C&F Bank Privacy Policy
Last updated: March 29, 2026
This Privacy Policy explains how C&F Bank (Citizens and Farmers Bank), a subsidiary of C&F Financial Corporation, collects, uses, shares and protects your personal and financial information. C&F Bank is committed to safeguarding the privacy of all customers, former customers and website visitors in compliance with the Gramm-Leach-Bliley Act (GLBA), Virginia privacy laws and applicable federal regulations.
1. Scope of This Policy
This Privacy Policy applies to all personal information collected by C&F Bank through our branch locations, the CFFC online banking platform (cffc.co.com), the C&F Bank mobile app, telephone interactions, loan applications, account opening documentation, ATM transactions and any other means of customer interaction. It covers current customers, former customers and visitors to our website who have not yet established an account relationship. This policy does not apply to third-party websites linked from cffc.co.com, which are governed by their own privacy policies.
2. Information We Collect
C&F Bank collects information necessary to provide banking services, comply with regulatory requirements and improve your experience. The categories of information we collect include:
2.1 Information You Provide Directly
When you open an account, apply for a loan, enrol in online banking, or contact us, you provide information including: full legal name, date of birth, Social Security number or Tax Identification Number, physical address, email address, telephone number, employment information, income documentation, government-issued identification and beneficiary designations. For business accounts, we also collect business formation documents, Employer Identification Numbers (EIN) and ownership structure information.
2.2 Information from Transactions
We collect information generated through your use of C&F Bank products and services: account balances, transaction history, bill pay records, wire transfer details, loan payment history, debit card purchases, ATM activity, mobile deposit images and alert preferences. This transactional data is essential for account maintenance, fraud detection and regulatory compliance.
2.3 Information from Third Parties
We may receive information about you from consumer reporting agencies (credit reports, credit scores), identity verification services, public records, mortgage insurance companies and, with your authorisation, from other financial institutions during loan processing or account transfers.
2.4 Information Collected Automatically
When you visit cffc.co.com or use the C&F Bank mobile app, we automatically collect: IP address, browser type and version, device type and operating system, pages visited, time spent on pages, referring URLs, and session identifiers. We use cookies and similar technologies for session management, security (fraud detection) and website analytics. You can manage cookie preferences through your browser settings, though disabling cookies may affect CFFC online banking functionality.
3. How We Use Your Information
C&F Bank uses your personal and financial information for the following purposes:
- Account administration: opening and maintaining deposit accounts, processing transactions, servicing loans and mortgages, and communicating about your accounts.
- Service delivery: providing online banking, mobile banking, bill pay, wire transfers, eStatements and other digital services.
- Credit decisions: evaluating loan and credit applications, including mortgage underwriting and SBA loan processing.
- Fraud prevention and security: monitoring transactions for suspicious activity, verifying identity during login, and protecting against unauthorised access to accounts.
- Regulatory compliance: meeting requirements under the Bank Secrecy Act, USA PATRIOT Act, Fair Credit Reporting Act, Community Reinvestment Act, and other applicable laws.
- Communication: sending account alerts, statement notifications, rate change notices, and service updates.
- Improvement of services: analysing usage patterns to improve our website, mobile app and banking products.
4. Information Sharing and Disclosure
C&F Bank does not sell your personal information to third parties. We share information only in the following circumstances as permitted or required by law:
4.1 Within the C&F Financial Corporation Family
We may share information among C&F Financial Corporation affiliates for purposes including servicing your accounts, offering products and services, and risk management. You may opt out of marketing-related affiliate sharing by contacting us (see Section 8).
4.2 Service Providers
We share information with third-party service providers who perform functions on our behalf, including: data processing, cheque printing, debit card manufacturing, credit reporting, loan servicing, bill pay processing, mobile app development and customer communication delivery. All service providers are contractually obligated to protect your information and use it only for the purposes specified by C&F Bank.
4.3 As Required by Law
We disclose information when required by law, regulation, court order or subpoena. This includes reporting to the IRS, responding to regulatory examinations by the Federal Reserve and Consumer Financial Protection Bureau (CFPB), filing Currency Transaction Reports and Suspicious Activity Reports under the Bank Secrecy Act, and responding to lawful law enforcement requests.
4.4 With Your Consent
We may share information with third parties when you provide explicit consent, such as when you authorise a third-party financial app to access your account data through secure APIs.
5. Gramm-Leach-Bliley Act (GLBA) Compliance
C&F Bank complies with the privacy provisions of the Gramm-Leach-Bliley Act of 1999, which requires financial institutions to explain their information-sharing practices and provide customers with the right to opt out of certain sharing. Under GLBA:
- We provide this Privacy Policy to all new customers at the time of account opening and annually thereafter.
- We describe the categories of nonpublic personal information we collect and the circumstances under which it may be disclosed.
- We offer you the right to opt out of information sharing with non-affiliated third parties for marketing purposes.
- We maintain administrative, technical and physical safeguards to protect your information as required by the GLBA Safeguards Rule.
For more information about your rights under GLBA, visit the Federal Trade Commission (FTC).
6. Virginia Consumer Data Protection Act (VCDPA)
While GLBA provides the primary framework for financial institution privacy practices, C&F Bank also respects the principles of the Virginia Consumer Data Protection Act (VCDPA). Although financial institutions subject to GLBA have certain exemptions under VCDPA, we voluntarily extend the following rights to Virginia residents where not already covered by GLBA:
- Right to know: you can request confirmation of whether we process your personal data and access the specific data we hold.
