Privacy Policy

General Privacy Notice

Your privacy is important to us. This General Privacy Notice (“Notice”) describes the information HealthEquity, Inc. ("HealthEquity", "we", "our", “us”) collects when interacting with you in connection with our products and services (such as health savings accounts and various employer sponsored plans and programs, each an “Account” and collectively, “Services”), or employment opportunities. This Notice also describes how our website and mobile application may collect information from you.

We encourage you to review our other applicable product, state, and regulatory notices provided through the Quick Links to the left. Please read those notices to understand how they apply to you and the Services. You can view the privacy practices applicable to specific types of information and to our different Services, and how we use personal information to conduct our business.

When we are administering a health benefit plan provided by your employer, the information we collect about you is subject to the requirements of the Health Insurance Portability and Accountability Act ("HIPAA"). In circumstances where HIPAA applies, your plan’s HIPAA Notice of Privacy Practices and not this General Privacy Notice will apply. If you have questions about which policy applies in a certain situation, please contact us using the Contact Information provided in this General Privacy Notice.

This website is intended for individuals who reside in the United States. We honor all individual privacy rights defined by law, as set forth herein, and in governing regulations.

We reserve the right to make changes to this Notice and our other privacy notices, and recommend you read them regularly. Your submission of personal information for job opportunities, or use of the HealthEquity website and/or our Services constitutes your acceptance of and agreement to this Notice. If you do not agree to this Notice, do not use the website, Services, or otherwise provide your personal information. If we provide Services to you, to stay current on our practices, please update your email address with us if it changes.

 

What information we collect

When you sign up for Services we may collect and process, from you or from your employer, your personal information that includes, but is not limited to, the following:

  • Your name;
  • E-mail and physical address;
  • Social security number ("SSN");
  • Date of birth;
  • Phone number;
  • Names of the dependents (and other identification or "ID") that are connected to or covered by your Account;
  • Names and ID of people authorized by you to use your Account;
  • Names and ID of people authorized by you to access your Account information;
  • Technical information associated with the device you use, such as the type and model, system language, browser type, geographical location, operating system, Internet protocol (IP) address, IDFA (identifier for advertisers), and other unique identifiers collected automatically when you interact with our website (as further detailed below in the “Cookies and Website” section); and
  • Transactions with us such as your Account balance, fees, payments, reimbursements, distributions, contributions, and the identity of persons to whom you make payments, including health care providers.

If you are receiving services from us, we may combine personal information that you provide us with information from other sources such as from your employer or benefits plan/program sponsor and our business partners and service providers.

In addition to the personal information noted above, when you call our Company for customer service, we may collect your biometric information that includes your voice prints and speech patterns for identification, fraud prevention, quality assurance and training. We will not sell your biometric data and will protect it with necessary care.

If you apply for a job opportunity, we collect personal information from you in connection with your resume and the application you submit to us. We use your information to evaluate your skills and abilities for job opportunities, verify your information, carry out reference checks and/or background checks (where applicable), communicate with you about the recruitment process, recommend potential career opportunities, create and/or submit reports as required under applicable laws/regulations, and make improvements to our application or recruitment process.

The personal information we collect may include:

  • Identification Data – such as full name, preferred name, home address, email address, telephone number, and photo/image (if volunteered), citizenship status, or nationality.
  • Demographic Data – such as gender, ethnicity, disability status, gender identity, and sexual orientation. Our purposes for processing this data include the following:
    • To monitor and ensure diversity and equality of treatment and opportunity;
    • To provide work-related accommodations or adjustments; and
    • To comply with applicable legislation.

  • Employment and Professional Data – such as job title/position, hire/term/rehire dates, employer information, employment contacts, CV/resume, academic/professional qualifications, skills, work-related licenses, education, references, military status, work permits, salary, desired salary.
  • Other Data – we may also collect personal information about you from third parties or public sources as needed to support the employment relationship or to engage with you concerning job opportunities at our company. For example, before and during your employment or assignment we may collect information from public professional sources, such as your LinkedIn profile for recruitment purposes. We also may conduct lawful background screenings to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history.

If you are offered and accept employment with us, the personal information collected during the job application and recruitment process may become part of your employment record. If you are not offered or do not accept employment, we will keep your CV/resume on file for future job openings. You may request removal of your CV/resume by submitting a request pursuant to the Data Subject Access Request process set forth herein.

Note that where processing is not required or permitted by law, we will ask for your express consent.

How we collect your personal information

  • Direct Interactions: You provide your personal information when contacting us through applications, this website, mobile applications, signing up for or receiving Services, emailing us, or applying for job opportunities through candidate tracking systems.
  • Third Parties or Publicly Available Sources: We may obtain information about you from your employer, your health plan, benefit provider, publicly available online sources or government records, background check providers, criminal records check, or past or current professional references you supply to us. We will seek information from third parties only once a job offer or assignment has been made or through provisioning of Services, and will inform you that we are doing so.

