BRIDGES TRUST COMPANY PRIVACY POLICY

WHEREAS, Bridges Trust Company, a Nebraska trust company (“Bridges”) recognizes its customers’ expectations of financial privacy;

WHEREAS, preserving its customers’ trust is one of the core values of Bridges; WHEREAS, Bridges has adopted the privacy pledge attached as Exhibit A;

WHEREAS, Bridges is subject to Subtitle A of Title V of the Gramm-Leach-Bliley Act (the “Act”), which requires financial institutions to disclose their privacy policies, limit their disclosure of certain information, give customers an opportunity to “opt out” of some disclosures to third- parties subject to a variety of significant exceptions, and protect the security of their customers’ records and information; and

WHEREAS, Bridges desires that its current and former customers’ personally identifiable financial information is kept confidential in accordance with standards outlined in the following policy (the “Policy”) approved and adopted by the Bridges Board of Directors.

  1. Nonpublic Personal Information. All nonpublic information that a consumer provides to Bridges to obtain a financial product or service from Bridges, about a consumer resulting from any transaction involving a financial product or service between Bridges and a consumer, and from which Bridges otherwise obtains about a consumer in connection with providing a financial product or service to the consumer, including personally identifiable financial information, shall be considered “Nonpublic Personal ”

For example, the following types of information shall be considered “Nonpublic Personal Information”:

  • any information a consumer provides to Bridges in connection with opening an account or establishing and maintaining a continuous relationship with Bridges, whether in writing or oral;
  • any account balance information, securities or other assets held in such consumer’s account, payment information, and trading history and information;
  • the fact that a consumer is or has been one of Bridges’ Customers or has obtained a financial product or service from Bridges;
  • any information about an individual if it is disclosed in a manner that indicates that the individual is or has been a consumer of Bridges;
  • any information Bridges collect through an Internet “cookie” (an information collecting device from a web server); and
  • information from a consumer
  1. Collection of Nonpublic Personal Information. Bridges may collect Nonpublic Personal Information from:
  • information a consumer provides to Bridges in connection with opening an account or establishing and maintaining a continuous relationship with Bridges, whether in writing or oral;
  • information about consumer transactions with Bridges and its affiliates;
  • information Bridges receives from third parties such as a consumer’s accountants, attorneys, life insurance agents, family members, financial institutions, custodians, trustees and credit

Nonpublic Personal Information is collected at the onset of, and during, the client relationship and shall be filed with the materials for each Client account. Such information shall be maintained either on the premises of Bridges or off-site in accordance with the applicable record keeping requirements of the Nebraska Department of Banking and Finance. When Nonpublic Personal Information is stored off-site, Bridges shall ensure, through proper contractual arrangements, that the Nonpublic Personal Information shall be kept confidential.

Nonpublic Personal Information shall be managed by designated staff services personnel, who shall organize and maintain such information as described in Section 11.

Each Customer shall have the opportunity to update his/her Nonpublic Personal Information on the Customer statement, which Bridges shall provide in accordance with the regimen in the Customer’s account arrangement.

  1. Disclosure of Nonpublic Personal Information. All employees that need to know certain Nonpublic Personal Information to provide products and services to Customers shall have access to such information. No employee, officer, director, or agent of Bridges shall disclose Nonpublic Personal Information to anyone, except disclosures of Nonpublic Personal Information allowed under the Act (as amended from time to time), including disclosures that are:
  • necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes;
  • in connection with processing or servicing a financial product or service that a consumer requests or authorizes;
  • with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
  • to protect the confidentiality or security of Bridges’ records pertaining to the consumer, service, product, or transaction;
  • to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
  • for required institutional risk control or for resolving consumer disputes or inquiries;
  • to persons holding a legal or beneficial interest relating to the consumer;
  • to persons acting in a fiduciary or representative capacity on behalf of the consumer;
  • to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating Bridges, persons that are assessing its compliance with industry standards, and Bridges’ attorneys, accountants, and auditors;
  • to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), self-regulatory organizations, or for an investigation on a matter related to public safety;
  • to a consumer reporting agency in accordance with the Fair Credit Reporting Act (15

U.S.C. 1681 et seq.), or from a consumer report reported by a consumer reporting agency;

  • in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of Nonpublic Personal Information concerns solely consumers of such business or unit;
  • to comply with federal, State, or local laws, rules and other applicable legal requirements;
  • to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, State, or local authorities;
  • to respond to judicial process or government regulatory authorities having jurisdiction over Bridges for examination, compliance, or other purposes as authorized by law; or
  • to a non-affiliated third party to perform services for or functions on behalf of Bridges, including marketing of Bridges’ own products or services; provided that Bridges enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such
  1. Identifying and Monitoring Customers. A consumer will be considered a “Customer” if he or she:
  • has an account agreement with Bridges (whether written or oral); or
  • is a participant that holds an investment product through Bridges, such as when Bridges acts as a custodian for securities or for assets in an Individual Retirement Arrangement.

