Privacy Policy

We protect your privacy

At Further by HealthEquity, our mission is to save and improve lives by empowering healthcare consumers. We have become an industry leader in administering Health Savings Accounts, in addition to our roster of other products and benefits, by bringing together advanced technology and remarkable service. As part of our remarkable service, we are committed to protecting the privacy of your personal information. These policies and notices provide a clear explanation of how we collect, use, disclose, transfer, and store your information.

Our Privacy Commitments

We are Secure

We use up to date administrative, physical, and technical safeguards to protect personal information.

We are Transparent

We keep you informed regarding how we collect, use and share personal information.

We are Ethical

We only use personal information to provide our services.

We are Accountable

Our team members and business partners are trained on and accountable for complying with our privacy policies and standards.

Contact Information

If you have any questions about HealthEquity’s privacy practices, commitments, or notices, we would love to hear from you.

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: [email protected]

Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512

General Privacy Notice:

Your privacy is important to us. This General Privacy Notice (“Notice”) describes the information Further by HealthEquity, Inc. ("we", "our", “us”) collects when interacting with you in connection with our products and services (such as health savings accounts and various employer sponsored plans and programs, each an “Account” and collectively, “Services”), or employment opportunities. This Notice also describes how our website and mobile application may collect information from you.

We encourage you to review our other applicable product, state, and regulatory notices provided through the Quick Links to the left. Please read those notices to understand how they apply to you and the Services. You can view the privacy practices applicable to specific types of information and to our different Services, and how we use personal information to conduct our business.

When we are administering a health benefit plan provided by your employer, the information we collect about you is subject to the requirements of the Health Insurance Portability and Accountability Act ("HIPAA"). In circumstances where HIPAA applies, your plan’s HIPAA Notice of Privacy Practices and not this General Privacy Notice will apply. If you have questions about which policy applies in a certain situation, please contact us using the Contact Information provided in this General Privacy Notice.

This website is intended for individuals who reside in the United States. We honor all individual privacy rights defined by law, as set forth herein, and in governing regulations.

We reserve the right to make changes to this Notice and our other privacy notices, and recommend you read them regularly. Your submission of personal information for job opportunities, or use of the Further by HealthEquity website and/or our Services constitutes your acceptance of and agreement to this Notice. If you do not agree to this Notice, do not use the website, Services, or otherwise provide your personal information. If we provide Services to you, to stay current on our practices, please update your email address with us if it changes.

What information we collect

If you sign up for Services we may collect, from you or from your employer, among other information:

Your name;

E-mail and physical address;

Social security number ("SSN");

Date of birth;

Phone number;

Names of the dependents (and other identification or "ID") that are connected to or covered by your Account;

Names and ID of people authorized by you to use your Account;

Names and ID of people authorized by you to access your Account information;

Technical information associated with the device you use, such as the type and model, system language, browser type, geographical location, operating system, Internet protocol (IP) address, IDFA (identifier for advertisers), and other unique identifiers collected automatically when you interact with our website (as further detailed below in the “Cookies and Website” section); and

Transactions with us such as your Account balance, fees, payments, reimbursements, distributions, contributions, and the identity of persons to whom you make payments, including health care providers.

If you are receiving services from us, we may combine personal information that you provide us with information from other sources such as from your employer or benefits plan/program sponsor and our business partners and service providers.

If you apply for a job opportunity, we collect personal information from you in connection with your resume and the application you submit to us. We use your information to evaluate your skills and abilities for job opportunities, verify your information, carry out reference checks and/or background checks (where applicable), communicate with you about the recruitment process, recommend potential career opportunities, create and/or submit reports as required under applicable laws/regulations, and make improvements to our application or recruitment process.

The personal information we collect may include:

Identification Data – such as full name, preferred name, home address, email address, telephone number, and photo/image (if volunteered), citizenship status, or nationality.

Demographic Data – such as gender, ethnicity, disability status, gender identity, and sexual orientation. Our purposes for processing this data include the following:

To monitor and ensure diversity and equality of treatment and opportunity;

To provide work-related accommodations or adjustments; and

To comply with applicable legislation.

Note that where processing is not required or permitted by law, we will ask for your express consent.

Employment and Professional Data – such as job title/position, hire/term/rehire dates, employer information, employment contacts, CV/resume, academic/professional qualifications, skills, work-related licenses, education, references, military status, work permits, salary, desired salary.

Other Data – we may also collect personal information about you from third parties or public sources as needed to support the employment relationship or to engage with you concerning job opportunities at our company. For example, before and during your employment or assignment we may collect information from public professional sources, such as your LinkedIn profile for recruitment purposes. We also may conduct lawful background screenings to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history.

If you are offered and accept employment with us, the personal information collected during the job application and recruitment process may become part of your employment record. If you are not offered or accept employment, we will keep your CV/resume on file for future job openings. You may request removal of your CV/resume by submitting a request pursuant to the Data Subject Access Request process set forth herein.

How we collect information

Your Personal Information

Direct Interactions: You provide your personal information when contacting us through applications, this website, mobile applications, signing up for or receiving Services, emailing us, or applying for job opportunities through candidate tracking systems.

Third Parties or Publicly Available Sources: We may obtain information about you from your employer, your health plan, benefit provider, publicly available online sources or government records, background check providers, criminal records check, or past or current professional references you supply to us. We will seek information from third parties only once a job offer or assignment has been made or through provisioning of Services, and will inform you that we are doing so.

It is your choice whether to provide us with personal information, however, our ability to provide or continue to provide Services or information to you may be impacted should you decline to provide us with requested information.

Cookies and Website Tracking

“Cookies” may be placed on your computer when you visit the Further by HealthEquity website. Cookies allow us to collect technical information associated with the device you are using and collect information, including clickstream information, browser type, time and date you visited the website, and other information about your interactions with the website (as detailed above in “What Information We Collect”). Cookies can be for a single session or interaction with our website or can be persistent and stored on your computer or device until they are deleted or expire. Most internet browsers allow you to disable and delete cookies or can be set to notify you when you receive a cookie allowing you decide whether to accept it. If you choose to disable cookies some functionality on the website may be impacted or not work at all.

Additionally, like many websites, we use standard internet technology (such as web beacons, tracking pixels, and embedded scripts) to track your web-surfing activity when you are visiting our website. We also include standard internet technology in advertisements and promotional e-mail messages to determine whether advertising or messages have been acted upon. This information enables us to customize the services we offer our website visitors, to deliver targeted advertisements, and to measure the overall effectiveness of our online advertising, content, programming, or other activities. Some other examples of ways we use your activity information include developing anonymized reports regarding website usage, activity, and statistics for our internal use and assisting users experiencing website problems.

We use this information only as dictated by applicable law.

We may also allow third party service providers to use cookies and other web technologies to collect information and to track browsing activity over time and across third party websites such as web browsers used to read our websites, which websites are referring traffic or linking to our websites, which may deliver advertisements to you. We do not control these third-party technologies and their use is governed by the privacy policies of the third parties using such technologies. For more information about entities that use these technologies, see http://www.aboutads.info/consumers , and to opt-out of such ad networks’ and services’ advertising practices, go to www.aboutads.info/choices .