It is your choice whether to provide us with personal information; however, our ability to provide or continue to provide Services or information to you may be impacted should you decline to provide us with requested information.

Use of AI Systems

We use AI systems to process personal information in accordance with relevant privacy laws and regulations. AI systems help us improve our services, provide personalized experiences, and make data-driven decisions. We prioritize responsible use of AI systems and use them with human oversight where feasible, especially when making significant decisions impacting individuals.

Cookies and Website Tracking

“Cookies” may be placed on your computer when you visit HealthEquity’s website. Cookies allow us to collect technical information associated with the device you are using and collect information, including clickstream information, browser type, time and date you visited the website, and other information about your interactions with the website (as detailed above in “What Information We Collect”). Cookies can be for a single session or interaction with our website or can be persistent and stored on your computer or device until they are deleted or expire. Most internet browsers allow you to disable and delete cookies or can be set to notify you when you receive a cookie, allowing you to decide whether to accept it. If you choose to disable cookies, some functionality on the website may be impacted or not work at all.

Additionally, like many websites, we use standard internet technology (such as web beacons, tracking pixels, and embedded scripts) to track your web-surfing activity when you are visiting our website. We also include standard internet technology in advertisements and promotional e-mail messages to determine whether advertising or messages have been acted upon. This information enables us to customize the services we offer our website visitors, to deliver targeted advertisements, and to measure the overall effectiveness of our online advertising, content, programming, or other activities. Some other examples of ways we use your activity information include developing anonymized reports regarding website usage, activity, and statistics for our internal use and assisting users experiencing website problems.

We use this information only as dictated by applicable law.

We may also allow third party service providers to use cookies and other web technologies to collect information and to track browsing activity over time and across third party websites such as web browsers used to read our websites, which websites are referring traffic or linking to our websites, which may deliver advertisements to you. We do not control these third-party technologies and their use is governed by the privacy policies of the third parties using such technologies. For more information about entities that use these technologies, see http://www.aboutads.info/consumers, and to opt-out of such ad networks’ and services’ advertising practices, go to www.aboutads.info/choices.

We use Google and Facebook technologies to advertise online. These technologies help us tailor ads that we think may be of interest to visitors to our website. As always, we respect your privacy and do not collect any personal information using these technologies. For example, we may tailor advertising based on the specific product pages you viewed on the website. These ads may appear across the internet, including websites on Google and Facebook. You may opt out of these cookies by visiting the ad settings on these entities’ webpages or through our cookie management console. Any data we collect through these technologies is used for internal purposes only, in accordance with applicable law and our privacy policies and notices.

We use Google Analytics as described at https://policies.google.com/technologies/partner-sites. You can prevent your data from being used by Google Analytics on our websites by installing the Google Analytics opt-out browser add-on or through our cookie management console. If you have accounts with third-party providers, you may be able to control your ad preferences through your account settings.

You can opt out of these cookies and web technologies at any time by using our cookie management console. You are prompted to make cookie management choices upon your first visit to our website. To update your choices, visit our cookie management console.

How we use and share information

We may use or share the personal information listed above for the following business or commercial purposes:

  • Delivering our Services to you, or on behalf of another, including:
    • Verifying your identity, opening and administering your Accounts and benefits, and providing other financial services under the USA PATRIOT Act;
    • Administering the Services that we offer you or your employer, including to determine eligibility or to review and pay claims;
    • Displaying claims information in your health savings account portal with your authorization;
    • Communicating with you or others designated by you about your Account, benefits, and/or our Services;
    • Responding to inquiries;
    • Making payments to medical service providers;
    • Providing you with any health insurance information related to our Services, if applicable;
    • Helping to protect you and us from fraud and financial loss;
    • Linking accounts you provide us to facilitate the movement of funds as directed by you;
    • Preparing Account statements;
    • Preparing annual tax reporting information, if applicable;
    • Protecting your health, safety, or welfare;
    • Delivering user surveys; and
    • Delivering customized content and analytics on our websites or app.
  • Operating our websites and maintaining or servicing your Account;
  • Engaging third party service providers to assist us in administering and providing our products and services pursuant to a written agreement;
  • To enhance our Services through AI and data analytics, ensuring a better user experience;
  • Conducting internal research to develop and demonstrate technology;
  • Marketing our Services, only as permitted by law;
  • Keeping a record of our transactions and communications;
  • Conducting audits and reporting related to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;
  • Detecting, analyzing, and preventing security incidents, and other fraudulent or illegal activity;
  • Identifying, debugging and repairing errors in our systems, websites, or app that impair existing functionality;
  • Protecting our rights, the rights of affiliates and related third parties, or taking appropriate legal action, such as to enforce our Terms of Use;
  • Complying with applicable laws, regulations, administrative or legal requests, subpoenas, or otherwise as required by law;
  • In connection with a merger, acquisition, or other sale or transfer of all or part of our assets or business;
  • In accordance with your consent, authorization, or instructions;
  • Short-term, transient use of personal information that is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction; and

We do not sell our customer lists or individual customer information. We will only share your personal information with third parties as outlined in our privacy notices. From time-to-time, we provide your information to nonaffiliated third-party service providers (i.e., subcontractors) to perform services for or functions on our behalf, to effect, administer, or enforce transactions necessary for the proper administration of an Account or as otherwise authorized by you.