In addition, a consumer shall be considered a “Customer” if Bridges regularly effects or engages in securities transactions with or for a consumer even if Bridges does not hold any assets of the consumer. Bridges shall keep a current list of Customers, which is not required to include individuals that have not yet become Customers (i.e., “work in progress” individuals).

  1. Identifying and Monitoring Nonaffiliated Third Parties. A Nonaffiliated Third Party is any company that does not have the power to exercise a controlling influence over the management or policies of Bridges, whether through ownership of more than 25 percent of the voting securities of Bridges, by contract, or otherwise. A Nonaffiliated Third Party is also any company in which Bridges does not have the power to exercise a controlling influence over, whether through ownership of more than 25 percent of the voting securities of such company, by contract, or

Bridges shall obtain, and review annually, a copy of the privacy policy and security policy for each Nonaffiliated Third Party that has access to Nonpublic Personal Information.

  1. Sharing of Nonpublic Personal Information. Bridges shall not disclose any Nonpublic Personal Information to anyone, except as permitted by law. For example, Bridges may share Nonpublic Personal Information with Bridges pursuant to the

Bridges is permitted to disclose Nonpublic Personal Information to Nonaffiliated Third Parties in certain circumstances, as described in Section 3. For example, Bridges may share Nonpublic Personal Information with Fidelity National Information Services (FIS) and Advent, third- party software providers that assist us with servicing your account, and with American National Bank and Northern Trust Company, who act as depositors for Bridges.

Bridges reserves the right to disclose all of the Nonpublic Personal Information it collects from consumers, as listed under Section 2 of this Privacy Policy, to Non-affiliated Third Parties which perform services for, or functions on behalf of, Bridges (“Third Party Service Providers”); provided that Bridges shall enter into a contractual agreement with each Third Party Service Provider to which it discloses Nonpublic Personal Information which prohibits the Third Party Service Provider from disclosing or using the information other than to carry out the purposes for which the information is disclosed. Such Third Party Service Providers may include financial or non- financial companies which perform administrative, customer service, or marketing functions on behalf of Bridges.

If a Customer decides to close its account(s) or become an inactive Customer, Bridges will adhere to the privacy policies and practices as described in this Policy.

  1. Third Party Confidentiality. To ensure the responsible use and protection of Nonpublic Personal Information by Nonaffiliated Third Parties, Bridges will annually require each Nonaffiliated Third Party who has access to Nonpublic Personal Information to agree to maintain the confidentiality of any Nonpublic Personal Information they may receive concerning Bridges’ Customers and to only redisclose or reuse such information to Bridges’ affiliates, its affiliates, and/or to another Nonaffiliated Third Party under the processing and servicing exception codified at 17 CFR §248.14 or the miscellaneous exceptions codified at 17 CFR §248.15, but only in the ordinary course of business to carry out the activity covered by the exception under which the Nonaffiliated Third Party received the information in the first instance. In addition, each contract between Bridges and a Nonaffiliated Third Party shall contain language substantially in the form attached hereto as Exhibit
  1. Delivery of Privacy Notices. Bridges will (i) hand deliver or mail a printed copy of a summary of this Policy, substantially in the form attached hereto as Exhibit C, (the “Notice”) to a consumer at the time he or she executes an account agreement with Bridges and (ii) mail a printed copy of the Notice to each Customer at his or her last known address on or before July 1st of each year.
  1. Retention of Privacy Notices. Bridges will retain a form of the Notice and a list of who received the Notice in an easily accessible place so that each Customer can obtain another copy.
  1. Annual Review. The Board of Directors of Bridges will annually review this Policy to ensure it is adequate to protect Nonpublic Personal Information. If the Board of Directors determines that its Policy is not being adhered to, it will take whatever corrective measures are necessary, including revising its compliance procedures. If Bridges desires to disclose Nonpublic Personal Information in a way that is not accurately described in the Notice, Bridges will provide each Customer and consumer a revised Notice before disclosing that information. This Policy may be amended from time to time by the Board of Directors of Bridges in order to comply with applicable laws, regulations, and SEC no-action letter interpretations, and to better effectuate the intents and purposes of the
  1. Security Procedures. Bridges shall restrict access to Nonpublic Personal Information to those who need to know that information to provide products and services to Customers. Employees who violate these standards will be subject to disciplinary measures. Bridges shall maintain physical, electronic, and procedural safeguards that comply with federal standards to guard Nonpublic Personal Information, including the following:
  • use of Enterprise Content Management (ECM) architecture and features to organize and retain Nonpublic Personal Information;
  • requiring employee use of user ID numbers and passwords to access Nonpublic Personal Information stored electronically;
  • use of backup and off-site storage of Nonpublic Personal Information to ensure proper recovery;
  • use of intruder detection devices and fire and burglar resistant storage devises at physical locations containing Nonpublic Personal Information, including off-site premises; and
  • employee background checks, training and segregation of duties for employees with responsibilities for or access to Nonpublic Personal
  1. Disposal of Consumer Report Information.
    1. Reasonable disposal measures. It is Bridges policy to take reasonable measures to protect against unauthorized access to or use of consumer report information (as defined below) in connection with the disposal of such information in accordance with amendments to Regulation S-P. Reasonable disposal measures include any of the following:
      • Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer report information so that the information cannot practicably be read or reconstructed;
      • Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer report information so that the information cannot practicably be read or reconstructed; and
  • After due diligence, contracting with another party engaged in the business of record destruction to dispose of materials, specifically identified as consumer report information, in a manner consistent with the disposal
  1. Implementation of Compliance Procedures. Bridges management is directed to implement reasonable disposal measures of consumer reports and consumer report Information in accordance with Bridges policy and amendments to Regulation S-P. The Bridges Compliance Officer shall monitor periodically (but not less than annually) compliance by Bridges with this
    • Subject to any exclusions set forth in the Fair Credit Reporting Act, as amended (“FCRA”), the term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for
      • credit or insurance to be used primarily for personal, family, or household purposes;
      • employment purposes; or
      • any other purpose authorized under section 604 of
    • “Consumer report information” means any record about an individual, whether in paper, electronic or other form that is a consumer report or is derived from a consumer report. Consumer report information also means a compilation of such records. Consumer report information does not include information that does not identify individuals, such as aggregate or blind
    • “Disposal” means
      • The discarding or abandonment of consumer report information; or
      • The sale, donation, or transfer of any medium, including computer equipment, on which consume report information is

