the state of Nevada in the United States, you have the right to opt out of the sale of your personal data. Although we do not currently sell personal data of Nevada residents (as defined under Nevada law), you may submit a request to opt-out of the sale of your personal data by clicking the “Do Not Sell or Share My Personal Information” link on our webpage (available 24/7) or calling us at (844) 859-1865 (M-F 5:30 AM – 2:30 PM Pacific, except for holidays).

The following supplementary disclosures apply only to residents of the states of California and Oregon. This section uses certain terms that have the meaning given to them in the Oregon Consumer Privacy Act (the “OCPA”) and California Consumer Privacy Law (“CCPA”), as amended.

We may collect and use (and may have used during the 12-month period prior to the Last Updated date of the Privacy Policy) your personal data for the purposes described in the OneMain Privacy Policy and as further described below.

• Identifiers: identifiers such as a real name, postal address, unique personal identifier (such as a device identifier; cookies, beacons, pixel tags, mobile ad identifiers, and similar technology; unique pseudonym, or user alias; telephone number and other forms of persistent or probabilistic identifiers), online identifier, IP address, email address, and other similar identifiers;
• Commercial Information: commercial information, including products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies;
• Internet/Network Information and Online Activity: Internet and other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with websites, applications or advertisements;
• Geolocation Data: general location information, such as information obtained from your IP address;
• Professional/Employment Information, such as job title, department, employer or business, and trade or professional association membership information;
• Education Information: Information, such as education history, credentials and degrees, that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99);
• Other Personal Data, such as information and content you post to the services and other information you submit to us, including inquiry and communication information when you contact us; and
• Inferences, including information generated from your use of the services reflecting predictions about your interests and preferences.

We may use your personal data for the following business purposes, in addition to those set forth in the Privacy Policy:

• Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytics services, providing storage, or providing similar services;
• Providing advertising and marketing services;
• Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance;
• Short-term, transient use, such as non-personalized advertising shown as part of your current interaction with us;
• Helping to ensure security and integrity;
• Undertaking activities to verify or maintain the quality or safety of our services or devices and to improve, upgrade, or enhance them;
• Debugging to identify and repair errors;
• Undertaking internal research for technological development and demonstration;
• Managing career opportunities with OneMain; and
• Managing our relationships with current or prospective partners, corporate customers and vendors and other business partner personnel.

We do not use or disclose (and have not used or disclosed during the 12-month period prior to the Last Updated date of the Privacy Policy) “sensitive personal data” (as defined under applicable privacy laws).

During the 12-month period prior to the Last Updated date of the Privacy Policy, we may have obtained personal data about you from the following categories of sources:

• You directly, including through your device.
• Our affiliated entities.
• Marketing and business partners, such as consumer data resellers.
• Service providers, contractors and other vendors who provide services on our behalf, such as data analytics providers.
• Your employer, if you are a representative of one of our business partners.
• Government entities from which public records are obtained.

As described in our Privacy Policy, we disclose personal data with a variety of third parties for business purposes or we may sell or share your personal data to third parties for targeted advertising purposes, subject to your right to opt out of selling or sharing (see Your Privacy Rights below).

During the 12-month period prior to the Last Updated date of the Privacy Policy, we may have disclosed the following categories of personal data about you for the business purposes listed above to the following categories of persons:

Category of Personal Data	Categories of Third Parties
Identifiers	Our affiliated entities Vendors who provide services on our behalf Our business partners Your employer, if you are a representative of one of our business partners Online advertising services ISPs and operating systems and platforms
Commercial Information	Our affiliated entities Vendors who provide services on our behalf Data analytics providers
Internet/Network Information and Online Activity	Our affiliated entities Vendors who provide services on our behalf Data analytics providers
Geolocation Data	Our affiliated entities Vendors who provide services on our behalf
Professional/Employment Information	Our affiliated entities Vendors who provide services on our behalf
Education Information	Our affiliated entities Vendors who provide services on our behalf
Other Personal Data	Our affiliated entities Vendors who provide services on our behalf
Inferences	Our affiliated entities Vendors who provide services on our behalf

In addition to the categories of third parties identified above, during the 12-month period prior to the Last Updated date of the Privacy Policy, we may have disclosed personal data about you to government entities and third parties in connection with corporate transactions, such as mergers, acquisitions or divestitures.

We do not sell your personal data in exchange for monetary compensation. We may allow certain third parties (such as online advertising services) to collect personal data via automated technologies for the purpose of displaying advertisements that are selected based on personal data obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications, or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”). This kind of sharing may be considered a “sale” under applicable privacy laws when the personal data is exchanged for non-monetary consideration. You have the right to opt out of these types of disclosures of your information, as further described below.

We may share for targeted advertising purposes (and may have shared during the 12-month period prior to the Last Updated date of the Privacy Policy) the following categories of personal data about you to online advertising services:

• Identifiers
• Commercial Information
• Internet/Network Information and Online Activity
• Inferences

Subject to certain legal limitations and exceptions, you may be able to limit or opt-out of the sale of personal data or the processing of personal data for purposes of targeted advertising (as described in the Your Privacy Rights section below).

To the extent we process deidentified information, we will maintain and use the information in deidentified form and will not attempt to reidentify the information unless required or permitted by applicable law.