We use Google and Facebook technologies to advertise online. These technologies help us tailor ads that we think may be of interest to visitors to our website. As always, we respect your privacy and do not collect any personal information using these technologies. For example, we may tailor advertising based on the specific product pages you viewed on the website. These ads may appear across the internet, including websites on Google and Facebook. You may opt out of these cookies by visiting the ad settings on these entities’ webpages or through our cookie management console. Any data we collect through these technologies is used for internal purposes only, in accordance with applicable law and our privacy policies and notices.

We use Google Analytics as described at https://policies.google.com/technologies/partner-sites . You can prevent your data from being used by Google Analytics on our websites by installing the Google Analytics opt-out browser add-on or through our cookie management console. If you have accounts with third-party providers, you may be able to control your ad preferences through your account settings.

You have the ability to opt out of these cookies and web technologies at any time by using our cookie management console. You are prompted to make cookie management choices upon your first visit to our website. To update your choices, click on the Do Not Sell link at the bottom of our webpage.

How we use and share information

We may use or share the personal information listed above for the following business or commercial purposes:

Delivering our Services to you, or on behalf of another, including:

Verifying your identity, opening and administering your Accounts and benefits, and providing other financial services under the USA PATRIOT Act;

Administering the Services that we offer you or your employer, including to determine eligibility or to review and pay claims;

Displaying claims information in your health savings account portal with your authorization;

Communicating with you or others designated by you about your Account, benefits, and/or our Services;

Responding to inquiries;

Making payments to medical service providers;

Providing you with any health insurance information related to our Services, if applicable;

Helping to protect you and us from fraud and financial loss;

Linking accounts you provide us to facilitate the movement of funds as directed by you;

Preparing Account statements;

Preparing annual tax reporting information, if applicable;

Protecting your health, safety, or welfare;

Delivering user surveys; and

Delivering customized content and analytics on our websites or app.

Operating our websites and maintaining or servicing your Account;

Engaging third party service providers to assist us in administering and providing our products and services pursuant to a written agreement;

Performing analytics and improving our Services and website;

Conducting internal research to develop and demonstrate technology;

Marketing our Services, only as permitted by law;

Keeping a record of our transactions and communications;

Conducting audits and reporting related to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;

Detecting, analyzing, and preventing security incidents, and other fraudulent or illegal activity;

Identifying, debugging and repairing errors in our systems, websites, or app that impair existing functionality;

Protecting our rights, the rights of affiliates and related third parties, or taking appropriate legal action, such as to enforce our Terms of Use;

Complying with applicable laws, regulations, administrative or legal requests, subpoenas, or otherwise as required by law;

In connection with a merger, acquisition, or other sale or transfer of all or part of our assets or business;

In accordance with your consent, authorization, or instructions;

Short-term, transient use of personal information that is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction; and

We do not sell our customer lists or individual customer information. We will only share your personal information with third parties as outlined in our privacy notices. From time-to-time, we provide your information to nonaffiliated third-party service providers (i.e., subcontractors) to perform services for or functions on our behalf, to effect, administer, or enforce transactions necessary for the proper administration of an Account or as otherwise authorized by you.

We may also exchange information with reference sources or reporting agencies for risk management and verification, in order to maximize the accuracy and security of your personal information. We only use and share information needed to service your account or protect against fraud, unless we are required to do so by law.

If you have an Account and are receiving Services from us, you may authorize other individuals to access your information or make changes to your Account (such as a spouse, dependent, or legal representative). You are responsible for your authorized user’s transactions. Your authorized users will have access to the Account balance if they are authenticated by our system. It is your responsibility to keep your authorizations up to date and accurate. You will be able to see all activities conducted by an authorized user.

Rights and Choices

You may have rights such as the right to know, access, and/or delete your information. These rights may differ depending on your State of residency or the source of the information, or the type of Services or Account you have. You can submit a request regarding your personal information through our Privacy portal, located here - Data Subject Access Requests. If you are a Further by HealthEquity teammate, you can submit requests regarding your personal information through our Privacy portal, located here – Teammate Data Subject Access Requests.

You may also submit your requests to [email protected] . Please note, there may be situations where we cannot grant your request, for example, if you ask us to delete your data that is governed by a Federal privacy regulation that is exempted from your state privacy law, or where Further by HealthEquity is legally obligated to keep a record of our interactions with you to comply with law. We may also decline your request in order to maintain our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied are if it jeopardizes the privacy of others, is frivolous or vexatious, or would require disproportionate effort.

Electronic and Online Communications

We use e-mail to send newsletters, account notifications, marketing materials, and other communications, on a periodic basis to various individuals and organizations. You have the ability to opt-out of these communications at any time. For example, you can opt-out using links in a specific email communication or contact us (see Contact Information below). Opt-outs may not apply to communications related to your Account status, administrative messages, website updates, or other communications that are necessary to provide our Services.

We also, if you opt in to such communications, may use SMS text to communicate with you. We do not share your subscriber data with any other parties.

Information Security

Further by HealthEquity places a high priority on protecting your personal information. We maintain administrative, technical, and physical safeguards designed to protect the information that you provide on this website and in connection with the Services from unauthorized access to or acquisition of such information. Please be advised, however, that regardless of our best efforts to protect information, the confidentiality and security of any communication or material transmitted to or from the website or via email cannot be guaranteed to be 100% secure at any time. We also cannot guarantee that the information you transmit over the Internet will not be unlawfully intercepted or accessed by third parties. Any transmission of your information is at your own risk. Therefore, we strongly encourage all users to be careful and responsible about what you choose to provide online. Further, when you create an Account with Further by HealthEquity, you will create a unique password. It is your responsibility to personalize your password and protect and secure such password. Further by HealthEquity is not responsible for any information compromised due to your failure to secure your Account or login credentials.

If you have any reason to believe that your interaction with us through this website or other means is no longer secure, please immediately notify us (see Contact Information below).

For more details regarding our information security practices, please see our Information Security information available in the Quick Links on the left.

Further by HealthEquity will, for example:

Never ask for your login or password through email or phone call;

Use your secret question and answer to authenticate you on a phone call;

Never utilize an automated voice response system when contacting you.

Information provided via our web portal is submitted within a secure session. These sessions utilize Transport Layer Security (TLS, formerly known as SSL) technology to ensure that the information is encrypted while in transit. Your browser must be able to support this technology to use our web services.

Require a User ID and password in order to access an Account or receive Services. This may either be provided to you or you will be allowed to choose your own. The User ID and password are designed to protect you by confirming your identity to our computer network systems. Our employees do not have access to your password.

Automatically log you out of your Account if you are inactive after logging in for a certain amount of time.

Require you to regularly change your password from time to time.

Monitor your Account for any signs of suspicious or potentially fraudulent activity.

Maintain up to date policies, standards, and processes designed to protect your personal information and comply with applicable state and federal data security laws, regulations, and guidance.

Train our workforce on our policies, standards, and processes.

