California Privacy Notice
For California residents, our information sharing practices are in accordance with federal law. California law places additional restrictions on sharing information about its residents, and our policies comply with such restrictions.
Direct Marketing Requests
California Civil Code Section 1798.83 permits you, if you are a California resident, to request certain information regarding disclosure of Personal Information (defined below) to third parties for their direct marketing purposes. To make such a request, please send an e-mail to [email protected] or write us at Privacy Officer, HealthEquity, Inc., PO Box 14374 Lexington, KY 40512.
Do Not Track Settings
Cal. Bus. and Prof. Code Section 22575 also requires us to notify you how we deal with the “Do Not Track” settings in your browser. As of the effective date listed above, there is no commonly accepted response for Do Not Track signals initiated by browsers. Therefore, HealthEquity’s system does not respond to the Do Not Track settings. Do Not Track is a privacy preference you can set in your web browser to indicate that you do not want certain information about your web page visits tracked and collected across websites. For more details, including how to turn on Do Not Track, visit www.donottrack.us.
California Consumer Privacy Act/California Privacy Rights Act Supplemental Notice
This California Privacy Notice is intended to supplement our other privacy notices available here.
To understand our privacy practices, you should refer to our other privacy notices and this supplemental California notice (“Notice”).
The California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and this Notice apply to visitors, users, and others who are California residents (“consumers” or “you”).
This Notice applies to California residents’ Personal Information, as defined below, we collect to provide them with certain products and services (collectively, “Services”). The CCPA and CPRA do not apply to Personal Information for some of our Services that are excepted from the CCPA and CPRA, such as those subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Gramm-Leach-Bliley (GLBA). The requirements of CCPA and CPRA further do not apply to deidentified or aggregate consumer information.
In addition, updated CCPA/CPRA requirements went into effect on January 1, 2023, for applicable Services related to employee and business-to-business Personal Information. As a result, this Notice also applies to employees, applicants for employment, and independent contractors, who are California residents.
The CCPA and CPRA define “Personal information” as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. Under the CPRA, “Personal Information” further includes “Sensitive Personal Information” such as social security number, driver license number, state identification card, passport number, financial data, genetic data, biometric data, precise geolocation, and racial and ethnic origin, content of consumer communications (email, mail, or text), unless the business is the intended recipient, genetic data, and information collected concerning a consumer’s health, sex life, or sexual orientation.
Below are the categories of Personal Information that we may have collected or shared for a business purpose in the last twelve (12) months, as permitted by law and depending on the product you receive:
Possibly collected or shared for a business purpose in the last 12 months
Real name, alias, postal address, email address.
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
Identifiers listed in the preceding category A and subsequent category I, and signature, social security number, telephone number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, or any other financial information, medical information, health insurance information.
C. Protected classification characteristics under California or federal law.
Age, marital status, medical condition, gender, veteran or military status.
D. Commercial Information
Products or services purchased, consumer history
E. Biometric information
F. Internet or other similar network activity.
Browsing and search history, usage of, and information regarding your use of our applications or website. This information may be used to create anonymous data to help us better understand customer preferences and needs.
G. Geolocation data.
City and state location of your device, which may include GPS-based, WiFi based, or cell-based location information. You can disable collection of location information by our app at any time in your mobile device settings.
H. Sensory data.
Audio recordings of calls when you call our customer service, and Internet and electronic network activity, as described above. You are notified at the beginning of a call whether the call is being recorded.
I. Professional or employment-related information.
Resume and employment application information.
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99)).
Where applicable, student information related to eligibility for benefits.
K. Inferences drawn from other personal information.
Inferences drawn from (1) the information we collect when you visit our website, use our app, or interact with our tools, widgets or plug-ins, (2) information we collect from reimbursement claims, and (3) information about user preferences and behavior that we collect on our website and mobile app to create a profile about a user reflecting the user’s preferences, characteristics, predispositions, behavior, and abilities.