We may also exchange information with reference sources or reporting agencies for risk management and verification, to maximize the accuracy and security of your personal information. We only use and share information needed to service your account or protect against fraud, unless we are required to do so by law.

If you have an Account and are receiving Services from us, you may authorize other individuals to access your information or make changes to your Account (such as a spouse, dependent, or legal representative). You are responsible for your authorized user’s transactions. Your authorized users will have access to the Account balance if they are authenticated by our system. It is your responsibility to keep your authorizations up to date and accurate. You will be able to see all activities conducted by an authorized user.

 

Consumer Rights and Choices

You may have rights such as the right to know, access, and/or delete your information. These rights may differ depending on your State of residency or the source of the information, or the type of Services or Account you have. You can submit a request regarding your personal information through our Privacy portal, located here - Data Subject Access Requests. If you are a HealthEquity teammate, you can submit requests regarding your personal information through our Privacy portal, located here – Teammate Data Subject Access Requests.

You may also submit your requests to [email protected]. Please note, there may be situations where we cannot grant your request, for example, if you ask us to delete your data that is governed by a Federal privacy regulation that is exempted from your state privacy law, or where HealthEquity is legally obligated to keep a record of our interactions with you to comply with law. We may also decline your request in order to maintain our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied are if it jeopardizes the privacy of others, is frivolous or vexatious, or would require disproportionate effort.

Authentication of Consumer Requests

To ensure the security and accuracy of your privacy rights requests, we may take the following steps to verify your identity:

  1. Existing Authentication Data: We may use information we already have on file, such as account numbers, addresses, or dates of birth.
  2. Security Questions: For more sensitive requests, we may ask you to answer security questions that only you would know.
  3. Document Uploads: In certain cases, we may request you to upload identification documents to verify your identity.

Authorized Agents: If your request is made through an authorized agent, we will verify the agent's authority by requiring signed permission from you and may also contact you directly for further verification.

 

Electronic and Online Communications

We use e-mail to send newsletters, account notifications, marketing materials, and other communications, on a periodic basis to various individuals and organizations. You can opt-out of these communications at any time. For example, you can opt-out using links in a specific email communication or contact us (see Contact Information below). Opt-outs may not apply to communications related to your Account status, administrative messages, website updates, or other communications that are necessary to provide our Services.

If you opt in to such communications, we may also use SMS text to communicate with you. We do not share your subscriber data with any other parties.

Information Security

HealthEquity places a high priority on protecting your personal information. We maintain administrative, technical, and physical safeguards designed to protect the information that you provide on this website and in connection with the Services from unauthorized access to or acquisition of such information. Please be advised, however, that regardless of our best efforts to protect information, the confidentiality and security of any communication or material transmitted to or from the website or via email cannot be guaranteed to be 100% secure at any time. We also cannot guarantee that the information you transmit over the Internet will not be unlawfully intercepted or accessed by third parties. Any transmission of your information is at your own risk. Therefore, we strongly encourage all users to be careful and responsible about what you choose to provide online. Further, when you create an Account with HealthEquity, you will create a unique password. It is your responsibility to personalize your password and protect and secure such password. HealthEquity is not responsible for any information compromised due to your failure to secure your Account or login credentials.

If you have any reason to believe that your interaction with us through this website or other means is no longer secure, please immediately notify us (see Contact Information below).

For more details regarding our information security practices, please see our Information Security information available in the Quick Links on the left.

 

HealthEquity will, for example:

  • Never ask for your login or password through email or phone call;
  • Use your secret question and answer to authenticate you on a phone call;
  • Never utilize an automated voice response system when contacting you.
  • Information provided via our web portal is submitted within a secure session. These sessions utilize Transport Layer Security (TLS, formerly known as SSL) technology to ensure that the information is encrypted while in transit. Your browser must be able to support this technology to use our web services.
  • Require a User ID and password in order to access an Account or receive Services. This may either be provided to you or you will be allowed to choose your own. The User ID and password are designed to protect you by confirming your identity to our computer network systems. Our employees do not have access to your password.
  • Automatically log you out of your Account if you are inactive after logging in for a certain amount of time.
  • Require you to regularly change your password from time to time.
  • Monitor your Account for any signs of suspicious or potentially fraudulent activity.
  • Maintain up to date policies, standards, and processes designed to protect your personal information and comply with applicable state and federal data security laws, regulations, and guidance.
  • Train our workforce on our policies, standards, and processes.
  • Limit access to your personal information to only those who need it to perform their duties.
  • Require our subcontractors to maintain the same privacy and security standards for protecting your information as we do.