Limit access to your personal information to only those who need it to perform their duties.

Require our subcontractors to maintain the same privacy and security standards for protecting your information as we do.

California Privacy Practices

If you are a California resident, please see more information about our privacy practices and your rights in our California Privacy Notice.

Children's Privacy

Further by HealthEquity’s Services are intended for individuals who are at least 13 years of age. The Services may include information about dependents or beneficiaries who are under the age of 13, however, there are no Services offered directly to children under the age of 13. We do not collect personal information from children under the age of 13. If you think we have collected personal information from a child under the age of 13, without parental consent, please alert us (see Contact Information below).

Contact Information

If you have any questions or comments about this Notice or our other privacy notices, the ways in which we collect and use information, or choices and rights regarding personal information, please contact us at:

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: [email protected]

Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512

Effective Date

Last updated May 2023.

California Privacy Notice (linked under the Practices):

For California residents, our information sharing practices are in accordance with federal law. California law places additional restrictions on sharing information about their residents, and our policies comply with such restrictions.

Direct Marketing Requests

California Civil Code Section 1798.83 permits you, if you are a California resident, to request certain information regarding disclosure of Personal Information (defined below) to third parties for their direct marketing purposes. To make such a request, please send an e-mail to [email protected] or write us at Privacy Officer, HealthEquity, Inc., 121 W. Scenic Pointe Drive, Draper, UT 84020.

Do Not Track Settings

Cal. Bus. And Prof. Code Section 22575 also requires us to notify you how we deal with the “Do Not Track” settings in your browser. As of the effective date listed above, there is no commonly accepted response for Do Not Track signals initiated by browsers. Therefore, Further by HealthEquity’s system does not respond to the Do Not Track settings. Do Not Track is a privacy preference you can set in your web browser to indicate that you do not want certain information about your web page visits tracked and collected across websites. For more details, including how to turn on Do Not Track, visit www.donottrack.us.

California Consumer Privacy Act/California Privacy Rights Act Supplemental Notice

This California Privacy Notice is intended to supplement our other privacy notices available here.

To understand our privacy practices, you should refer to our other privacy notices and this supplemental California notice (“Notice”).

Applicability

The California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and this Notice apply to visitors, users, and others who are California residents (“consumers” or “you”).

This Notice applies to California residents’ Personal Information, as defined below, we collect to provide them with certain products and services (collectively, “Services”). The CCPA and CPRA do not apply to Personal Information for some of our Services that are excepted from the CCPA and CPRA, such as those subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Gramm-Leach-Bliley (GLBA). The requirements of CCPA and CPRA further do not apply to deidentified or aggregate consumer information.

In addition, updated CCPA/CPRA requirements went into effect on January 1, 2023, for applicable Services related to employee and business-to-business Personal Information. As a result, this Notice also applies to employees, applicants for employment, and independent contractors, who are California residents.

Personal Information

The CCPA and CPRA define “Personal information” as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. Under the CPRA, “Personal Information” further includes “Sensitive Personal Information” such as social security number, driver license number, state identification card, passport number, financial data, genetic data, biometric data, precise geolocation, and racial and ethnic origin, content of consumer communications (email, mail, or text), unless the business is the intended recipient, genetic data, and information collected concerning a consumer’s health, sex life, or sexual orientation.

Below are the categories of Personal Information that we may have collected or shared for a business purpose in the last twelve (12) months, as permitted by law and depending on the product you receive:

Category

Terms and Definitions

Company, We, Us, Our HealthEquity and our group companies

Personal Information

Any information relating to, describing, reasonably capable of being associated with, or capable of reasonably being linked, directly or indirectly, to an identified, or an identifiable, natural person.

Sensitive Personal Information

Government identifiers, such as Social Security Numbers and drivers license numbers;
Account log-in information (e.g., financial account or credit card numbers in combination with any required access codes or passwords);
Precise geolocation information;
Racial or ethnic origin, religious or philosophical beliefs, or union membership;
Content of postal mail, email, and text messages, unless the business is the intended recipient of the subject communications;
Genetic data; and
Biometric information that uniquely identifies a consumer or information concerning a consumer's health, sex life, or sexual orientation.

1. Personal Information We Collect About You. We may collect and use the following personal information that identifies, relates to, describes, is reasonable capable of being associated with, or could reasonably be linked, directly or indirectly, with an employee or former employee:

Categories of Personal Information	Specific Types of Personal Information Collected
Identifiers	Name, preferred name, home/mailing address, email address, telephone/mobile number, online identifiers, emergency contacts/next-of-kin, photograph/CCTV images, date of birth, social security number, state identification card, driver’s license image, employee identification number, signatures, languages
Demographic Data	age, gender, race, ethnicity, disability status, sexual orientation, gender identity, and transgender status
Characteristics of protected classifications under California or federal law.	Race, religion, sexual orientation, gender identity, gender expression, age
Background Data	Drug screening, credit/criminal check, prior or current employment verification, education/certification/licensing verification, military status, citizenship status, nationality
Employment and Professional Data	Job title/position, office location, hire/rehire/term dates, employment contracts, performance reviews, disciplinary records, grievance procedures, sick time, vacation time/paid time off, timesheets, academic/professional qualifications, training records, education, CV/resume, references, interview notes
Financial Data	Bank routing/account number, state and federal tax declarations and withholdings, benefits, payroll, salary, expenses and allowances, and stock and equity grants
Health Data	Medical diagnosis, physician notes, workplace accident/incident reports, short- or long-term disability or illnesses, leave of absence and sick leave and related requests and analyses, medical accommodations and related requests and analyses, and employment-related medical screenings
Spouse/Partner’s and Dependents’ Data	Names, dates of birth, social security number, and other contact details
Workplace, Device, Usage and Content Data	IP address, log files, login information, software/hardware inventories, Office 365, Teams, Outlook including emails sent and received, calendar entries, to-do items, instant messages, building and information system access, websites visited data, text messages on Company devices, Company device, system and application usage (including telemetry) when accessing and using Company assets
Video, Voice, and Image	Facial images, voice files or recordings, video files or recordings

2. Personal Information We Collect About You. We may collect and use the following personal information that identifies, relates to, describes, is reasonable capable of being associated with, or could reasonably be linked, directly or indirectly, with an employee or former employee:

