Privacy Policy

MFH, LLC and Affiliates Personally Identifiable Information and Privacy Policy

Personally Identifiable Information (PII) is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers. We restrict access to personal information to our employees, our affiliates' employees, or others who need to know that information to service the account or in the course of conducting our normal business operations. The identification, service, notice and training associated with information of this nature is identified below in accordance with the California Consumer Privacy and Protection Act effective January 1, 2020. The policy herein as identified will be broadly applied to all jurisdictions.

Identification and Storage

The identification of PII begins at or before the time of data collection. When materials are identified, we make every effort to secure them by restricting access to only those individuals approved to handle the PII. All documentation where PII has been identified AND is needed in the regular course of business, shall be identified and subject to the terms and conditions of this policy. MFH, LLC and Affiliates do not sell personally identifiable information.

Notices to Consumers

At or before the time of data collection consumers and stakeholders are directed to our website for notifications of rights. Specific notices are sent out departmentally as required.

Consumer Opt-Out, Right to Know, Delete Requests

We do not sell your personal information. Consumer requests may be made by clicking here "Opt-Out Do Not Sell or Share My Personal Information-Right to Know-Delete Request". A request to opt-out, right to know, or request to delete should include pertinent details for consideration. To verify your identity, we may request information from the consumer in evaluating and responding to a request. Depending on the nature, all requests are routed to the relevant department and escalated to the senior manager. We will respond to opt-out requests within 15 business days from the date of receipt and 90 calendar days for right to know and delete requests. Please refer to the links below that provide additional details on your rights and FAQ's.

Legal Service of Records

Where records are being subpoenaed, documents containing PII should not be disclosed unless one of the following conditions applies:

  • Verification of the legality of the request and requesting parties has been confirmed as an approved third party

  • Records have been reviewed and authorized by counsel

  • PII is most often contained in documents that are considered to be Confidential Work Product and these would not be discoverable. Counsel should be consulted for creating that layer of protection (insulation) in response to the subpoena and in supporting the Work-Product Doctrine

The CCPA shall not apply where compliance by the business would violate evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by evidentiary privilege under California as part of a privileged communication. In accordance with CCPA sections 1798.110 to 1798.135 the CCPA shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law.


Companywide PII training is completed annually by all staff.

Service Providers

All Midwest service providers are required to provide immediate notification in the event of a breach. If a breach is identified, we require the vendor to complete a prompt and thorough investigation. We require that the service providers effectively exercise good faith practices involving PII, CCPA, Gramm Leach Bliley, HIPAA and NAIC.

All Midwest service providers shall defend and indemnify Midwest and hold its officers, directors, employees and agents harmless from any and all damages resulting from or arising out of the negligent acts, errors, omissions, or willful misconduct of the service provider or their partners. Service providers shall promptly notify Midwest of any damages or threatened damages.

All Midwest service providers, at their sole cost and expense, will maintain general and professional liability insurance, cyber insurance covering data loss and data breach response and other insurance as necessary or required by law to insure them and their employees against any claims for damages arising out of or resulting from services provided by said provider under agreement, with limits of not less than $1 million per occurrence unless otherwise specifically requested at a higher limit. All service providers shall provide Midwest with a Certificate of Insurance verifying existence of this coverage upon execution of an agreement and every subsequent anniversary, including the one-year period following the agreements termination.


In accordance with CCPA 1798.130. (a)(5) this policy is reviewed annually for efficacy and updating to evolving standards.

Any data breach is handled in accordance with our existing Information Systems Security and Enterprise Risk Policy.

Helpful Links: