Last Updated: October 2025
This online Privacy Policy (the “Policy”) describes how Two Harbors Investment Corp. d/b/a TWO and its affiliates and subsidiaries (collectively “TWO,” “we,” “us,” or “our”) collect, use, disclose, and secure the personal information we gather about you through our website, https://www.twoinv.com/ (the “Site”), when you sign up for our Investor Alerts, when you submit a job application on our Careers page, and when you otherwise interact with us (collectively, the “Services”).
For purposes of this Policy, personal information means data that classifies as personal information, personal data, personally identifiable information, or similar terms under applicable data privacy and security laws and regulations. It does not include data excluded or exempted from those laws and regulations, such as aggregated, anonymized, or deidentified data. Nothing in this Policy will constitute an admission or evidence that any particular data privacy or information security law or regulation applies to TWO generally or in any specific context.
In providing our Services, TWO may collect personal information on behalf of and as a service provider for third parties. This Policy does not govern any information we collect on behalf of third parties, and you should consult their privacy policies to become familiar with their data collection and usage practices.
Notice at Collection: At or before the time of collection, California residents have a right to receive notice of our practices, including the categories of personal information to be collected, the purposes for which such information is collected or used, whether such information is sold or shared and how to opt-out of such uses, and how long such information is retained. You can find those details in this statement by clicking on the foregoing links.
1. YOU CONSENT TO THIS POLICY
By accessing, browsing, downloading, or otherwise using the Services, you confirm that you have read, understood, and agreed with this Policy. Beyond this Policy, your use of the Services is subject to our Disclaimer. If you do not agree to this Policy or our Disclaimer, you may not use the Services.
This Policy and the Disclaimer apply regardless of how the Services are accessed and will cover any technologies or devices by which we make the Services available to you.
If you have any questions or concerns about our personal information policies or practices, you can contact us in the methods described in the “Contact Us” section below.
2. TYPES OF PERSONAL INFORMATION WE COLLECT
We collect information you voluntarily provide directly to us, information that we collect automatically when you interact with the Services, and information collected from third parties. The categories of personal information that we collect and the purposes for which we collect that information are described below.
A. Personal Information You Provide to Us
The following list describes the categories of personal information we may collect directly from you:
- Investor Information includes first name, last name, email address, and other information that we may collect from investors. We collect this information when you provide it directly to us such as when you sign up for the Services, or fill out a form. We collect this information for providing the Services and administrative purposes.
- Contact Information includes first name, last name, contact type, and email address. We collect this information when you provide it directly to us, such as when you sign up for our Investor Alerts, request information about our Services, or fill out a form. We collect this information for providing the Services and administrative purposes.
The purposes for which we use your personal information are described in further detail in the “How We Use Personal Information We Collect” section below.
B. Personal Information Collected Automatically Through “Cookies” or Other Tracking Technologies
Cookies are small files created by websites, including our Services, that reside on your computer’s hard drive and that store information about your use of particular websites. When you access our Services, we use cookies and other tracking technologies to:
- Estimate our audience size and usage patterns;
- Contact you to provide you with information that you request from us through our Investor Alerts; and
- Recognize when you return to our Services.
We may send one or more cookies to your computer or other device. We set some cookies ourselves, and others are set by third parties. We may also use other similar technologies such as tracking pixels, tags, or similar tools when you visit our Services. These technologies can collect data regarding your operating system, browser type, device type, screen resolution, IP address, and other technical information, as well as navigation events and session information as you interact with our Services. This information allows us to understand how you use the Services.
Some cookies operate from the time you visit the Services until the end of that particular browsing session. These cookies, which are called “session cookies,” expire and are automatically deleted when you close your Internet browser.
Some cookies will stay on your device between browsing sessions and will not expire or automatically delete when you close your Internet browser. These cookies are called “persistent cookies” and the length of time they will remain on your device will vary from cookie to cookie. Persistent cookies are used for a number of purposes, such as storing your preferences so that they are available for your next visit and to keep a more accurate account of how often you visit the Services, and how your use of the Services may change over time.
You can manage your cookies preference as described in the “Your Privacy Options and Configurations” section below. However, disabling these cookies can negatively impact the performance of Services.
C. Personal Information We Receive From Third Parties
We may receive additional information about you from third parties, such as parents, affiliates, subsidiaries, or third party service partners, and combine it with other information we have about you. We will always use that information only as described in this Policy.
3. HOW WE USE PERSONAL INFORMATION WE COLLECT
We use your personal information for a variety of business purposes, including to provide our Services and for administrative purposes, as described below.