Categories of Personal Information	Specific Types of Personal Information Collected
Identifiers	Name, preferred name, home/mailing address, email address, telephone/mobile number, online identifiers, emergency contacts/next-of-kin, photograph/CCTV images, date of birth, social security number, state identification card, driver’s license image, employee identification number, signatures, languages
Demographic Data	age, gender, race, ethnicity, disability status, sexual orientation, gender identity, and transgender status
Characteristics of protected classifications under California or federal law.	Race, religion, sexual orientation, gender identity, gender expression, age
Background Data	Drug screening, credit/criminal check, prior or current employment verification, education/certification/licensing verification, military status, citizenship status, nationality
Employment and Professional Data	Job title/position, office location, hire/rehire/term dates, employment contracts, performance reviews, disciplinary records, grievance procedures, sick time, vacation time/paid time off, timesheets, academic/professional qualifications, training records, education, CV/resume, references, interview notes
Financial Data	Bank routing/account number, state and federal tax declarations and withholdings, benefits, payroll, salary, expenses and allowances, and stock and equity grants
Health Data	Medical diagnosis, physician notes, workplace accident/incident reports, short- or long-term disability or illnesses, leave of absence and sick leave and related requests and analyses, medical accommodations and related requests and analyses, and employment-related medical screenings
Spouse/Partner’s and Dependents’ Data	Names, dates of birth, social security number, and other contact details
Workplace, Device, Usage and Content Data	IP address, log files, login information, software/hardware inventories, Office 365, Teams, Outlook including emails sent and received, calendar entries, to-do items, instant messages, building and information system access, websites visited data, text messages on Company devices, Company device, system and application usage (including telemetry) when accessing and using Company assets
Video, Voice, and Image	Facial images, voice files or recordings, video files or recordings

3. How Your Personal Information is Collected. We collect most of this Personal Information directly from you—in person, by telephone, text, email, website, and apps. However, we may also collect information:

- From publicly accessible sources (e.g., LinkedIn).
- Directly from a third party (e.g., background screening providers).
- From a third party with your consent (e.g., your bank).
- From cookies on our website; and
- Via our IT systems, including:
  - Door entry systems and reception logs.
  - Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems; and
How and Why, We Use Your Personal Information. We only use your Personal Information if we have a proper reason for doing so, including (and as set forth below):
- To comply with our legal and regulatory obligations;
- To protect our legal rights;
- For our legitimate interests or those of a third party;
- In an emergency where health or security is at stake; or
- Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use your personal information for and our reasons for doing so:

What we use your personal information for	Our reasons
For business or emergency communication (SMS, email, telephone), such as scheduling interviews, notifying you of job opportunities, or encouraging employees to share feedback	For our legitimate interests, i.e., fulfilling job opportunities, or to contact you or others on your behalf for emergencies such as weather events
To pay you, for benefits administration, retirement administration, managing various types of leave of absence, tax reporting, measuring employee sentiment, diversity reporting, measuring performance metrics for the purpose of reviewing, rewarding and coaching	To manage the employment or working relationship with you and to fulfill our legal obligations as your employer
To prevent and detect fraud against you or us	For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you
To conduct background screening to confirm identity and screening for financial or other sanctions Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator	To comply with our legal and regulatory obligations
To gather and provide information required by or relating to audits, enquiries, or investigations by regulatory bodies	To comply with our legal and regulatory obligations
Ensuring business policies are adhered to, e.g., policies covering security and internet use	For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you
Operational reasons, such as improving efficiency, training, and quality control	For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price
Ensuring the confidentiality of commercially sensitive information	For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information To comply with our legal and regulatory obligations
Preventing unauthorized access and modifications to systems	For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you To comply with our legal and regulatory obligations
Ensuring safe working practices, staff administration and assessments	To comply with our legal and regulatory obligations For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

The above table does not apply to special categories personal information, which we will only process with your explicit consent.

We will always protect your personal information and never sell or share it with other organizations for marketing or behavioral advertising purposes.

4. Who We Share Your Personal Information With. We routinely share personal information with:

- Our affiliates and subsidiaries;
- Service providers we use to help deliver our products and services to you, such as benefit providers, information technology providers for shipping and receiving Company devices, cloud providers, data hosting and storage services, background check providers, warehouses and delivery companies;
- Government authorities as required by law, such as tax and social security authorities;
- With our clients when necessary to inform them who their point of contact is, or who may otherwise be working on their accounts.

We only allow our service providers to access or use your personal information if they meet our data privacy and protection requirements. We impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g., in relation to accreditation and audit activities.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

5. Where Your Personal Information is Held. Information may be held at our offices, in Company systems and databases, third party agencies, service providers, representatives and agents as described above (see above: “Who We Share Your Personal Information with”).

6. How Long Your Personal Information Will Be Kept. We will keep your personal information while you are employed with us. Thereafter, we will keep your personal information for as long as is necessary:

- To respond to any questions, complaints or claims made by you or on your behalf; or,
- To comply with record retention laws and requirements, and our policies.

We will not retain your personal information for longer than necessary for the purposes set out in this notice. Different retention periods apply for different types of personal information. Further details on this are available in our Records Retention Policy.

When it is no longer necessary to retain your personal information, we will delete or anonymize it.

7. Your Rights Under State Privacy Laws. If you are a resident of an applicable state, you have the following rights under State Privacy Laws (such as the California Privacy Rights Act (CPRA)):

Your rights	Description
Disclosure of Personal Information We Collect About You	You have the right to know: The categories of personal information we have collected about you. The categories of sources from which the personal information is collected. Our business or commercial purpose for collecting personal information. The categories of third parties with whom we share personal information, if any; and The specific pieces of personal information we have collected about you. Please note that we are not required to: Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or Provide the personal information to you more than twice in a 12-month period.
Right to Request access, correction, amendment, and portability You also have the right to request limits on use and sharing of your Sensitive Personal Information	You can access, correct or amend certain personal information through self-service tools as set forth below: ADP Vantage SAP Concur Motivosity (edit profile) For other data, you may submit a data subject access request through our privacy portal found here: Data Subject Access Requests You may also email [email protected]. When you submit a request, you will be required to provide personal information for us to properly authenticate you and confirm your identity. We will not ask for more than necessary information for this purpose.
Personal Information Shared for a Business Purpose	You have the right to know the categories of personal information that we disclosed to a third party for a business purpose.
Right to Deletion	Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will: Delete your personal information from our records; and Direct any service providers to delete your personal information from their records. We may not delete your personal information if it is necessary to comply with our legal and employment obligations.
Protection Against Discrimination	Further by HealthEquity will not discriminate against you for exercising any of your rights allowed or required by law.

8. Keeping Your Personal Information Secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

9. Changes to This Privacy Notice. This privacy notice was published on 12/29/2022 and last updated on 10/12/2023.

We may change this privacy notice from time to time - when we do, we will inform you via posting to the Company's intranet and systems or record.

10. How to Contact the Privacy Office. Please contact the Privacy Office by email – [email protected] if you have any questions about this privacy notice or the information the Company holds about you.

11. Do You Need Extra Help? If you would like this notice in another format (for example: audio, large print, braille) please contact us (see “How to contact us” above).

Contact Information

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: [email protected]

Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512

Effective Date

Last updated October 2023.

Health Savings Accounts:

Health Savings Account Privacy Information

This document supplements the Further by HealthEquity, Inc. (“we”, “our”, “us”) General Privacy Notice and only applies to health savings accounts (“HSAs”), including the web-only HSA investment advisor services offered by HealthEquity Advisors, LLC, a wholly owned subsidiary.

When you open an HSA with Further by HealthEquity, you agree to the terms of our Health Savings Account Custodial Agreement ("Agreement", available here: Custodial Agreement). The Agreement confirms that your HSA is subject to the privacy and security protections of the Gramm-Leach-Bliley Act (“GLBA”) and that Further by HealthEquity collects, processes, and discloses HSA information in accordance with the (a) GLBA Notice of Privacy Practices, and (b) HSA Data Sharing Practices, each described below.