California Privacy Practices

If you are a California resident, please see more information about our privacy practices and your rights in our California Privacy Notice.

Children's Privacy

HealthEquity’s Services are intended for individuals who are at least 13 years of age. The Services may include information about dependents or beneficiaries who are under the age of 13; however, there are no Services offered directly to children under the age of 13. We do not collect personal information from children under the age of 13. If you think we have collected personal information from a child under the age of 13 without parental consent, please alert us (see Contact Information below).

Contact Information

If you have any questions or comments about this Notice or our other privacy notices, the ways in which we collect and use information, or choices and rights regarding personal information, please contact us at:

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: [email protected]

Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512

Effective Date

Last updated January 2025.

CALIFORNIA PRIVACY NOTICE

For California residents, our information sharing practices are in accordance with federal law. California law places additional restrictions on sharing information about its residents, and our policies comply with such restrictions.

Direct Marketing Requests

California Civil Code Section 1798.83 permits you, if you are a California resident, to request certain information regarding disclosure of Personal Information (defined below) to third parties for their direct marketing purposes. To make such a request, please send an e-mail to [email protected] or write us at Privacy Officer, HealthEquity, Inc., 121 W. Scenic Pointe Drive, Draper, UT 84020.

Do Not Track Settings

Cal. Bus. and Prof. Code Section 22575 also requires us to notify you how we deal with the “Do Not Track” settings in your browser. As of the effective date listed above, there is no commonly accepted response for Do Not Track signals initiated by browsers. Therefore, HealthEquity’s system does not respond to the Do Not Track settings. Do Not Track is a privacy preference you can set in your web browser to indicate that you do not want certain information about your web page visits tracked and collected across websites. For more details, including how to turn on Do Not Track, visit www.donottrack.us.

CALIFORNIA CONSUMER PRIVACY ACT/CALIFORNIA PRIVACY RIGHTS ACT SUPPLEMENTAL NOTICE

This California Privacy Notice is intended to supplement our other privacy notices available here.

To understand our privacy practices, you should refer to our other privacy notices and this supplemental California notice (“Notice”).

Applicability

The California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and this Notice apply to visitors, users, and others who are California residents (“consumers” or “you”).

This Notice applies to California residents’ Personal Information, as defined below, we collect to provide them with certain products and services (collectively, “Services”). The CCPA and CPRA do not apply to Personal Information for some of our Services that are excepted from the CCPA and CPRA, such as those subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Gramm-Leach-Bliley (GLBA). The requirements of CCPA and CPRA further do not apply to deidentified or aggregate consumer information.

Personal Information

The CCPA and CPRA define “Personal information” as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. Under the CPRA, “Personal Information” further includes “Sensitive Personal Information” such as social security number, driver license number, state identification card, passport number, financial data, genetic data, biometric data, precise geolocation, and racial and ethnic origin, content of consumer communications (email, mail, or text), unless the business is the intended recipient, genetic data, and information collected concerning a consumer’s health, sex life, or sexual orientation.

Below are the categories of Personal Information that we may have collected or shared for a business purpose in the last twelve (12) months, as permitted by law and depending on the product you receive:

| Category | Examples | Possibly collected or shared for a business purpose in the last 12 months |
| --- | --- | --- |
| A. Identifiers | Real name, alias, postal address, email address. | Yes |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | Identifiers listed in the preceding category A and subsequent category I, and signature, social security number, telephone number, passport number, driver’s license or state identification card number, insurance policy number, bank account number, or any other financial information, medical information, health insurance information. | Yes |
| C. Protected classification characteristics under California or federal law. | Age, marital status, medical condition, gender, veteran or military status. | Yes |
| D. Commercial Information | Products or services purchased, consumer history | Yes |
| E. Biometric information | N/A | Yes |
| F. Internet or other similar network activity. | Browsing and search history, usage of, and information regarding your use of our applications or website. This information may be used to create anonymous data to help us better understand customer preferences and needs. | Yes |
| G. Geolocation data. | City and state location of your device, which may include GPS-based, WiFi based, or cell-based location information. You can disable collection of location information by our app at any time in your mobile device settings. | Yes |
| H. Sensory data. | Audio recordings of calls when you call our customer service, and Internet and electronic network activity, as described above. You are notified at the beginning of a call whether the call is being recorded. | Yes |
| I. Professional or employment-related information. | Resume and employment application information. | Yes |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99)). | Where applicable, student information related to eligibility for benefits. | Yes |
| K. Inferences drawn from other personal information. | Inferences drawn from (1) the information we collect when you visit our website, use our app, or interact with our tools, widgets or plug-ins, (2) information we collect from reimbursement claims, and (3) information about user preferences and behavior that we collect on our website and mobile app to create a profile about a user reflecting the user’s preferences, characteristics, predispositions, behavior, and abilities. | Yes |
| L. Sensitive personal information. | Identifiers listed in the preceding category B and precise geolocation, racial and ethnic origin (when hired for a position), the contents of communications where HealthEquity is not an intended recipient. | Yes |