Exhibit A

PRIVACY PLEDGE

Whereas Bridges Trust Company recognizes its customers’ expectation of financial privacy; and whereas preserving our customers’ trust is one of the core values of our institution and the broader investment community; we therefore resolve to abide by the following guidelines for the responsible use and protection of our customers’ information:

  • We will always value the trust of our customers and the importance of keeping their personal financial information confidential.
  • We will provide our customers with our policy on using their personal financial information responsibility and protecting it.
  • We will hold our employees to the highest standard of conduct in ensuring the confidentiality of customer information.
  • We will use information responsibly in order to provide our customers with significant benefits, including fraud prevention, improved products and services and to comply with the law.
  • We will establish procedures to maintain accurate information and respond in a timely manner to our customers’ request to change or correct information.
  • We will use a combination of safeguards to protect our customers against the criminal use of their information and to prevent unauthorized access to it.
  • We will require the companies we do business with to abide by our privacy policy to maintain the confidentiality of our customers’ information.

Exhibit B

SAMPLE THIRD PARTY CONTRACT LANGUAGE

[Bridges Trust Company] and [Third party] agree to take all steps necessary to comply with applicable regulations protecting the privacy of consumers’ nonpublic personal information. To the extent [Bridges Trust Company] provides [Third party] with any nonpublic personal information as necessary to effect, administer, or enforce a transaction that a customer of [Bridges Trust Company] requests or authorizes, or in connection with processing or servicing a financial product or service that a customer of [Bridges Trust Company] requests or authorizes, [Third party] agrees not to disclose or use any such information for any purpose other than to carry out the purposes for which [Bridges Trust Company] disclosed the information or as permitted by law in the ordinary course of business to carry out those purposes. [Bridges Trust Company] and [Third party] agree to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

Exhibit C PRIVACY POLICY NOTICE

Protecting your privacy is important to Bridges Trust Company and our employees. We want you to understand what information we collect and how we use it. In order to provide our customers with a broad range of financial products and services as effectively and conveniently as possible, we use technology to manage and maintain customer information. The following policy serves as a standard for all Bridges Trust Company employees for collection, use, retention, and security of nonpublic personal information.

What Information We Collect

In order to serve you better, we may collect nonpublic personal information about you from the following sources:

  • Information we receive from you in connection with opening an account or establishing and maintaining a customer relationship with us, whether in writing or oral;
  • Information about your transactions with us or our affiliates; and
  • Information we receive from third parties such as your accountants, attorneys, life insurance agents, family members, financial institutions, custodians, trustees and credit

“Nonpublic personal information” is nonpublic information about you that we obtain in connection with providing a financial product or service to you. For example, nonpublic personal information includes the contents of your application, account balance, transaction history and the existence of a relationship with us.

What Information We Disclose

We do not disclose any nonpublic personal information about you to anyone, except as permitted by law. We may share nonpublic personal information with Bridges Investment Management, Inc., which is affiliated with Bridges Trust Company through common ownership and control. We are permitted to disclose nonpublic personal information about you to other third parties in certain circumstances. For example, we may disclose nonpublic personal information about you to third parties to assist us in servicing your account with us.

We also may disclose any nonpublic personal information about you to third parties who perform services for, or functions on behalf of us; provided that such third parties agree to maintain the confidentiality of such information. For example, we have contracted, or may contract with, companies to perform class action claims management functions, administrative functions, and marketing functions on our behalf.

If you decide to close your account(s) or become an inactive customer, we will adhere to the privacy policies and practices as described in this notice.

Our Security Procedures

We also take steps to safeguard customer information. We restrict access to your personal and account information to those who need to know that information to provide products and services to you. Employees who violate these standards will be subject to disciplinary measures. We maintain physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic personal information.