GLBA Notice of Privacy Practices

The GLBA Privacy Rule defines nonpublic personal information (“NPI”) as any “personally identifiable financial information” that Further by HealthEquity collects about an individual in connection with offering or providing HSA services. NPI includes any information that is not publicly available that (a) a consumer provides to Further by HealthEquity (directly or through an employer or other agent) to apply for or obtain an HSA, (b) results from a transaction between the consumer and Further by HealthEquity involving an HSA, or (c) Further by HealthEquity otherwise obtains about a consumer in connection with providing HSA services. For example, NPI includes names, addresses, phone numbers, social security numbers, income, credit score, transaction information, information collected through an internet “cookie” or other tracking technology, and the mere fact that an individual has an HSA administered by Further by HealthEquity. The GLBA Notice of Privacy Practices explains how we collect and protect NPI, and when it may be shared (e.g., for business purposes, such as transaction processing or with affiliates). The notice is available here: GLBA Privacy Notice. A paper copy was provided in your HSA welcome kit.

HSA Data Sharing Practices

Employer, Health Plan, or Insurance Company Disclosures

If you open or maintain an HSA through or in association with an employer, health plan, health insurance company, benefits administrator, benefits aggregator, or other entity, or those operating on behalf of such entities (each, an “Agent”), we may disclose HSA information, including but not limited to personally identifiable information, to your Agent related to the opening and maintenance of your HSA, and to ensure the security of our network and services, to protect against or prevent potential fraud or unauthorized transactions, or as otherwise permitted or required by law. When your Agent notifies us that your association with the Agent has been terminated, we will cease disclosing your information to that Agent, with a reasonable time for us to act on such notification.

If your Agent is subject to any rules of the U.S. Securities and Exchange Commission (“SEC”) that may indirectly or directly require the Agent to monitor your beneficial ownership of securities issued by clients of the Agent, we may disclose to your Agent the fact that you have or have not invested in securities through your HSA, the value of your ownership interest in such securities, detail regarding your transactions in such securities, and any other information that the Agent reasonably requests for purposes of facilitating its compliance with such SEC rules, unless you opt out of such sharing. To opt out, contact Member Services. Note that this opt-out only extends to the sharing described in this paragraph.

SSO or Links to Other Websites

Your Agent, retirement plan, or 401k recordkeeper, as part of a service offering, may have set up the capability whereby you can access the Agent’s retirement plan’s, 401k recordkeeper’s, or another third party’s website from our website without the need to enter your login credentials to access the third party’s website. This is often called “single sign on”. You may see a disclosure on our website that alerts you when you are leaving our website and accessing the website of the third party. If you have questions about this arrangement, please contact your Agent, retirement plan, or 401k recordkeeper.

Data Sharing Arrangements

Your Agent, retirement plan, or 401k recordkeeper, as part of a service offering and for your convenience, may have enabled functionality that would permit you to view your HSA information on the Agent’s, retirement plan’s, 401k recordkeeper’s, or another third party’s website or for other purposes that support the data sharing arrangement. If you have such an arrangement, we will share the information defined in the arrangement (such as account balance or investment information) that is necessary to provide the service with your Agent, retirement plan, 401k recordkeeper or another third party, which may be stored on their servers or systems. We are not responsible for the privacy and security practices of your Agent or another third party, and do not control their use or further disclosure of HSA information.

Integrated Claims

If you authorize the disclosure of HIPAA protected health information (“PHI”) to your HSA for personal tax recordkeeping purposes, it is no longer subject to HIPAA protections. Instead, the data is treated by Further by HealthEquity as confidential HSA information subject to the provisions of the Agreement, the GLBA Notice of Privacy Practices, these HSA Data Sharing Practices, and our General Privacy Notice.

Contact Information

If you have any questions or comments about our HSA privacy and data sharing practices, please contact us at:

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: [email protected]

Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512

Effective Date

Last updated February 2022.

Legal Homepage:

Legal information

PLEASE READ THESE TERMS OF USE AND OTHER IMPORTANT LEGAL AND PRIVACY INFORMATION AVAILABLE IN THE “QUICK LINKS” SIDEBAR CAREFULLY BEFORE USING THIS WEBSITE (“WEBSITE”). THESE TERMS OF USE GOVERN YOUR ACCESS TO AND USE OF THIS WEBSITE AND OTHER WEBSITES, APPLICATIONS, AND SERVICES PROVIDED BY HEALTHEQUITY, INC. (TOGETHER WITH ITS AFFILIATES, “HEALTHEQUITY”, “WE”, “US”, OR “OUR”). BY ACCESSING THE WEBSITE OR OTHERWISE USING THE WEBSITE, YOU ACKNOWLEDGE THAT YOU HAVE READ, FULLY UNDERSTAND, AGREE TO, AND WILL BE BOUND BY THESE TERMS OF USE. IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS OF USE, YOU MAY NOT USE THE WEBSITE OR ACCESS ANY CONTENT.

By using the Website in any manner, including but not limited to visiting or browsing the Website, you agree to these Terms of Use and all other operating rules, policies, and procedures that may be published from time to time on the Website by us, as well as the Applicable Service Terms defined below, each of which is incorporated by reference and each of which may be updated from time to time without notice to you. These Terms of Use apply to all users of the Website. ARBITRATION AND CLASS ACTION WAIVER: EXCEPT FOR CERTAIN TYPES OF DISPUTES DESCRIBED IN THE ARBITRATION SECTION BELOW, YOU AGREE THAT DISPUTES BETWEEN YOU AND US WILL BE RESOLVED BY BINDING, INDIVIDUAL ARBITRATION AND YOU WAIVE YOUR RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.

SERVICES PROVIDED BY HEALTHEQUITY

HealthEquity is an Internal Revenue Service (“IRS”) authorized, non-bank trustee (“NBT”) operating as the custodian of health savings accounts (“HSAs”). The IRS NBT Authorization Letter is available at the Quick Links sidebar on this page.

HealthEquity is also a directed third-party administrator of other tax favored health plans, programs, and services which it administers according to the sponsor’s applicable plans, programs, directives and service terms (“Plan”).

These Terms of Use are not intended to replace or modify the terms, conditions, limitations, and exclusions contained within the applicable Plan documents, the Health Savings Account Custodial Agreement or other applicable agreements or laws that apply to the services (“Additional Service Terms”). In the event of a conflict between these Terms of Use and the Additional Service Terms, such Additional Service Terms shall control unless they expressly state otherwise. In order to elect and effectively use our services, it is important to review the applicable legal documents (e.g., Plan documents, Health Savings Account Custodial Agreement, etc.) and any information provided to you by your employer.

We do not provide medical advice, diagnosis, or treatment. Information obtained from HealthEquity licensors and from the Website, including text, tools, and services, is for your personal informational purposes only and should not in any case replace legal, tax, medical, and other professional advice.

