Team member privacy notice

HealthEquity, Inc. (together with its subsidiaries, including but not limited to WageWorks, Inc. and Fort Effect Corp., DBA Luum, the “Company”) takes your privacy very seriously. Please read this privacy notice (“Notice”) carefully, as it contains important information on who we are, and how and why we collect, store, use, and share your personal information as your employer. It also explains your rights in relation to your personal information and how to contact us in the event you have a complaint. This Notice applies to current and former employees (commonly referred to within the Company as “team members”).

The Company will only process your personal information according to this Notice unless otherwise required by applicable law. When we do so we are subject to various state privacy laws in the United States and are responsible for your personal information.

The Company ensures that the personal information collected related to your employment or potential employment is adequate, relevant, not excessive, and processed for limited purposes. The Company does not sell applicant, employee, or former employee personal information, nor do we share it with third parties for cross-context behavioral advertising.

This Notice does not cover aggregated data, data rendered anonymous, or data that has been de-identified. Aggregate data relates to a group or category of individuals from which individual identities have been removed. Data is rendered anonymous if individual persons are no longer identifiable. De-identified data is data that has had identifiable elements removed, and cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual.

If you fail to provide certain personal information when requested, we may not be able to fully perform services as your employer (such as paying you or providing a benefit), or we could be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

  1. Personal Information We Collect About You. We may collect and use the following personal information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an employee or former employee:

  2. How Your Personal Information is Collected. We collect most of this Personal Information directly from you, whether in person or by telephone, text, email, website, and apps. However, we may also collect information:

    • From publicly accessible sources (e.g., LinkedIn).

    • Directly from a third party (e.g., background screening providers).

    • From a third party with your consent (e.g., your bank).

    • From cookies on our website; and

    • Via our IT systems, including:

      • Door entry systems and reception logs.

      • Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems; and

  3. How and Why We Use Your Personal Information. We only use your Personal Information if we have a proper reason for doing so, including (and as set forth below):

    • To comply with our legal and regulatory obligations;

    • To protect our legal rights;

    • For our legitimate interests or those of a third party;

    • In an emergency where health or security is at stake; or

    • Where you have given consent.

    A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

    The table below explains what we use your personal information for and our reasons for doing so:

    The above table does not apply to special categories of personal information, which we will only process with your explicit consent.

    We will always protect your personal information and never sell or share it with other organizations for marketing or behavioral advertising purposes.

  4. Who We Share Your Personal Information With. We routinely share personal information with:

    • Our affiliates and subsidiaries;

    • Service providers we use to help deliver our products and services to you, such as benefit providers, information technology providers for shipping and receiving Company devices, cloud providers, data hosting and storage services, background check providers, warehouses and delivery companies;

    • Government authorities as required by law, such as tax and social security authorities;

    • Our clients, when necessary to inform them who their point of contact is, or who may otherwise be working on their accounts.

    We only allow our service providers to access or use your personal information if they meet our data privacy and protection requirements. We impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g., in relation to accreditation and audit activities.

    We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

  5. Where Your Personal Information is Held. Information may be held at our offices, in Company systems and databases, third party agencies, service providers, representatives and agents as described above (see above: “Who We Share Your Personal Information with”).

  6. How Long Your Personal Information Will Be Kept. We will keep your personal information while you are employed with us. Thereafter, we will keep your personal information for as long as is necessary:

    • To respond to any questions, complaints or claims made by you or on your behalf; or,

    • To comply with record retention laws and requirements, and our policies.

    We will not retain your personal information for longer than necessary for the purposes set out in this notice. Different retention periods apply for different types of personal information. Further details on this are available in our Records Retention Policy.

    When it is no longer necessary to retain your personal information, we will delete or anonymize it.

  7. Your Rights Under State Privacy Laws. If you are a resident of an applicable state, you have the following rights under State Privacy Laws (such as the California Privacy Rights Act (CPRA)):

  8. Keeping Your Personal Information Secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

  9. Changes to This Privacy Notice. This privacy notice was published on [date] and last updated on [date].

    We may change this privacy notice from time to time. When we do, we will inform you via posting to the Company’s intranet and systems of record.

  10. How to Contact the Privacy Office. Please contact the Privacy Office by email at privacy@healthequity.com if you have any questions about this privacy notice or the information the Company holds about you.

  11. Do You Need Extra Help? If you would like this notice in another format (for example: audio, large print, braille) please contact us (see “How to contact us” above).