CALIFORNIA PRIVACY NOTICE

For California residents, our information sharing practices are in accordance with federal law. California law places additional restrictions on sharing information about its residents, and our policies comply with such restrictions.

Direct Marketing Requests

California Civil Code Section 1798.83 permits you, if you are a California resident, to request certain information regarding disclosure of Personal Information (defined below) to third parties for their direct marketing purposes. To make such a request, please send an e-mail to Privacy@healthequity.com or write us at Privacy Officer, HealthEquity, Inc., 15 W Scenic Pointe Drive, Suite 100, Draper, UT 84020.

Do Not Track Settings

Cal. Bus. and Prof. Code Section 22575 also requires us to notify you how we deal with the “Do Not Track” settings in your browser. As of the effective date listed above, there is no commonly accepted response for Do Not Track signals initiated by browsers. Therefore, HealthEquity’s system does not respond to the Do Not Track settings. Do Not Track is a privacy preference you can set in your web browser to indicate that you do not want certain information about your web page visits tracked and collected across websites. For more details, including how to turn on Do Not Track, visit www.donottrack.us.

CALIFORNIA CONSUMER PRIVACY ACT/CALIFORNIA PRIVACY RIGHTS ACT SUPPLEMENTAL NOTICE

This California Privacy Notice is intended to supplement our other privacy notices available here.

To understand our privacy practices, you should refer to our other privacy notices and this supplemental California notice (“Notice”).

Applicability

The California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and this Notice apply to visitors, users, and others who are California residents (“consumers” or “you”).

This Notice applies to California residents’ Personal Information, as defined below, we collect to provide them with certain products and services (collectively, “Services”). The CCPA and CPRA do not apply to Personal Information for some of our Services that are excepted from the CCPA and CPRA, such as those subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Gramm-Leach-Bliley (GLBA). The requirements of CCPA and CPRA further do not apply to deidentified or aggregate consumer information.

In addition, some of the requirements of CCPA/CPRA do not go into effect until January 1, 2023, for applicable Services related to employee and business-to-business Personal Information. At that time, this Notice may also apply to employees, applicants for employment, and independent contractors, who are California residents.

Personal Information

The CCPA and CPRA define “Personal information” as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. Under the CPRA, “Personal Information” further includes “Sensitive Personal Information” such as social security number, driver license number, state identification card, passport number, financial data, genetic data, biometric data, precise geolocation, and racial and ethnic origin, content of consumer communications (email, mail, or text), unless the business is the intended recipient, genetic data, and information collected concerning a consumer’s health, sex life, or sexual orientation.

Below are the categories of Personal Information that we may have collected or shared for a business purpose in the last twelve (12) months, as permitted by law and depending on the product you receive:

Retention

We retain Personal Information about you necessary to fulfill the purpose for which that information was collected and in accordance with your employer’s contract with us, consistent with applicable laws. We generally retain information regarding [for example, an individual’s Commuter Account with us] for at least seven years from [the date of our last interaction/account closure/etc.], in compliance with our obligations under applicable laws, or for longer if required to do so according to our regulatory obligations or where we believe necessary to establish, defend, or protect our legal rights or those of others.

When we destroy your Personal Information, we do so in a way that prevents that information from being restored or reconstructed.

Categories of Sources of Personal Information

Below are the sources from which we may receive your Personal Information:

We may combine Personal Information that you provide us through our website with other information we have received from you or your employer plan or program sponsor, whether online or offline, or from other sources such as from our service providers. For more information, please see the “What Information We Collect” section of our General Privacy Notice. Our website uses cookies to improve functionality and performance. Please see the “Cookies” section of our General Privacy Notice for more information.

How We Use and Share Personal Information For Business or Commercial Purposes

We may use or share the Personal Information listed above for the following business or commercial purposes:

Within the last 12 months, we have disclosed Personal Information identified in the “Personal Information” section, categories (A)-(L) above only (i) at your express request or at the direction of your employer benefit program sponsor; (ii) as part of an exempt transaction; or (iii) to our service providers for the business purpose(s) described above. To learn more about the categories of third parties with whom we share such information, please see the “How We Use and Share Information” section of our General Privacy Notice.