Content

For purposes of these Terms of Use, the term “Content” includes, without limitation, information, data, text, photographs, charts, videos, audio clips, other files, written posts, graphics, and interactive features generated, provided or otherwise made accessible on or through the Website. Content is provided to enhance your understanding and is for illustrative purposes only - use the information at your own risk. Content may contain references to health and/or medical materials. If you find these materials offensive, do not use this Website. We do not guarantee that any Content will be made available on the Website. We reserve the right to, but do not have any obligation to, (a) monitor, remove, edit, or modify any Content in our sole discretion, at any time, without notice to you and for any reason (including, but not limited to, upon receipt of claims or allegations from third parties or authorities relating to such Content or if we are concerned that you may have violated these Terms of Use), or for no reason at all and (b) to remove or block any Content from the Website.

License and Intellectual Property

The Website is owned and operated by HealthEquity. Unless otherwise indicated, all Content, information, and other materials on the Website are protected by relevant intellectual property and proprietary rights and laws. All Content and other materials are the property of HealthEquity or its subsidiaries or affiliated companies and/or third party licensors. Unless otherwise expressly stated in writing by HealthEquity, by agreeing to these Terms of Use you are granted a limited, non-sublicensable license (i.e., a personal and limited right) to access and use the Website for your personal use.

HealthEquity reserves all rights not expressly granted in these Terms of Use. This license is subject to these Terms of Use and does not permit you to engage in any of the following: (a) resale or commercial use of the Website or the Content; (b) distribution, public performance or public display of any Content; (c) modifying or otherwise making any derivative uses of the Website or the Content, or any portion of them; (d) use of any data mining, robots, or similar data gathering or extraction methods; (e) downloading (except page caching) of any portion of the Website, the Content, or any information contained in them, except as expressly permitted on the Website; or (f) any use of the Website or Content except for their intended purposes. Any use of the Website or Content except as specifically authorized in these Terms of Use, without the prior written permission of HealthEquity, is strictly prohibited and may violate intellectual property rights or other laws. Unless explicitly stated in these Terms of Use, nothing in them shall be interpreted as conferring any license to intellectual property rights, whether by estoppel, implication, or other legal principles.

Copyrights

Copyrights in the Website, Content, or display screens, and in the information and material within, including their arrangement, are owned by HealthEquity. unless otherwise indicated. No information or content except as otherwise expressly stated herein, may be copied, transmitted, displayed, performed, distributed, or otherwise used in whole or in part in any manner without HealthEquity’s prior written consent, except to the extent permitted by the Copyright Act of 1976, as amended, and then, only for your personal nonbusiness use.

We respect the intellectual property of others and follow the requirements set forth in the Digital Millennium Copyright Act (https://www.copyright.gov/onlinesp) and other applicable laws. The address to receive notification of claimed infringement is listed at the end of this section. If you believe that material or content residing on or accessible through the Website infringes a copyright, please send a notice of copyright infringement (see “Contact Information / Registered Agent for Service of Process” section below) containing the following information: a physical or electronic signature of a person authorized to act on behalf of the owner of the copyright that has been allegedly infringed; identification of works or materials being infringed; identification of the material that is claimed to be infringing including information regarding the location of the infringing materials that the copyright owner seeks to have removed, with sufficient detail so that we are capable of finding and verifying its existence; contact information about the notifier including address, telephone number and, if available, e-mail address; a statement that the notifier has a good faith belief that the material is not authorized by the copyright owner, its agent, or the law; and a statement made under penalty of perjury that the information provided is accurate and the notifying party is authorized to make the complaint on behalf of the copyright owner. Please contact us to receive notification of claimed infringement (see “Contact Information / Registered Agent for Service of Process” section below). We suggest that you consult your legal advisor before filing a notice or counter-notice. Please be aware that there may be penalties for false claims under the DMCA. DMCA details are available at https://www.copyright.gov/onlinesp.

Disclaimer

We have no special relationship with or duty to you, unless expressly documented in a formal agreement such as the HSA Custodial Agreement or services arrangement. You acknowledge that we have no duty to take any action regarding: which users gain access to the Website, what Content you access via the Website, or how you may interpret or use the Content. You release us from all liability for you having acquired or not acquired Content through the Website. We make no representations concerning any Content contained in or accessed through the Website, and we will not be responsible or liable for the accuracy, copyright compliance, or legality of material or Content contained in or accessed through the Website.

THE INFORMATION, SERVICES, PRODUCTS, DATA, MATERIALS, AND CONTENT CONTAINED ON THIS WEBSITE ARE PROVIDED ON AN "AS IS" AND “AS AVAILABLE” BASIS AND HEALTHEQUITY, TO THE MAXIMUM EXTENT PERMITTED BY LAW, DOES NOT ASSUME RESPONSIBILITY OR GUARANTEE THE ACCURACY, TIMELINESS, OR COMPLETENESS OF THE CONTENT. HEALTHEQUITY DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS OF ANY KIND WITH REGARD TO THE WEBSITE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. HEALTHEQUITY DOES NOT WARRANT THAT THE HEALTHEQUITY WEBSITE IS FREE OF MALWARE OR OTHER HARMFUL COMPONENTS. IN ADDITION, HEALTHEQUITY MAKES NO REPRESENTATION NOR DOES IT WARRANT, ENDORSE, GUARANTEE, OR ASSUME RESPONSIBILITY FOR ANY THIRD PARTY APPLICATIONS (OR THE CONTENT THEREOF), DEVICES OR ANY OTHER PRODUCT OR SERVICE ADVERTISED, PROMOTED OR OFFERED BY A THIRD PARTY ON OR THROUGH THE HEALTHEQUITY WEBSITE OR ANY HYPERLINKED WEBSITE, OR FEATURED IN ANY BANNER OR OTHER ADVERTISING AND HEALTHEQUITY IS NOT RESPONSIBLE OR LIABLE FOR ANY TRANSACTION BETWEEN YOU AND THIRD PARTY PROVIDERS OF THE FOREGOING. NO ADVICE OR INFORMATION WHETHER ORAL OR IN WRITING OBTAINED BY YOU FROM HEALTHEQUITY SHALL CREATE ANY WARRANTY ON BEHALF OF HEALTHEQUITY. THIS SECTION APPLIES TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW.

Indemnification

You shall defend, indemnify, and hold harmless HealthEquity, our respective subsidiaries, affiliates and each of our and their respective officers, directors, employees, contractors, suppliers and representatives from and against any and all liabilities, claims, damages, judgments, awards, losses, costs, and expenses, including reasonable attorneys’ fees, that arise from or relate to your breach of these Terms of Use, your misuse of the Website or Content, your noncompliance with applicable law, or your infringement of any intellectual property or other right of any person or entity. We reserve the right to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event you will assist and cooperate with us in asserting any available defenses. You agree to defend and indemnify HealthEquity and our subsidiaries, affiliates, officers, directors, employees, and agents, and hold them harmless from any claim, demand, or damage, including reasonable attorneys’ fees, arising out of or related to your breach of these Terms of Use or your misuse of the website.