A. Providing Our Services
We use your information to provide you with our Services, such as:
- Providing you with Investor Alerts;
- Providing access to certain areas, functionalities, and features of our Services;
- Answering requests for support;
- Communicating with you about your Investor Alert account, activities on our Services, and policy changes;
- Processing applications if you apply for a job we post on our Services; and
- Allowing you to register for events.
B. Administrative Purposes
We use your information for various administrative purposes, such as:
- Pursuing our legitimate interests such as research and development (including marketing research), network and information security, and fraud prevention;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
- Measuring interest and engagement in our Services;
- Improving, upgrading, or enhancing our Services;
- Developing new services;
- Ensuring internal quality control and safety;
- Authenticating and verifying individual identities, including requests to exercise your rights under this Policy;
- Debugging to identify and repair errors with our Services;
- Auditing relating to interactions, transactions, and other compliance activities;
- Sharing personal information with third parties as needed to provide the Services;
- Enforcing our agreements and policies; and
- Carrying out activities that are required to comply with our legal obligations.
C. With Your Consent
We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.
4. HOW WE DISCLOSE PERSONAL INFORMATION WE COLLECT
We may collect, use, or disclose personal information for a variety of business purposes, including the following:
- To Business Partners and Affiliates. We may disclose personal information to our business partners and affiliates; advisors such as legal advisors and financial advisors; related entities, parent companies, investors, subsidiaries, joint ventures, or other companies under common control; and other third parties.
- As Part of Business Transactions or Mergers. We reserve the right to disclose your personal information to third parties as part of any potential business or asset sale, merger, acquisition, investment, round of funding, or similar type of transaction. Additionally, if we are entering into a corporate transaction with a third party, we may receive personal information in connection with the diligence. If we close a transaction, the third party may transfer personal information, which we would use as described in this Policy.
- As Part of Bankruptcy or Insolvency. In the event of bankruptcy, insolvency, or dissolution proceedings, we may disclose your personal information with third parties as part of the sale or reorganization process.
- To Service Providers. We use service providers to perform various functions on our behalf. We may also receive personal information from service providers.
- As Required by Law, for Legal Purposes, and Similar Disclosures. We may access, preserve, and disclose your information if we believe doing so is required or appropriate to: (a) comply with regulatory, administrative, or law enforcement requests and legal process, such as a court order or subpoena, or the requests of governmental or regulatory agencies (whether domestic or foreign); (b) respond to your requests, the requests of others, or to lessen the burden of anticipated or formal legal requests; or (c) protect your, our, or others’ rights, property or safety. For the avoidance of doubt, the disclosure of your information may occur if you post any objectionable content on or through the Services.
5. YOUR PRIVACY OPTIONS AND CONFIGURATIONS
Depending on the device(s) you use to access the Services, you may be able to select certain privacy choices or configuration, which are further described below:
- Email Communications. If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding Services you have requested while your opt-out request is being processed. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (g., communications regarding our Services or updates to our Disclaimer or this Policy).
- Do Not Track (“DNT”). DNT is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals.
- Cookies and Personalized Advertising. You may stop or restrict the placement of cookies and tracking technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, our Services may not work properly.
6. SUPPLEMENTAL PROVISIONS FOR CALIFORNIA RESIDENTS
This section supplements our Policy and only applies to our processing of personal information that is subject to California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. as amended by the California Privacy Rights Act and implementing regulations (collectively “CCPA”).
A. Collection of Personal Information
In the preceding 12 months, we have collected personal information from the following categories, which are described using the terms identified under the CCPA: identifiers, personal information, characteristics of protected classifications, internet or other similar network activity, geolocation data, education information, professional or employment related information, and inferences.
B. Disclosure of Personal Information
In the preceding 12 months, we have disclosed personal information in the following categories: identifiers, personal information, internet or other similar network activity, and inferences with service providers.
C. Sharing of Personal Information
In the preceding 12 months, we have not shared your personal information for cross-contextual behavioral advertising.
D. Sales of Personal Information
In the preceding 12 months, we have not sold personal information of any consumer.
E. Collection of Personal Information from Children under 16
In the preceding 12 months, we have not knowingly collected or processed personal information pertaining to children under the age of 16.
F. Sensitive Data
If we process sensitive data as defined by California law, we will only do so for the purposes specifically authorized by California law and in a manner that is necessary and proportionate for those purposes.