Retention

We retain Personal Information about you necessary to fulfill the purpose for which that information was collected and in accordance with your employer’s contract with us, consistent with applicable laws. We generally retain information regarding [for example, an individual’s Commuter Account with us] for at least seven years from [the date of our last interaction/account closure/etc.], in compliance with our obligations under applicable laws, or for longer if required to do so according to our regulatory obligations or where we believe necessary to establish, defend, or protect our legal rights or those of others.

When we destroy your Personal Information, we do so in a way that prevents that information from being restored or reconstructed.

Categories of Sources of Personal Information

Below are the sources from which we may receive your Personal Information:

  • directly from you when you inquire about our Services via our website or by telephone
  • from you when you or a benefit program sponsor creates an account with us
  • from you when you submit a claim for reimbursement
  • from your device when you access our website, mobile app and other online services
  • from your employer (where applicable) when related to Services that are covered by CPRA and CCPA
  • from third parties that assist us in providing relevant Services

We may combine Personal Information that you provide us through our website with other information we have received from you or your employer plan or program sponsor, whether online or offline, or from other sources such as from our service providers. For more information, please see the “What Information We Collect” section of our General Privacy Notice. Our website uses cookies to improve functionality and performance. Please see the “Cookies” section of our General Privacy Notice for more information.

How We Use and Share Personal Information for Business or Commercial Purposes

We may use or share the Personal Information listed above for the following business or commercial purposes:

  • Delivering relevant Services to you, or on behalf of another, including:
    • Verifying your identity in connection with the Services.
    • Administering the Services subject to CCPA and CPRA at the direction of your employer, including to determine eligibility for reimbursement under your employer’s benefits program;
    • Communicating with you or others designated by you about your participation in an employer sponsored benefit program, in connection to which we provide Services;
    • Responding to covered inquiries;
    • Helping to protect you and us from fraud or financial loss;
    • Linking accounts you provide us to facilitate the movement of funds;
    • Preparing account statements;
    • Preparing annual tax reporting information, if applicable;
    • Protecting your health, safety, or welfare;
    • Delivering user surveys; and
    • Delivering customized content and analytics on our websites or app.
  • Operating our websites in connection to covered Services;
  • Engaging third party service providers to assist us in administering and providing covered Services pursuant to a written agreement;
  • Performing analytics and improving our Services and websites;
  • Conducting internal research to develop and demonstrate technology;
  • Marketing our Services, only as permitted by law;
  • Keeping a record of our transactions and communications;
  • Conducting audits and reporting related to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;
  • Detecting, analyzing, and preventing security incidents, and other fraudulent or illegal activity;
  • Identifying, debugging and repairing errors in our systems, websites, or app that impair existing functionality;
  • Protecting our rights, the rights of affiliates and related third parties, or taking appropriate legal action, such as to enforce our Terms of Use;
  • Complying with applicable laws, regulations, administrative or legal requests, subpoenas, or otherwise as required by law;
  • In connection with a merger, acquisition, or other sale or transfer of all or part of our assets or business;
  • In accordance with your consent or the direction of your employer;
  • Short-term, transient use of Personal Information that is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction; and
  • As otherwise necessary or useful for us to lawfully conduct our business or provide covered Services.

Within the last 12 months, we have disclosed Personal Information identified in the “Personal Information” section, categories (A)-(L) above only (i) at your express request or at the direction of your employer benefit program sponsor; (ii) as part of an exempt transaction; or (iii) to our service providers for the business purpose(s) described above. To learn more about the categories of third parties with whom we share such information, please see the “How We Use and Share Information” section of our General Privacy Notice.

No Sale of Personal Information

We do not sell Personal Information within the meaning of the CCPA or CPRA. If that changes, we will let you know in advance and provide you with information so that you may understand and exercise your right to opt-out of the future sale or disclosure of your Personal Information.

