General Privacy Notice

Your privacy is important to us. This General Privacy Notice (“Notice”) describes the information HealthEquity, Inc. ("HealthEquity", "we", "our", “us”) collects when interacting with you in connection with our products and services (such as health savings accounts and various employer sponsored plans and programs, each an “Account” and collectively, “Services”), or employment opportunities. This Notice also describes how our website and mobile application may collect information from you.

We encourage you to review our other applicable product, state, and regulatory notices provided through the Quick Links to the left. Please read those notices to understand how they apply to you and the Services. You can view the privacy practices applicable to specific types of information and to our different Services, and how we use personal information to conduct our business.

When we are administering a health benefit plan provided by your employer, the information we collect about you is subject to the requirements of the Health Insurance Portability and Accountability Act ("HIPAA"). In circumstances where HIPAA applies, your plan’s HIPAA Notice of Privacy Practices and not this General Privacy Notice will apply. If you have questions about which policy applies in a certain situation, please contact us using the Contact Information provided in this General Privacy Notice.

This website is intended for individuals who reside in the United States. We honor all individual privacy rights defined by law, as set forth herein, and in governing regulations.

We reserve the right to make changes to this Notice and our other privacy notices, and recommend you read them regularly. Your submission of personal information for job opportunities, or use of the HealthEquity website and/or our Services constitutes your acceptance of and agreement to this Notice. If you do not agree to this Notice, do not use the website, Services, or otherwise provide your personal information. If we provide Services to you, to stay current on our practices, please update your email address with us if it changes.

 

What information we collect

When you sign up for Services we may collect and process, from you or from your employer, your personal information that includes, but is not limited to, the following:

• Your name;
• E-mail and physical address;
• Social security number ("SSN");
• Date of birth;
• Phone number;
• Names of the dependents (and other identification or "ID") that are connected to or covered by your Account;
• Names and ID of people authorized by you to use your Account;
• Names and ID of people authorized by you to access your Account information;
• Technical information associated with the device you use, such as the type and model, system language, browser type, geographical location, operating system, Internet protocol (IP) address, IDFA (identifier for advertisers), and other unique identifiers collected automatically when you interact with our website (as further detailed below in the “Cookies and Website” section); and
• Transactions with us such as your Account balance, fees, payments, reimbursements, distributions, contributions, and the identity of persons to whom you make payments, including health care providers.

If you are receiving services from us, we may combine personal information that you provide us with information from other sources such as from your employer or benefits plan/program sponsor and our business partners and service providers.

In addition to the personal information noted above, when you call our Company for customer service, we may collect your biometric information that includes your voice prints and speech patterns for identification, fraud prevention, quality assurance and training. We will not sell your biometric data and will protect it with necessary care.

If you apply for a job opportunity, we collect personal information from you in connection with your resume and the application you submit to us. We use your information to evaluate your skills and abilities for job opportunities, verify your information, carry out reference checks and/or background checks (where applicable), communicate with you about the recruitment process, recommend potential career opportunities, create and/or submit reports as required under applicable laws/regulations, and make improvements to our application or recruitment process.

The personal information we collect may include:

• Identification Data – such as full name, preferred name, home address, email address, telephone number, and photo/image (if volunteered), citizenship status, or nationality.
• Demographic Data – such as gender, ethnicity, disability status, gender identity, and sexual orientation. Our purposes for processing this data include the following:
  • To monitor and ensure diversity and equality of treatment and opportunity;
  • To provide work-related accommodations or adjustments; and

To comply with applicable legislation.

• Employment and Professional Data – such as job title/position, hire/term/rehire dates, employer information, employment contacts, CV/resume, academic/professional qualifications, skills, work-related licenses, education, references, military status, work permits, salary, desired salary.
• Other Data – we may also collect personal information about you from third parties or public sources as needed to support the employment relationship or to engage with you concerning job opportunities at our company. For example, before and during your employment or assignment we may collect information from public professional sources, such as your LinkedIn profile for recruitment purposes. We also may conduct lawful background screenings to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history.

If you are offered and accept employment with us, the personal information collected during the job application and recruitment process may become part of your employment record. If you are not offered or accept employment, we will keep your CV/resume on file for future job openings. You may request removal of your CV/resume by submitting a request pursuant to the Data Subject Access Request process set forth herein.

Note that where processing is not required or permitted by law, we will ask for your express consent.

How we collect information Your Personal Information

• Direct Interactions: You provide your personal information when contacting us through applications, this website, mobile applications, signing up for or receiving Services, emailing us, or applying for job opportunities through candidate tracking systems.
• Third Parties or Publicly Available Sources: We may obtain information about you from your employer, your health plan, benefit provider, publicly available online sources or government records, background check providers, criminal records check, or past or current professional references you supply to us. We will seek information from third parties only once a job offer or assignment has been made or through provisioning of Services, and will inform you that we are doing so.

It is your choice whether to provide us with personal information, however, our ability to provide or continue to provide Services or information to you may be impacted should you decline to provide us with requested information.