Limitation of Liability

Under no circumstance will HealthEquity be liable for any indirect, consequential, incidental, special, punitive, or exemplary damages arising out of any use of or inability to use the Website or any portion thereof, regardless of whether HealthEquity has been apprised of the likelihood of such damages occurring and regardless of the form of action, whether in contract, warranty, tort (including negligence), strict liability, or otherwise. Further, under no circumstance will HealthEquity be liable for any losses including, without limitation, direct or indirect, special, incidental, consequential, exemplary, and punitive damages, personal injury/wrongful death, lost profits, or damages resulting from lost data or business interruption. You agree that HealthEquity shall not be liable for any damage resulting from your use or inability to use this Website or the Content herein, including claims based on warranty, contract, tort, strict liability, and any other legal theory, and covers HealthEquity, its affiliates, and their officers, directors, employees, and agents. You agree that you use this Website at your own risk. If you are dissatisfied with this Website or the Content, your sole and exclusive remedy is to discontinue using the website.

Third Party Services

The Website may permit you to link to or share Content with other websites, services, or resources on the Internet, including, but not limited to, Facebook, Twitter, YouTube, LinkedIn, or various government websites. Other websites, services, or resources may contain links to the Website and Content. When you access third-party resources on the Internet, you do so at your own risk. These other resources are not under our control, and you acknowledge that we are not responsible or liable for the content, functions, accuracy, legality, appropriateness, or any other aspect of such websites or resources. The inclusion of any such link or ability to share Content does not imply our endorsement or any association between us and their operators. You further acknowledge and agree that we shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any such content, goods, or services available on or through any such website or resource.

Privacy

Your privacy is important to us. Please see our General Privacy Notice (healthequity.com/privacy) to learn how we collect, use, and disclose your personal information.

Arbitration

YOU AGREE THAT ALL DISPUTES BETWEEN YOU AND US (WHETHER OR NOT SUCH DISPUTE INVOLVES A THIRD PARTY) WITH REGARD TO YOUR RELATIONSHIP WITH US, INCLUDING WITHOUT LIMITATION DISPUTES RELATED TO THESE TERMS OF USE, YOUR USE OF THE WEBSITE, AND/OR RIGHTS OF PRIVACY AND/OR PUBLICITY, WILL BE RESOLVED BY BINDING, INDIVIDUAL ARBITRATION UNDER THE AMERICAN ARBITRATION ASSOCIATION’S RULES FOR ARBITRATION OF CONSUMER-RELATED DISPUTES AND YOU AND WE HEREBY EXPRESSLY WAIVE TRIAL BY JURY; PROVIDED, HOWEVER, THAT TO THE EXTENT THAT YOU HAVE IN ANY MANNER VIOLATED OR THREATENED TO VIOLATE OUR INTELLECTUAL PROPERTY RIGHTS, WE MAY SEEK INJUNCTIVE OR OTHER APPROPRIATE RELIEF IN ANY STATE OR FEDERAL COURT IN THE STATE OF UTAH. DISCOVERY AND RIGHTS TO APPEAL IN ARBITRATION ARE GENERALLY MORE LIMITED THAN IN A LAWSUIT, AND OTHER RIGHTS THAT YOU AND WE WOULD HAVE IN COURT MAY NOT BE AVAILABLE IN ARBITRATION. As an alternative, you may bring your claim in your local “small claims” court, if permitted by that small claims court’s rules and if within such court’s jurisdiction, unless such action is transferred, removed or appealed to a different court. You may bring claims only on your own behalf. Neither you nor we will participate in a class action or class-wide arbitration for any claims covered by this agreement to arbitrate. YOU ARE GIVING UP YOUR RIGHT TO PARTICIPATE AS A CLASS REPRESENTATIVE OR CLASS MEMBER ON ANY CLASS CLAIM YOU MAY HAVE AGAINST US INCLUDING ANY RIGHT TO CLASS ARBITRATION OR ANY CONSOLIDATION OF INDIVIDUAL ARBITRATIONS. The location of the arbitration shall be Salt Lake City, Utah. You also agree not to participate in claims brought in a private attorney general or representative capacity, or consolidated claims involving another person’s account, if we are a party to the proceeding. This dispute resolution provision will be governed by the Federal Arbitration Act and not by any state law concerning arbitration. In the event the American Arbitration Association is unwilling or unable to set a hearing date within one hundred and sixty (160) days of filing the case, then either we or you can elect to have the arbitration administered instead by the Judicial Arbitration and Mediation Services. Judgment on the award rendered by the arbitrator may be entered in any court having competent jurisdiction. Any provision of applicable law notwithstanding, the arbitrator will not have authority to award damages, remedies or awards that conflict with these Terms of Use. You agree that regardless of any statute or law to the contrary, any claim or cause of action arising out of, related to or connected with the use of the Website, Privacy Notice or these Terms of Use must be filed within one (1) year after such claim of action arose or be forever banned. If the prohibition against class actions and other claims brought on behalf of third parties contained above is found to be unenforceable, then all of the preceding language in this Arbitration section will be null and void. This arbitration agreement will survive the termination of your relationship with us.

Applicable Law, Personal Jurisdiction, and Venue

These Terms of Use are governed by and enforced in accordance with the laws of the Utah (excluding conflict of law principles). By using this Website, you agree to submit to the exclusive personal jurisdiction and venue of the federal and state courts located in Salt Lake County, Utah, with respect to all matters.

Unauthorized Use

Unauthorized use of HealthEquity’s Website(s) and systems, including but not limited to unauthorized entry, misuse of passwords, or misuse of any information posted to our Website(s), is strictly prohibited.

Miscellaneous Terms

Your obligations and compliance with these Terms of Use survive their termination. If any provision of these Terms of Use is found to be invalid by any court having competent jurisdiction, the invalidity of such provision shall not affect the validity of the remaining provisions, which shall remain in full force and effect. No waiver of any of these Terms of Use shall be deemed a further or continuing waiver of such term or condition or any other term or condition. You may not transfer or assign any rights or obligations under these Terms of Use. We may transfer or assign its rights and obligations under these Terms of Use. No agency, partnership, joint venture, or employment relationship is created as a result of these Terms of Use and neither party has any authority of any kind to bind the other in any respect.

Eligibility

You represent and warrant that you are at least 13 years of age, that your parent or legal guardian agrees to be bound by these Terms of Use if you are between 13 and the age of legal majority in your jurisdiction of residence, and that you have not been previously removed from and are not prohibited from using the Website. We may, in our sole discretion, (a) refuse to offer use of the Website to any person or entity and (b) change its eligibility criteria at any time. You are solely responsible for ensuring that these Terms of Use are in compliance with all laws, rules, and regulations applicable to you.

Changes to Terms

HealthEquity reserves the right to update these Terms of Use at any time. Continued use of the Website and/or HealthEquity services, signifies your acceptance of any changes.

Contact Information / Registered Agent for Service of Process

Please send questions or comments about our Terms of Use and all other legal notices to our registered agent for service of process:
National Registered Agents, Inc.
1108 E South Union Avenue
Midvale, UT 84047
https://secure.utah.gov/bes/details.html?entity=5578753-0143

Effective Date
Last updated February 2023.