No Sale of Personal Information

We do not sell Personal Information within the meaning of the CCPA or CPRA. If that changes, we will let you know in advance and provide you with information so that you may understand and exercise your right to opt-out of the future sale or disclosure of your Personal Information.

Consumer Rights

If you are a California resident, you may exercise certain privacy rights related to your Personal Information. You may exercise these rights free of charge except as otherwise permitted under applicable law. We may limit our response to your exercise of these privacy rights as permitted under applicable law.

You may submit your request in person, using our toll-free number, via email, by mail, or via online form. Please see Contact Information below.

1. The Right to Know, Access, Rectify, and/or Delete Personal Information

Where the CCPA/CPRA applies to the Services we provide, you may have the right to know, access, correct, and/or delete Personal Information about you which we have collected.

The Right to Know/Access: You have the right to know the information contained in this Notice and our General Privacy Notice, and to request access to a copy of the Personal Information that HealthEquity has collected about you directly or indirectly, including Personal Information collected by a service provider or contractor on our behalf. You may access your account through the websites and mobile app and view your Personal Information.

The Right to Correct: You may access your account through the websites and mobile app and update your Personal Information. Users may make changes to some Personal Information through their online accounts. For Personal Information that cannot be changed via your account, you may contact us at Privacy@healthequity.com to request the change or contact your employer if the change relates to covered Services. We will use commercially reasonable efforts to honor your requests within the limits defined by your employer program sponsor.

The Right to Delete: You have the right to request that HealthEquity delete your Personal Information, subject to certain limited exceptions. For example, we may retain an archived copy of your records consistent with applicable law, to continue to provide covered Services, or for other legitimate business purposes.

2. The Right to Opt-out of the Sale or Sharing of Personal Information or De-identified Personal Information

3. The Right to Limit the Use of Sensitive Personal Information

We limit our use of Sensitive Personal Information to only the purposes necessary to perform covered Services, and for certain business and commercial purposes described above.

4. The Right to Non-Discrimination

We will not discriminate or retaliate against you for exercising your consumer rights under the CCPA/CPRA, including by (a) denying you goods or services; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; or (c) providing you a different level or quality of goods or services (or suggesting that we will do so). We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your Personal Information. This section currently applies to consumers. In 2023, this section may also apply to employees, applicants for employment, and independent contractors.

Verification

As required or permitted under applicable law, we may take steps to verify your request before providing Personal Information to you, deleting Personal Information, or otherwise processing your request. To verify your request, you must provide your name, employer (if any), product or service, email address, phone number, and state of residence. You may also be asked to verify your ability to control the email address or phone number you have provided to us. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us. We will review each request carefully and respond accordingly within the timeframe established by the CCPA/CPRA.

Agent Authorization

You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent may contact us as set forth in this Notice. Even if you choose to use an agent, as permitted by law, we may require you to confirm you have authorized the agent to act on your behalf or require you to verify your own identity.

Notice of Financial Incentive

We do not offer financial incentives to consumers for providing Personal Information.

Changes to Our Privacy Notice

We reserve the right to amend this Notice at our discretion and at any time. We will do so by updating this Notice. Amended terms take effect upon being incorporated into this Notice, and your continued use of the website or participation in your employer’s covered benefit program following the posting of any changes constitutes acceptance of any new terms. If the changes will materially affect the way we use your Personal Information in connection with covered Services that we have already collected, we will notify you by sending you a message in your online account.

Requesting Notice in Alternative Format/Language

You may be able to request this Notice in another language where we provide such notices in the ordinary course of business or in an alternative format if you have a disability. Please contact the Privacy Office below to request an alternative format.

Contact Information

If you have questions or comments about this Notice, our privacy policies, the ways in which we collect and use your information, your choices and rights regarding such use, or wish to exercise your rights under California law, please contact us at:

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: Privacy@healthequity.com

Mail: HealthEquity, Inc.
Attn: Privacy Officer
15 West Scenic Pointe Drive
Draper, UT 84020

Effective Date

Last updated February 2022.