Consumer Rights

If you are a California resident, you may exercise certain privacy rights related to your Personal Information. You may exercise these rights free of charge except as otherwise permitted under applicable law. Please note, there may be situations where we cannot grant your request, for example, if you ask us to delete your Personal Information that is governed by a Federal privacy regulation that is exempted from CCPA/CPRA, or where HealthEquity is legally obligated to keep a record of our interactions with you to comply with law. We may also decline your request in order to maintain our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied are if it jeopardizes the privacy of others, is frivolous, or would require disproportionate effort.

You may submit your request through our Privacy portal, which you can access by clicking here - Data Subject Access Requests. If you are a HealthEquity teammate, you can submit requests regarding your personal information through our Privacy portal, located here – Teammate Data Subject Access Requests. You may also send an email to [email protected].

  1. The Right to Know, Access, Rectify, and/or Delete Personal Information

Where the CCPA/CPRA applies to the Services we provide, you may have the right to know, access, correct, and/or delete Personal Information about you which we have collected.

The Right to Know/Access: You have the right to know the information contained in this Notice and our General Privacy Notice, and to request access to a copy of the Personal Information that HealthEquity has collected about you directly or indirectly, including Personal Information collected by a service provider or contractor on our behalf. You may access your account through the websites and mobile app and view your Personal Information.

The Right to Correct: You may access your account through the websites and mobile app and update your Personal Information. Users may make changes to some Personal Information through their online accounts. For Personal Information that cannot be changed via your account, you may contact us as set forth above to request the change or contact your employer if the change relates to covered Services. We will use commercially reasonable efforts to honor your requests within the limits defined by your employer program sponsor.

The Right to Delete: You have the right to request that HealthEquity delete your Personal Information, subject to certain limited exceptions. For example, we may retain an archived copy of your records consistent with applicable law, to continue to provide covered Services, or for other legitimate business purposes. When you exercise your deletion right, you may lose access to certain aspects of Services that require your Personal Information to function.

  2. The Right to Opt-out of the Sale or Sharing of Personal Information or De-identified Personal Information

  • We do not sell your Personal Information for monetary or other valuable consideration.
  • We do not sell any de-identified Personal Information. We may de-identify your Personal Information for internal use only.
  • We do not share your Personal Information for the purposes of “cross-context behavioral advertising.” Cross-context behavioral advertising is “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

  3. The Right to Limit the Use of Sensitive Personal Information

We limit our use of Sensitive Personal Information to only the purposes necessary to perform covered Services, and for certain business and commercial purposes described above.

  4. The Right to Non-Discrimination

We will not discriminate or retaliate against you for exercising your consumer rights under the CCPA/CPRA, including by (a) denying you goods or services; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; or (c) providing you a different level or quality of goods or services (or suggesting that we will do so). We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your Personal Information.

Verification

As required or permitted under applicable law, we may take steps to verify your request before providing Personal Information to you, deleting Personal Information, or otherwise processing your request. To verify your request, you must provide your name, employer (if any), product or service, email address, phone number, and state of residence. You may also be asked to verify your ability to control the email address or phone number you have provided to us. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us. We will review each request carefully and respond accordingly within the timeframe established by the CCPA/CPRA.

Agent Authorization

You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent may contact us as set forth in this Notice. Even if you choose to use an agent, as permitted by law, we may require you to confirm you have authorized the agent to act on your behalf or require you to verify your own identity.

Notice of Financial Incentive

We do not offer financial incentives to consumers for providing Personal Information.

Changes to Our Privacy Notice

We reserve the right to amend this Notice at our discretion and at any time. We will do so by updating this Notice. Amended terms take effect upon being incorporated into this Notice, and your continued use of the website or participation in your employer’s covered benefit program following the posting of any changes constitutes acceptance of any new terms. If the changes will materially affect the way we use your Personal Information in connection with covered Services that we have already collected, we will notify you by sending you a message in your online account.

Requesting Notice in Alternative Format/Language

You may be able to request this Notice in another language where we provide such notices in the ordinary course of business or in an alternative format if you have a disability. Please contact the Privacy Office below to request an alternative format.

Contact Information

If you have questions or comments about this Notice, our privacy policies, the ways in which we collect and use your information, your choices and rights regarding such use, please contact us at:

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: [email protected]

Mail: HealthEquity, Inc.
Attn: Privacy Officer
121 W. Scenic Pointe Drive
Draper, UT 84020

Effective Date

Last updated January 2025

 

TEAM MEMBER PRIVACY NOTICE

HealthEquity, Inc. and its subsidiaries, including WageWorks, Inc. and Fort Effect Corp. (DBA Luum), prioritize your privacy. This notice explains who we are, how and why we handle your personal information as your employer, and your rights regarding that information. It also outlines how to contact us with complaints. This notice applies to all current and former employees ("team members").

The Company processes personal information as per this Notice, unless required by law. We follow state privacy laws in the United States and are responsible for your data.

We collect relevant and limited personal information related to employment. The Company neither sells nor shares team member information for behavioral advertising.