We retain personal data only for as long as is reasonably necessary to fulfill the purpose for which it was collected in accordance with our legitimate business interests, as described in the OneMain Privacy Policy and these Additional United States Privacy Disclosures, or any other notice provided at the time of collection, taking into account applicable statutes of limitation and records retention requirements under applicable law. However, if necessary, we may retain personal data for longer periods of time as required under applicable law or as needed to resolve disputes or protect our legal rights.

To determine the appropriate duration of the retention of personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of personal data and if we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting, and other applicable obligations.

Once retention of the personal data is no longer reasonably necessary for the purposes outlined above, we will either delete or deidentify the personal data or, if that is not possible (for example, because personal data has been stored in backup archives), we will securely store the personal data and isolate it from further active processing until deletion or deidentification is possible.

Subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights:

• Right to Know: The right to confirm whether we are processing personal data about you and the categories of personal data collected, and, under applicable law only, the right to obtain certain personalized details about the personal data we have collected about you, including:
  • The categories of sources of the personal data;
  • The purposes for which the personal data were collected;
  • The categories of personal data disclosed to third parties (if any), and the categories of recipients to whom this personal data were disclosed;
  • The categories of personal data shared for targeted advertising purposes (if any), and the categories of recipients to whom the personal data were disclosed for these purposes; and
  • The categories of personal data sold (if any) and the categories of third parties to whom the personal data were sold.
• Right to Access & Portability: The right to obtain access to the personal data we have collected about you and, where required by law, the right to obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.
• Right to Correction: The right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data.
• Right to Opt-Out of Sharing for Targeted Advertising: The right to direct us not to use or share personal data with third parties for certain targeted advertising purposes.
• Right to Opt-Out of Sales: The right to direct us not to sell personal data to third parties.
• Right to Deletion: The right to have us delete personal data we maintain about you.

You may also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, the exercise of the rights described above may result in a different price, rate or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.

To submit a request, please visit our Online Request Portal (available 24/7) or call us at (844) 859-1865 (M-F 5:30 AM – 2:30 PM Pacific, except for holidays). These Additional United States Privacy Disclosures do not apply to OneMain personnel.

You can opt-out of the sale of your Personal Data for targeted advertising purposes by clicking the "Do Not Sell or Share My Personal Data" link in the footer of our website or using the Global Privacy Control (“GPC”) signal through your web browser. Like with other types of browser-specific controls, if you use the GPC, we will process it for the browser from which you submit the request, but the opt-out request will not apply outside of the browser to your device. After using the GPC, if you clear your cookies in your browser, you will need to use the GPC again for us to process your opt-out for that browser. In addition, you can also opt out of cookie-based sales by businesses that participate in the Digital Advertising Alliance’s CCPA Opt-Out Tool by visiting https://www.privacyrights.info/.

In certain circumstances, you are permitted to use an authorized agent to submit requests on your behalf through the designated methods set forth above where we can verify the authorized agent’s authority to act on your behalf. In order to verify the authorized agent’s authority, we generally require evidence of either (i) a valid power of attorney or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement of authorization for the request. Depending on the evidence provided and your state of residency, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to verify your identity in connection with the request.

To submit a request as an authorized agent on behalf of a consumer, please follow these authorized agent instructions for submitting a request. For questions or concerns about our privacy policies and practices, please call us at (844) 859-1865 (M-F 5:30 AM – 2:30 PM Pacific, except for holidays).

To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal data or complying with your request. We use a third-party identity verification service to verify your identity. If you request access to, correction of or deletion of your personal data, we may ask you to provide your: first name, middle initial, last name, current mailing address, date of birth, Social Security number or individual taxpayer identification number. We also will ask questions to verify your identity.

Oregon residents have the right to appeal our decision regarding their privacy rights listed above. If your request is denied, we will provide you with a communication detailing the reason for the denial and a method for appealing our decision. If you wish to appeal our decision, you will be required to fill out a webform to confirm your identity and provide the reason(s) for your appeal. Within 45 days of receipt of your request, we will provide you with a communication indicating whether we approved or denied your appeal and the reason(s) for our decision. If your appeal is denied, we will provide you with the requisite contact information for the Office of the Attorney General so that you may submit a complaint if you so choose.

We do not sell the personal data of consumers we know to be less than 16 years of age. Please contact us at executive.customercare@omf.com to inform us if you, or your minor child, are under the age of 16.

We do not provide your personal data to third parties for their direct marketing purposes, as described in California’s “Shine the Light” law (Civil Code Section §1798.83).

We will update these Disclosures from time to time. When we make changes to these Disclosures, we will change the “Last Updated” date at the beginning of these Disclosures. If we make material changes to these Disclosures, we will notify you by updating the “Last Updated” date above or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided in the notification.

If you have any questions or requests in connection with these disclosures or other privacy-related matters, please send an email to executive.customercare@omf.com

The following chart reflects the California privacy rights requests that we processed in the 2024 calendar year (1/1/24 – 12/31/24):

Type of Consumer Request	Requests Received	Requests Fulfilled in Whole or Part	Requests Denied	Mean Number of Days to a Substantive Response
Requests to Delete	30	0	30	8.33 days
Requests to Correct	2	1	1	21 days
Requests to Know	8	0	8	12.38 days
Requests to Opt Out of Sale / Sharing	0	Not applicable	Not applicable	Not applicable
Requests to Limit	Not applicable	Not applicable	Not applicable	Not applicable