L. Sensitive personal information.
Identifiers listed in the preceding category B and precise geolocation, racial and ethnic origin (when hired for a position), the contents of communications where HealthEquity is not an intended recipient.
We retain Personal Information about you necessary to fulfill the purpose for which that information was collected and in accordance with your employer’s contract with us, consistent with applicable laws. We generally retain information regarding [for example, an individual’s Commuter Account with us] for at least seven years from [the date of our last interaction/account closure/etc.], in compliance with our obligations under applicable laws, or for longer if required to do so according to our regulatory obligations or where we believe necessary to establish, defend, or protect our legal rights or those of others.
When we destroy your Personal Information, we do so in a way that prevents that information from being restored or reconstructed.
Categories of Sources of Personal Information
Below are the sources from which we may receive your Personal Information:
- directly from you when you inquire about our Services via our website or by telephone
- from you when you or a benefit program sponsor creates an account with us
- from you when you submit a claim for reimbursement
- from your device when you access our website, mobile app and other online services
- from your employer (where applicable) when related to Services that are covered by CPRA and CCPA
- from third parties that assist us in providing relevant Services
How We Use and Share Personal Information For Business or Commercial Purposes
We may use or share the Personal Information listed above for the following business or commercial purposes:
- Delivering relevant Services to you, or on behalf of another, including:
  - Verifying your identity in connection with the Services.
  - Administering the Services subject to CCPA and CPRA at the direction of your employer, including to determine eligibility for reimbursement under your employer’s benefits program;
  - Communicating with you or others designated by you about your participation in an employer sponsored benefit program, in connection to which we provide Services;
  - Responding to covered inquiries;
  - Helping to protect you and us from fraud or financial loss;
  - Linking accounts you provide us to facilitate the movement of funds;
  - Preparing account statements;
  - Preparing annual tax reporting information, if applicable;
  - Protecting your health, safety, or welfare;
  - Delivering user surveys; and
  - Delivering customized content and analytics on our websites or app.
- Operating our websites in connection to covered Services;
- Engaging third party service providers to assist us in administering and providing covered Services pursuant to a written agreement;
- Performing analytics and improving our Services and websites;
- Conducting internal research to develop and demonstrate technology;
- Marketing our Services, only as permitted by law;
- Keeping a record of our transactions and communications;
- Conducting audits and reporting related to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;
- Detecting, analyzing, and preventing security incidents, and other fraudulent or illegal activity;
- Identifying, debugging and repairing errors in our systems, websites, or app that impair existing functionality;
- Complying with applicable laws, regulations, administrative or legal requests, subpoenas, or otherwise as required by law;
- In connection with a merger, acquisition, or other sale or transfer of all or part of our assets or business;
- In accordance with your consent or the direction of your employer;
- Short-term, transient use of Personal Information that is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction; and
- As otherwise necessary or useful for us to lawfully conduct our business or provide covered Services.
Within the last 12 months, we have disclosed Personal Information identified in the “Personal Information” section, categories (A)-(L) above only (i) at your express request or at the direction of your employer benefit program sponsor; (ii) as part of an exempt transaction; or (iii) to our service providers for the business purpose(s) described above. To learn more about the categories of third parties with whom we share such information, please see the “How We Use and Share Information” section of our General Privacy Notice.
No Sale of Personal Information
We do not sell Personal Information within the meaning of the CCPA or CPRA. If that changes, we will let you know in advance and provide you with information so that you may understand and exercise your right to opt-out of the future sale or disclosure of your Personal Information.
If you are a California resident, you may exercise certain privacy rights related to your Personal Information. You may exercise these rights free of charge except as otherwise permitted under applicable law. Please note, there may be situations where we cannot grant your request, for example, if you ask us to delete your Personal Information that is governed by a Federal privacy regulation that is exempted from CCPA/CPRA, or where HealthEquity is legally obligated to keep a record of our interactions with you to comply with law. We may also decline your request in order to maintain our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied are if it jeopardizes the privacy of others, is frivolous, or would require disproportionate effort.
You may submit your request through our Privacy portal, which you can access by clicking here - Data Subject Access Requests. If you are a HealthEquity teammate, you can submit requests regarding your personal information through our Privacy portal, located here – Teammate Data Subject Access Requests. You may also send an email to [email protected].
- The Right to Know, Access, Rectify, and/or Delete Personal Information
- The Right to Opt-out of the Sale or Sharing of Personal Information or De-identified Personal Information
  - We do not sell your Personal Information for monetary or other valuable consideration.
  - We do not sell any de-identified Personal Information. We may de-identify your Personal Information for internal use only.
  - We do not share your Personal Information for the purposes of “cross-context behavioral advertising.” Cross-context behavioral advertising is “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
- The Right to Limit the Use of Sensitive Personal Information
- The Right to Non-Discrimination
Where the CCPA/CPRA applies to the Services we provide, you may have the right to know, access, correct, and/or delete Personal Information about you which we have collected.
The Right to Know/Access: You have the right to know the information contained in this Notice and our General Privacy Notice, and to request access to a copy of the Personal Information that HealthEquity has collected about you directly or indirectly, including Personal Information collected by a service provider or contractor on our behalf. You may access your account through the websites and mobile app and view your Personal Information.
The Right to Correct: You may access your account through the websites and mobile app and update your Personal Information. Users may make changes to some Personal Information through their online accounts. For Personal Information that cannot be changed via your account, you may contact us as set forth above to request the change or contact your employer if the change relates to covered Services. We will use commercially reasonable efforts to honor your requests within the limits defined by your employer program sponsor.
The Right to Delete: You have the right to request that HealthEquity delete your Personal Information, subject to certain limited exceptions. For example, we may retain an archived copy of your records consistent with applicable law, to continue to provide covered Services, or for other legitimate business purposes.
We limit our use of Sensitive Personal Information to only the purposes necessary to perform covered Services, and for certain business and commercial purposes described above.
We will not discriminate or retaliate against you for exercising your consumer rights under the CCPA/CPRA, including by (a) denying you goods or services; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; or (c) providing you a different level or quality of goods or services (or suggesting that we will do so). We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your Personal Information. This section currently applies to consumers. In 2023, this section may also apply to employees, applicants for employment, and independent contractors.
As required or permitted under applicable law, we may take steps to verify your request before providing Personal Information to you, deleting Personal Information, or otherwise processing your request. To verify your request, you must provide your name, employer (if any), product or service, email address, phone number, and state of residence. You may also be asked to verify your ability to control the email address or phone number you have provided to us. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us. We will review each request carefully and respond accordingly within the timeframe established by the CCPA/CPRA.
You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent may contact us as set forth in this Notice. Even if you choose to use an agent, as permitted by law, we may require you to confirm you have authorized the agent to act on your behalf or require you to verify your own identity.
Notice of Financial Incentive
We do not offer financial incentives to consumers for providing Personal Information.
Changes to Our Privacy Notice
We reserve the right to amend this Notice at our discretion and at any time. We will do so by updating this Notice. Amended terms take effect upon being incorporated into this Notice, and your continued use of the website or participation in your employer’s covered benefit program following the posting of any changes constitutes acceptance of any new terms. If the changes will materially affect the way we use your Personal Information in connection with covered Services that we have already collected, we will notify you by sending you a message in your online account.
Requesting Notice in Alternative Format/Language
You may be able to request this Notice in another language where we provide such notices in the ordinary course of business or in an alternative format if you have a disability. Please contact the Privacy Office below to request an alternative format.
If you have questions or comments about this Notice, our privacy policies, the ways in which we collect and use your information, your choices and rights regarding such use, please contact us at:
Email: [email protected]
Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512
Last updated January 2023