This Notice excludes aggregated, anonymous, or de-identified data. Aggregated data removes individual identities. Anonymous data makes individuals unidentifiable. De-identified data cannot reasonably identify any individual.

Failing to provide requested personal information may affect our ability to serve you fully as an employer (such as payment or benefits) or comply with legal obligations (such as worker health and safety).

 

Category: Terms and Definitions
AI System: An engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments.
Company, We, Us, Our: HealthEquity and our group companies
Personal Information: Any information relating to, describing, reasonably capable of being associated with, or capable of reasonably being linked, directly or indirectly, to an identified, or an identifiable, natural person.
Sensitive Personal Information:
  • Government identifiers, such as Social Security Numbers and driver's license numbers;
  • Account log-in information (e.g., financial account or credit card numbers in combination with any required access codes or passwords);
  • Precise geolocation information;
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • Content of postal mail, email, and text messages, unless the business is the intended recipient of the subject communications;
  • Genetic data; and
  • Biometric information that uniquely identifies a consumer or information concerning a consumer's health, sex life, or sexual orientation.

Personal Information We Collect About You. The Company may collect and use personal information that can identify, relate to, describe, or be reasonably associated with team members. Sensitive Personal Information may be collected and processed if required or permitted under applicable law, necessary for the establishment, exercise, or defense of legal claims, or if the team member has provided explicit consent.

Categories of Personal Information: Specific Types of Personal Information Collected
Identifiers: Name, preferred name, home/mailing address, email address, telephone/mobile number, online identifiers, emergency contacts/next-of-kin, photograph/CCTV images, date of birth, social security number, state identification card, driver’s license image, employee identification number, signatures, languages
Demographic Data: Age, gender, race, ethnicity, disability status, sexual orientation, gender identity, and transgender status
Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age
Background Data: Drug screening, credit/criminal check, prior or current employment verification, education/certification/licensing verification, military status, citizenship status, nationality
Employment and Professional Data: Job title/position, office location, hire/rehire/term dates, employment contracts, performance reviews, disciplinary records, grievance procedures, sick time, vacation time/paid time off, timesheets, academic/professional qualifications, training records, education, CV/resume, references, interview notes
Financial Data: Bank routing/account number, state and federal tax declarations and withholdings, benefits, payroll, salary, expenses and allowances, and stock and equity grants
Health Data: Medical diagnosis, physician notes, workplace accident/incident reports, short- or long-term disability or illnesses, leave of absence and sick leave and related requests and analyses, medical accommodations and related requests and analyses, and employment-related medical screenings
Spouse/Partner’s and Dependents’ Data: Names, dates of birth, social security number, and other contact details
Workplace, Device, Usage and Content Data: IP address, log files, login information, software/hardware inventories, Office 365, Teams meetings/conference recordings, or transcripts (including Copilot/AI transcripts), Outlook including emails sent and received, calendar entries, to-do items, instant messages, attendance logs or logs from booking Company meeting rooms, building and information system access, websites visited data, text messages on Company devices, Company device, system and application usage (including telemetry) when accessing and using Company assets, including inputs or prompts team members enter into AI Systems and output from AI Systems.
Video, Voice, and Image: Facial images, voice files or recordings, video files or recordings

If you provide personal information about others, inform them of the purpose and share this Notice. We will assume their consent for collection and processing unless notified otherwise in writing.

How Your Personal Information is Collected. We collect most of this Personal Information directly from you—in person, by telephone, text, email, website, and apps. However, we may also collect information:

  • From publicly accessible sources (e.g., LinkedIn).
  • Directly from a third party (e.g., background screening providers).
  • From a third party with your consent (e.g., your bank).
  • From cookies on our website; and
  • Via our IT systems, including:
    • Door entry systems and reception logs; and
    • Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems. Please refer to the People Handbook (including any applicable state supplement) and Acceptable Use Policy for additional information.
    • Through Data Loss Prevention tools

How and Why We Use Your Personal Information. We only use your Personal Information if we have a proper reason for doing so, including (and as set forth below):

  • To comply with our legal and regulatory obligations;
  • To protect our legal rights;
  • For our legitimate interests or those of a third party;
  • In an emergency where health or security is at stake; or
  • Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

To innovate and continuously improve, we employ AI tools, including Microsoft Copilot, to aid in a variety of tasks such as:

  • Streamlining administrative workflows and improving process efficiencies.
  • Facilitating informed decision-making.

The Company's Responsible AI Policy governs our use of AI tools and requires all team members to use AI Systems responsibly and with written approval before inputting Personal Data, Company Confidential Information, and Customer Data. The Company may take necessary steps to both enforce this Policy and to protect Company intellectual property (IP) in connection with AI Systems use.

To the extent we use AI to process your personal information, we do so in accordance with relevant privacy laws and regulations. We refrain from using AI to make significant decisions impacting your employment without human oversight.

 

The table below explains what we use your personal information for and our reasons for doing so.

What we use your personal information for: Our reasons

To pay you, for benefits administration, retirement administration, managing various types of leave of absence, tax reporting, measuring employee sentiment, diversity reporting, measuring performance metrics for the purpose of reviewing, rewarding and coaching: To manage the employment or working relationship with you and to fulfill our legal obligations as your employer

To prevent and detect fraud against you or us: For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you

To conduct background screening to confirm identity and screening for financial or other sanctions; other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator: To comply with our legal and regulatory obligations

To gather and provide information required by or relating to audits, enquiries, or investigations by regulatory bodies: To comply with our legal and regulatory obligations

Ensuring business policies are adhered to, e.g., policies covering security and internet use: For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you

Operational reasons, such as improving efficiency, training, and quality control: For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price

Ensuring the confidentiality of commercially sensitive information: For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information; to comply with our legal and regulatory obligations

Preventing unauthorized access and modifications to systems: For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you; to comply with our legal and regulatory obligations

Ensuring safe working practices, staff administration and assessments: To comply with our legal and regulatory obligations; for our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

We have appropriate measures in place to protect your personal information and will never sell or share it with other organizations for marketing or cross context behavioral advertising purposes or any other behavioral marketing.

Who We Share Your Personal Information With. We routinely share personal information with:

  • Our affiliates and subsidiaries;
  • Service providers we use to help deliver our products and services to you, such as benefit providers, information technology providers for shipping and receiving Company devices, cloud providers, data hosting and storage services, background check providers, warehouses and delivery companies;
  • Government authorities as required by law, such as tax and social security authorities;
  • With our clients when necessary to inform them who their point of contact is, or who may otherwise be working on their accounts.

We only allow our service providers to access or use your personal information if they meet our data privacy and protection requirements. We impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g., in relation to accreditation and audit activities.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

Where Your Personal Information is Held. Information may be held at our offices, in Company systems and databases, third party agencies, service providers, representatives and agents as described above (see above: “Who We Share Your Personal Information with”).

How Long Your Personal Information Will Be Kept. We will keep your personal information while you are employed with us. Thereafter, we will keep your personal information for as long as is necessary:

  • To respond to any questions, complaints or claims made by you or on your behalf; or,
  • To comply with record retention laws and requirements, and our policies.

We will not retain your personal information for longer than necessary for the purposes set out in this notice. Different retention periods apply for different types of personal information. Further details on this are available in our Records Retention Policy.

When it is no longer necessary to retain your personal information, we will delete or anonymize it.

Your Rights Under State Privacy Laws. Where permitted or required by State Privacy Laws (such as the California Privacy Rights Act (CPRA)) you may be entitled to exercise any of the following privacy rights with respect to your personal information:

Your rights: Description

Disclosure of Personal Information We Collect About You: You have the right to know:

  • The categories of personal information we have collected about you.
  • The categories of sources from which the personal information is collected.
  • Our business or commercial purpose for collecting personal information.
  • The categories of third parties with whom we share personal information, if any; and
  • The specific pieces of personal information we have collected about you.

Please note that we are not required to:

  • Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained.
  • Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or
  • Provide the personal information to you more than twice in a 12-month period.

Right to Request access, correction, amendment, and portability (you also have the right to request limits on use and sharing of your Sensitive Personal Information): You can access, correct or amend certain personal information through self-service tools as set forth below:

  • ADP Vantage
  • SAP Concur
  • Motivosity (edit profile)

For other data, you may submit a data subject access request through our privacy portal found here: Data Subject Access Requests. You may also email [email protected].

When you submit a request, you will be required to provide personal information for us to properly authenticate you and confirm your identity. We will not ask for more than necessary information for this purpose.

Personal Information Shared for a Business Purpose: You have the right to know the categories of personal information that we disclosed to a third party for a business purpose.

Right to Deletion: Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:

  • Delete your personal information from our records; and
  • Direct any service providers to delete your personal information from their records.

We may not delete your personal information if it is necessary to comply with our legal and employment obligations.

Protection Against Discrimination: HealthEquity will not discriminate against you for exercising any of your rights allowed or required by law.

Keeping Your Personal Information Secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Changes to This Privacy Notice. This privacy notice was published on 2/1/2022 and last updated on 5/14/2025.

We may change this privacy notice from time to time–when we do, we will inform you via posting to the Company’s intranet and systems of record.

How to Contact the Privacy Office. Please contact the Privacy Office by email – [email protected] if you have any questions about this privacy notice or the information the Company holds about you.

Do You Need Extra Help? If you would like this notice in another format (for example: audio, large print, braille) please contact us (see “How to contact us” above).