- Right to correction: you can request correction of inaccurate personal data in our records.
- Right to deletion: you can request deletion of personal data, subject to regulatory retention requirements (banking records are typically retained for 5-7 years minimum).
- Right to opt out: you can opt out of the processing of personal data for targeted advertising (C&F Bank does not engage in targeted advertising based on personal banking data).
To exercise these rights, contact C&F Bank using the information in Section 8. We will respond within 45 days of receiving a verifiable request.
7. Data Security
C&F Bank implements comprehensive security measures to protect your information:
- Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit across CFFC online banking and the mobile app.
- Authentication: adaptive multi-factor authentication for all online banking access, with biometric options on mobile devices.
- Access controls: role-based access for employees, with least-privilege principles and regular access reviews.
- Monitoring: real-time transaction monitoring, intrusion detection systems, and 24/7 security operations centre monitoring.
- Testing: annual penetration testing by independent security firms, quarterly vulnerability assessments, and regular employee security awareness training.
- Physical security: access-controlled data centres, branch security systems, and secure document destruction procedures.
While no system is completely invulnerable, C&F Bank's security programme meets or exceeds FFIEC guidance for information security and has maintained zero data breaches since the inception of our digital banking platform.
8. Your Choices and How to Contact Us
You have the following choices regarding your personal information:
- Opt out of affiliate marketing sharing: call 804-843-2360 or visit any C&F Bank branch to request that we not share your information among C&F Financial Corporation affiliates for marketing purposes.
- Manage communication preferences: update your email, SMS and push notification preferences through account alert settings in CFFC online banking.
- Request data access, correction or deletion: contact us using any method below. Identity verification is required for all requests.
- Manage cookies: adjust cookie settings through your web browser preferences.
Contact information for privacy-related requests:
- Phone: 804-843-2360 (Monday-Friday 8am-5pm ET, Saturday 9am-12pm ET)
- Email: privacy@cffc.co.com
- Mail: C&F Bank, Attn: Privacy Officer, West Point, VA 23181
- In person: any of our 30 Virginia branch locations
9. Children's Privacy
C&F Bank does not knowingly collect personal information from children under the age of 13 through our website or mobile app. Our online banking services are intended for adults and emancipated minors who hold accounts. If we become aware that we have inadvertently collected information from a child under 13, we will delete it promptly.
10. Cookies and Tracking Technologies
C&F Bank uses the following types of cookies on cffc.co.com:
- Essential cookies: required for CFFC online banking session management, authentication and security. These cannot be disabled without losing access to online banking.
- Analytics cookies: used to understand how visitors use our website, including page views, session duration and navigation patterns. This data is aggregated and anonymised. No personal banking information is included in analytics data.
- Preference cookies: remember your settings, such as language preference and accessibility options, to improve your experience on return visits.
C&F Bank does not use advertising or tracking cookies. We do not participate in cross-site tracking networks. We do not share cookie data with third-party advertisers.
11. Data Retention
C&F Bank retains personal and financial information for as long as necessary to provide services, comply with legal and regulatory requirements, and resolve disputes. General retention periods include:
- Account records: 7 years after account closure
- Loan records: 7 years after loan payoff
- Tax documents: as required by IRS regulations
- Transaction records: 7 years
- Website analytics: 26 months (aggregated and anonymised)
- Customer communications: 5 years
After the applicable retention period, records are securely destroyed using methods appropriate to the data format (shredding for paper, cryptographic erasure for electronic records).
12. Changes to This Privacy Policy
C&F Bank may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or regulatory guidance. Material changes will be communicated through account notifications, posted on cffc.co.com and, where required by law, sent via mail or email. The "Last updated" date at the top of this policy indicates the most recent revision. We encourage you to review this policy periodically.
13. Regulatory Disclosures
C&F Bank (Citizens and Farmers Bank) is a Virginia state-chartered bank, member FDIC, NMLS #399805. Equal Housing Lender. C&F Bank is regulated by the Virginia Bureau of Financial Institutions and the Federal Reserve. For questions or complaints about C&F Bank's privacy practices, you may also contact:
- Consumer Financial Protection Bureau (CFPB) — for federal consumer financial protection matters
- Federal Trade Commission (FTC) — for general consumer privacy matters
- Virginia Bureau of Financial Institutions — for state banking regulatory matters
This policy is effective as of March 29, 2026. If you have questions about this Privacy Policy, contact our Privacy Officer at 804-843-2360 or privacy@cffc.co.com.
Data Practices Summary Table
Quick reference for C&F Bank's data collection and sharing practices.
| Practice | C&F Bank Policy |
|---|---|
| Sell personal information to third parties | No — never |
| Share with affiliates for servicing | Yes — as needed for account services |
| Share with affiliates for marketing | Yes — unless you opt out |
| Share with non-affiliates for marketing | No |
| Share with service providers | Yes — contractually bound |
| Share when required by law | Yes — as legally required |
| Use advertising/tracking cookies | No |
| Cross-site tracking | No |
| Data encryption (transit) | TLS 1.3 |
| Data encryption (at rest) | AES-256 |
| Account record retention | 7 years after closure |
| Annual privacy notice | Yes — GLBA compliant |