Risk and Security:

Security & IT

Remarkable service begins with remarkable trust. This is how we're building it at Further by HealthEquity.

SOC 2

Service Organization Controls (Soc2)

(TYPE II) Trust Services Principles

NIST CSF

National Institute of Standards and Technology Cybersecurity Framework

HIPAA

Health Insurance Portability and Accountability Act

Strengthening our Total Solution

As part of our remarkable service, we are committed to protecting the confidentiality, integrity, and availability of your personal information and our systems and applications.

This site explains our approach to securing your data against cyber threats—employing secure design and testing practices, developing a world-class Security & IT organization, and building strong partnerships across the cybersecurity industry.

Our Guiding Principles

People First

HealthEquity team members are our first line of defense against cyber-attacks—this is why we are investing in tools and training for security awareness, as well as why we prioritize building a world-class Security & IT team.

Zero Trust Framework

The adoption of the Zero Trust security framework at HealthEquity strengthens network security by verifying what can access corporate resources and services. Our redesigned “always on VPN” has also allowed our team members to safely work from home.

Converged Learning

Managing cybersecurity, physical security, fraud, and privacy under one team is not just an administrative exercise. It also means we combine the decision-making practices and lessons we have learned from each of these skillsets.

Strong Partnerships

Moving to the cloud and integrating our platforms is an “all-hands on-deck” effort for HealthEquity. Internal and external partnerships are critical—we have built relationships with state and federal law enforcement and security information-sharing organizations.

The Converged Team

Our cross-functional team is staffed with subject matter experts and leaders from each of these areas:

Cybersecurity

We follow a defense-in-depth security model with a Joint Security Operations Center (JSOC) and Data Protection team working with security architects and engineers deploying controls designed to prevent or limit the success of an attack.

Fraud Prevention

Our Fraud Strategy and Prevention team is leveraging the best practices of fraud prevention and cybersecurity monitoring to protect the transactions of our members and clients.

Physical Security and Crisis Management

Led by federal law enforcement veterans, our People Safety team is responsible for ensuring the security of our 3,000+ team members across the US. We also conduct regular tabletop exercises to ensure we are ready to respond to crises.

Privacy

Our Data Privacy and Governance team helps our technology teams build a lasting roadmap to creating our products, services, and standards with privacy by design, and transparency at the forefront. See our privacy policy here.

Detailed Capabilities

Statement on Standards for Attestation Engagements 18 (SSAE-18) and Service and Organization Controls (SOC 1 and 2) reports
Routine third-party validation testing
Assessment and testing for vulnerabilities, recovery, and capacity
Intrusion prevention program
Multiple redundant data centers
Plans tested routinely
Multiple call centers with dynamic call migration
All employees and non-employees with access to Further by HealthEquity systems and data complete mandatory compliance, privacy, and security training upon hire and every year thereafter
Health Insurance Portability and Accountability Act (HIPAA Security Rule)
An external NIST CSF Assessment was done in 2021, mapped to HIPAA and GLBA controls
Policies and procedures are mapped to NIST CSF
Employment verification and criminal checks for US employees

Responsible Disclosure Process

This section is for security researchers who are interested in reporting security vulnerabilities on the Further by HealthEquity platform. We value the assistance of the security research community and encourage researchers or others to report any potential vulnerabilities in accordance with the guidelines below.

Safe Harbor

We will not pursue legal action against researchers who comply with the Further by HealthEquity defined responsible disclosure process.

Reward/ Compensation

Further by HealthEquity does not operate a bug bounty program and makes no offer of reward or compensation. If you are the first to report a qualifying vulnerability and would like to be included in our Security Researcher Hall of Fame, please provide us with your name and a link for recognition.

Reporting Instructions

We will not pursue legal action against researchers who comply with the Further by HealthEquity defined responsible disclosure process.

Email us at [email protected].
Report issues promptly and do not attempt to further exploit the system or its data once you have confirmed and documented the issue.
Include a detailed description of the vulnerability: tools utilized, target, processes, and results.
Do NOT include any sensitive/personal/non-public data samples, a description of such data is sufficient.

Acknowledgement and Response

When the Further by HealthEquity Information Security Team receives a report, we will send an acknowledgement within three business days. Request(s) for further information may be sent as needed. After validation/verification of a vulnerability, additional communications will be sent through resolution.

Timeframe

Further by HealthEquity will not negotiate in response to a threat (e.g., a threat of withholding, or threat of releasing the vulnerability to the public). However, we will work with you, and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public. We will not share names or contact data of security researchers unless given explicit consent.

External Vulnerability Reporting

Reporting of vulnerability information to other third parties or vendors will be determined at the discretion of Further by HealthEquity.

Responsible Disclosure Guidelines

DO:

Do cease testing and report the vulnerability or exposure of non-public or sensitive data as quickly as is reasonably possible to [email protected], to minimize the risk of hostile actors finding or taking advantage of it.
Do provide sufficient information to reproduce the problem so we will be able to resolve it as quickly as possible. Usually, the IP (Internet Protocol) address or the URL (Universal Resource Locator) and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
Do limit testing to Further by HealthEquity owned applications as defined in the ‘In-Scope’ section of this policy.
Do remove any non-public or sensitive data from your system that might have been obtained during testing.

DO NOT:

Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, making changes to the system, installing malicious software, or deleting or modifying other people’s data.
Do not test third-party applications, websites, or services that integrate with, or link to or from Further by HealthEquity systems.
Do not test in a manner which could degrade the operation of Further by HealthEquity systems or intentionally impair, disrupt, or disable Further by HealthEquity systems.
Do not build your own backdoor into a system, even if the intention is to demonstrate the vulnerability; doing so can cause additional damage and create unnecessary security risks.
Do not reveal the problem to others until it has been resolved.
Do not use attacks on physical security, social engineering, distributed denial of service, spam, phishing, or applications of third parties.
Do not include any sensitive/personal/non-public data samples in your report, a description of such data is sufficient.

In Scope

All publicly accessible domains, applications, and systems owned by HealthEquity and its subsidiaries. If you have any other information you would like to provide to our security team, please do so via the Reporting Instructions.

Out of Scope

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Vulnerabilities that require access to an already compromised user account (unless access to an account exposes other accounts).
Policies as opposed to implementations, such as email verification or password length or reuse.
Spam (unless a specific vulnerability leads to easily sending spam).
Missing security headers or ‘best practices’ (except if you are able to demonstrate a vulnerability that makes use of their absence).
Distributed Denial of Service attacks (DDoS).
Social engineering attacks.
Third party applications we make use of but do not control (e.g., a media library or social media service).

Security Researcher Hall of Fame

Further by HealthEquity would like to publicly express our gratitude to the following security researchers for responsibly disclosing vulnerabilities and working with us to remediate them. We truly appreciate your remarkable efforts!

Contact Information:

Contact Information

If you have any questions about HealthEquity’s privacy practices, commitments, or notices, we would love to hear from you.

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: [email protected]

Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512

Effective Date

Last updated February 2022.