Use of AI Systems We use AI systems to process personal information in accordance with relevant privacy laws and regulations. AI systems help us improve our services, provide personalized experiences, and make data-driven decisions. We prioritize responsible AI systems use and use AI Systems with human oversight where feasible, especially when making significant decisions impacting individuals.

Cookies and Website Tracking

“Cookies” may be placed on your computer when you visit HealthEquity’s website. Cookies allow us to collect technical information associated with the device you are using and collect information, including clickstream information, browser type, time and date you visited the website, and other information about your interactions with the website (as detailed above in “What Information We Collect”). Cookies can be for a single session or interaction with our website or can be persistent and stored on your computer or device until they are deleted or expire. Most internet browsers allow you to disable and delete cookies or can be set to notify you when you receive a cookie allowing you decide whether to accept it. If you choose to disable cookies some functionality on the website may be impacted or not work at all.

Additionally, like many websites, we use standard internet technology (such as web beacons, tracking pixels, and embedded scripts) to track your web-surfing activity when you are visiting our website. We also include standard internet technology in advertisements and promotional e-mail messages to determine whether advertising or messages have been acted upon. This information enables us to customize the services we offer our website visitors, to deliver targeted advertisements, and to measure the overall effectiveness of our online advertising, content, programming, or other activities. Some other examples of ways we use your activity information include developing anonymized reports regarding website usage, activity, and statistics for our internal use and assisting users experiencing website problems.

We use this information only as dictated by applicable law.

We may also allow third party service providers to use cookies and other web technologies to collect information and to track browsing activity over time and across third party websites such as web browsers used to read our websites, which websites are referring traffic or linking to our websites, which may deliver advertisements to you. We do not control these third-party technologies and their use is governed by the privacy policies of the third parties using such technologies. For more information about entities that use these technologies, see http://www.aboutads.info/consumers , and to opt-out of such ad networks’ and services’ advertising practices, go to www.aboutads.info/choices .

We use Google and Facebook technologies to advertise online. These technologies help us tailor ads that we think may be of interest to visitors to our website. As always, we respect your privacy and do not collect any personal information using these technologies. For example, we may tailor advertising based on the specific product pages you viewed on the website. These ads may appear across the internet, including websites on Google and Facebook. You may opt out of these cookies by visiting the ad settings on these entities’ webpages or through our cookie management console. Any data we collect through these technologies is used for internal purposes only, in accordance with applicable law and our privacy policies and notices.

We use Google Analytics as described at https://policies.google.com/technologies/partner-sites . You can prevent your data from being used by Google Analytics on our websites by installing the Google Analytics opt-out browser add-on or through our cookie management console. If you have accounts with third-party providers, you may be able to control your ad preferences through your account settings.

You can opt out of these cookies and web technologies at any time by using our cookie management console. You are prompted to make cookie management choices upon your first visit to our website. To update your choices, visit our cookie management console.

How we use and share information

We may use or share the personal information listed above for the following business or commercial purposes:

• Delivering our Services to you, or on behalf of another, including:
  • Verifying your identity, opening and administering your Accounts and benefits, and providing other financial services under the USA PATRIOT Act;
  • Administering the Services that we offer you or your employer, including to determine eligibility or to review and pay claims;
  • Displaying claims information in your health savings account portal with your authorization;
  • Communicating with you or others designated by you about your Account, benefits, and/or our Services;
  • Responding to inquiries;
  • Making payments to medical service providers;
  • Providing you with any health insurance information related to our Services, if applicable;
  • Helping to protect you and us from fraud and financial loss;
  • Linking accounts you provide us to facilitate the movement of funds as directed by you;
  • Preparing Account statements;
  • Preparing annual tax reporting information, if applicable;
  • Protecting your health, safety, or welfare;
  • Delivering user surveys; and
  • Delivering customized content and analytics on our websites or app.
• Operating our websites and maintaining or servicing your Account;
• Engaging third party service providers to assist us in administering and providing our products and services pursuant to a written agreement;
• To enhance our Services through AI and data analytics, ensuring a better user experience;
• Conducting internal research to develop and demonstrate technology;
• Marketing our Services, only as permitted by law;
• Keeping a record of our transactions and communications;
• Conducting audits and reporting related to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;
• Detecting, analyzing, and preventing security incidents, and other fraudulent or illegal activity;
• Identifying, debugging and repairing errors in our systems, websites, or app that impair existing functionality;
• Protecting our rights, the rights of affiliates and related third parties, or taking appropriate legal action, such as to enforce our Terms of Use;
• Complying with applicable laws, regulations, administrative or legal requests, subpoenas, or otherwise as required by law;
• In connection with a merger, acquisition, or other sale or transfer of all or part of our assets or business;
• In accordance with your consent, authorization, or instructions;
• Short-term, transient use of personal information that is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction; and

We do not sell our customer lists or individual customer information. We will only share your personal information with third parties as outlined in our privacy notices. From time-to-time, we provide your information to nonaffiliated third-party service providers (i.e., subcontractors) to perform services for or functions on our behalf, to effect, administer, or enforce transactions necessary for the proper administration of an Account or as otherwise authorized by you.

We may also exchange information with reference sources or reporting agencies for risk management and verification, to maximize the accuracy and security of your personal information. We only use and share information needed to service your account or protect against fraud, unless we are required to do so by law.

If you have an Account and are receiving Services from us, you may authorize other individuals to access your information or make changes to your Account (such as a spouse, dependent, or legal representative). You are responsible for your authorized user’s transactions. Your authorized users will have access to the Account balance if they are authenticated by our system. It is your responsibility to keep your authorizations up to date and accurate. You will be able to see all activities conducted by an authorized user.

 

Consumer Rights and Choices

You may have rights such as the right to know, access, and/or delete your information. These rights may differ depending on your State of residency or the source of the information, or the type of Services or Account you have. You can submit a request regarding your personal information through our Privacy portal, located here - Data Subject Access Requests. If you are a HealthEquity teammate, you can submit requests regarding your personal information through our Privacy portal, located here – Teammate Data Subject Access Requests.

You may also submit your requests to [email protected] . Please note, there may be situations where we cannot grant your request, for example, if you ask us to delete your data that is governed by a Federal privacy regulation that is exempted from your state privacy law, or where HealthEquity is legally obligated to keep a record of our interactions with you to comply with law. We may also decline your request in order to maintain our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied are if it jeopardizes the privacy of others, is frivolous or vexatious, or would require disproportionate effort.

Authentication of Consumer Requests

To ensure the security and accuracy of your privacy rights requests, we may take the following steps to verify your identity:

1. Existing Authentication Data: We may use information we already have on file, such as account numbers, addresses, or dates of birth.
2. Security Questions: For more sensitive requests, we may ask you to answer security questions that only you would know.
3. Document Uploads: In certain cases, we may request you to upload identification documents to verify your identity.

Authorized Agents: If your request is made through an authorized agent, we will verify the agent's authority by requiring signed permission from you and may also contact you directly for further verification.

 

 Electronic and Online Communications

We use e-mail to send newsletters, account notifications, marketing materials, and other communications, on a periodic basis to various individuals and organizations. You can opt-out of these communications at any time. For example, you can opt-out using links in a specific email communication or contact us (see Contact Information below). Opt-outs may not apply to communications related to your Account status, administrative messages, website updates, or other communications that are necessary to provide our Services.

We also, if you opt in to such communications, may use SMS text to communicate with you. We do not share your subscriber data with any other parties.

Information Security

HealthEquity places a high priority on protecting your personal information. We maintain administrative, technical, and physical safeguards designed to protect the information that you provide on this website and in connection with the Services from unauthorized access to or acquisition of such information. Please be advised, however, that regardless of our best efforts to protect information, the confidentiality and security of any communication or material transmitted to or from the website or via email cannot be guaranteed to be 100% secure at any time. We also cannot guarantee that the information you transmit over the Internet will not be unlawfully intercepted or accessed by third parties. Any transmission of your information is at your own risk. Therefore, we strongly encourage all users to be careful and responsible about what you choose to provide online. Further, when you create an Account with HealthEquity, you will create a unique password. It is your responsibility to personalize your password and protect and secure such password. HealthEquity is not responsible for any information compromised due to your failure to secure your Account or login credentials.

If you have any reason to believe that your interaction with us through this website or other means is no longer secure, please immediately notify us (see Contact Information below).

For more details regarding our information security practices, please see our Information Security information available in the Quick Links on the left.

 

HealthEquity will, for example:

• Never ask for your login or password through email or phone call;
• Use your secret question and answer to authenticate you on a phone call;
• Never utilize an automated voice response system when contacting you.
• Information provided via our web portal is submitted within a secure session. These sessions utilize Transport Layer Security (TLS, formerly known as SSL) technology to ensure that the information is encrypted while in transit. Your browser must be able to support this technology to use our web services.
• Require a User ID and password in order to access an Account or receive Services. This may either be provided to you or you will be allowed to choose your own. The User ID and password are designed to protect you by confirming your identity to our computer network systems. Our employees do not have access to your password.
• Automatically log you out of your Account if you are inactive after logging in for a certain amount of time.
• Require you to regularly change your password from time to time.
• Monitor your Account for any signs of suspicious or potentially fraudulent activity.
• Maintain up to date policies, standards, and processes designed to protect your personal information and comply with applicable state and federal data security laws, regulations, and guidance.
• Train our workforce on our policies, standards, and processes.
• Limit access to your personal information to only those who need it to perform their duties.
• Require our subcontractors to maintain the same privacy and security standards for protecting your information as we do.

California Privacy Practices

If you are a California resident, please see more information about our privacy practices and your rights in our California Privacy Notice.

Children's Privacy

HealthEquity’s Services are intended for individuals who are at least 13 years of age. The Services may include information about dependents or beneficiaries who are under the age of 13, however, there are no Services offered directly to children under the age of 13. We do not collect personal information from children under the age of 13. If you think we have collected personal information from a child under the age of 13, without parental consent, please alert us (see Contact Information below).

Contact Information

If you have any questions or comments about this Notice or our other privacy notices, the ways in which we collect and use information, or choices and rights regarding personal information, please contact us at:

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: [email protected]

Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512

Effective Date

Last updated January 2025.