G. Your Privacy Rights
| Consumer Right | Explanation |
|---|---|
| Right to Know/Access | You have the right to know specific pieces of personal information we have collected about you, the categories of personal information we have collected about you, the categories of sources from which the personal information was collected, the business or commercial purpose for collecting, selling, or sharing personal information, and the categories of third parties to whom we disclose personal information. |
| Right of Correction | You have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information. |
| Right of Deletion | You have the right to delete your personal information provided by you or obtained about you. |
| Right of Portability | You have the right to obtain your personal information in a portable and—to the extent technically feasible—readily usable format that allows you to transmit the data to another entity without hindrance. |
| Right to Opt-Out | You have the right to opt-out of the sale or sharing of your personal information. |
| Right to Non-Discrimination | You have the right not to receive discriminatory treatment for exercising the privacy rights conferred by law. We will not discriminate against you because you exercised any of your privacy rights. |
Exercising Your Rights. To exercise your rights described above, please email us at privacyrequests@twoharborsinvestment.com or call us at 1-800-680-2109.
Verification. To ensure the protection of your personal information, we may need to verify that the individual submitting a request is the consumer to whom the request relates prior to processing the request, or an authorized agent. To verify a consumer’s identity, we may request up to three pieces of personal information about you to compare against our records when you make a request.
Making a verifiable consumer request does not require you to create an Investor Alert account with us. However, we may require that you access a previously existing account where necessary to submit the request.
We will only use personal information provided in your request to verify your identity and will delete any information you provide after processing the request. We reserve the right to take additional steps as necessary to verify the identity of consumers where we have reason to believe a request is fraudulent.
You may choose a person or business that you authorize to act on your behalf to submit your requests (“Authorized Agent”). If you choose to use an Authorized Agent, we require that you provide the Authorized Agent with written permission to allow them to submit your request and that you verify your identity directly with us. Failure to do so may result in us denying your request.
7. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION
We process personal information on our servers in the United States, which does not have an adequacy decision, and may do so in other countries. If you use our Services or otherwise provide us with information from outside of the United States, you expressly consent to the transfer of your data to the United States, the processing of your data in the United States, and the storage of your data in the United States.
Personal information about you provided while in another country, including an EEA member state, the UK, or Switzerland may be transferred to the United States. Applicable data protection laws may permit such transfers when necessary for the performance of a contract between you and us, if we obtain your explicit consent to such transfer, or if it is in our legitimate interest to transfer the personal information. The laws in the United States may not be as protective as the applicable data protection laws in the EEA, UK, and Switzerland or the laws of other jurisdictions where you may be located. If we transfer personal information from the EEA, UK, or Switzerland, or another country with cross-border transfer obligations, we will provide an appropriate safeguard, such as using standard contractual clauses.
For more information, please contact us using the information provided in the “Contact Us” section below.
8. HOW LONG YOUR PERSONAL INFORMATION IS KEPT
We determine how long to retain your personal information by taking into account various criteria, such as the type of Services provided to you, the nature and length of our relationship with you, possible re-enrollment with our Services, the impact on our Services we provide to you if we delete some information from or about you, and our obligations under applicable law.
We will retain your personal information until the personal information is no longer necessary to accomplish the purpose for which it was provided. We may retain your personal information for longer periods for specific purposes to the extent that we are obliged to do so in accordance with applicable laws and regulations, to protect you, other people, and us from fraud, abuse, an unauthorized access, as necessary to protect our legal rights, or for certain business requirements.
We will delete your personal information when it is no longer necessary for the purpose for which it was collected, or upon your request, subject to exceptions as discussed in this Policy or under applicable law, contract, or regulation.
9. OUR COMMITMENT TO DATA SECURITY
The security of your personal information is important to us. We take various reasonable organizational, administrative, and technical measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. If required by law to do so, we will notify you and/or the relevant supervisory authority in the event of a data breach.
However, we cannot and do not guarantee complete security, as it does not exist on the internet.
10. THIRD PARTY LINKS
10. THIRD PARTY LINKS Our Services may contain links to third-party websites. When we provide links, we do so only as a convenience and we are not responsible for any content of any third-party website or any links contained within. It is important to note that this Policy only applies to our Services. We are not responsible and assume no responsibility for any personal information collected, stored, or used by any third party as a result of you visiting third-party websites. We also advise that you carefully read the privacy notice of any third-party websites you choose to visit.
11. CHILDREN’S PRIVACY
Our Services are not directed at children (as defined under applicable law). We do not knowingly collect or otherwise process personal information from children. If you believe a child has provided us with information, you can alert us by contacting us as set forth in the “Contact Us” section below.
12. POLICY CHANGES
This Policy may change from time to time. If we need to change this Policy at some point in the future, we will post any changes on this page. If we make a significant or material change to this Policy we will notify you as required by applicable law. You should check these terms when you use the Services. Your continued use of the Services constitutes acceptance of the most current version of this Policy.
13. CONTACT US
If you have any questions about this Policy, please contact us by email at privacyrequests@twoharborsinvestment.com.