California Privacy Notices | HealthEquity

California Privacy Notice

For California residents, our information sharing practices are in accordance with federal law. California law places additional restrictions on sharing information about its residents, and our policies comply with such restrictions.

Direct Marketing Requests

California Civil Code Section 1798.83 permits you, if you are a California resident, to request certain information regarding disclosure of Personal Information (defined below) to third parties for their direct marketing purposes. To make such a request, please send an e-mail to Privacy@healthequity.com or write to us at Privacy Officer, HealthEquity, Inc., 121 W. Scenic Pointe Drive, Draper, UT 84020.

Do Not Track Settings

Cal. Bus. and Prof. Code Section 22575 also requires us to notify you how we deal with the “Do Not Track” settings in your browser. As of the effective date listed above, there is no commonly accepted response for Do Not Track signals initiated by browsers. Therefore, HealthEquity’s system does not respond to the Do Not Track settings. Do Not Track is a privacy preference you can set in your web browser to indicate that you do not want certain information about your web page visits tracked and collected across websites. For more details, including how to turn on Do Not Track, visit www.donottrack.us.

California Consumer Privacy Act/California Privacy Rights Act Supplemental Notice

This California Privacy Notice is intended to supplement our other privacy notices available here.

To understand our privacy practices, you should refer to our other privacy notices and this supplemental California notice (“Notice”).

Applicability

The California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and this Notice apply to visitors, users, and others who are California residents (“consumers” or “you”).

This Notice applies to California residents’ Personal Information, as defined below, that we collect to provide them with certain products and services (collectively, “Services”). The CCPA and CPRA do not apply to Personal Information for some of our Services that are excepted from the CCPA and CPRA, such as those subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act (GLBA). The requirements of CCPA and CPRA further do not apply to deidentified or aggregate consumer information.

In addition, updated CCPA/CPRA requirements went into effect on January 1, 2023, for applicable Services related to employee and business-to-business Personal Information. As a result, this Notice also applies to employees, applicants for employment, and independent contractors, who are California residents.

Personal Information

The CCPA and CPRA define “Personal Information” as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household. Under the CPRA, “Personal Information” further includes “Sensitive Personal Information” such as social security number, driver license number, state identification card, passport number, financial data, genetic data, biometric data, precise geolocation, racial and ethnic origin, content of consumer communications (email, mail, or text) unless the business is the intended recipient, and information collected concerning a consumer’s health, sex life, or sexual orientation.

Below are the categories of Personal Information that we may have collected or shared for a business purpose in the last twelve (12) months, as permitted by law and depending on the product you receive:

Retention

We retain Personal Information about you necessary to fulfill the purpose for which that information was collected and in accordance with your employer’s contract with us, consistent with applicable laws. We generally retain information regarding [for example, an individual’s Commuter Account with us] for at least seven years from [the date of our last interaction/account closure/etc.], in compliance with our obligations under applicable laws, or for longer if required to do so according to our regulatory obligations or where we believe necessary to establish, defend, or protect our legal rights or those of others.

When we destroy your Personal Information, we do so in a way that prevents that information from being restored or reconstructed.

Categories of Sources of Personal Information

Below are the sources from which we may receive your Personal Information:

  • directly from you when you inquire about our Services via our website or by telephone
  • from you when you or a benefit program sponsor creates an account with us
  • from you when you submit a claim for reimbursement
  • from your device when you access our website, mobile app and other online services
  • from your employer (where applicable) when related to Services that are covered by CPRA and CCPA
  • from third parties that assist us in providing relevant Services

We may combine Personal Information that you provide us through our website with other information we have received from you or your employer plan or program sponsor, whether online or offline, or from other sources such as from our service providers. For more information, please see the “What Information We Collect” section of our General Privacy Notice. Our website uses cookies to improve functionality and performance. Please see the “Cookies” section of our General Privacy Notice for more information.

How We Use and Share Personal Information For Business or Commercial Purposes

We may use or share the Personal Information listed above for the following business or commercial purposes:

  • Delivering relevant Services to you, or on behalf of another, including:
    • Verifying your identity in connection with the Services.
    • Administering the Services subject to CCPA and CPRA at the direction of your employer, including to determine eligibility for reimbursement under your employer’s benefits program;
    • Communicating with you or others designated by you about your participation in an employer sponsored benefit program, in connection to which we provide Services;
    • Responding to covered inquiries;
    • Helping to protect you and us from fraud or financial loss;
    • Linking accounts you provide us to facilitate the movement of funds;
    • Preparing account statements;
    • Preparing annual tax reporting information, if applicable;
    • Protecting your health, safety, or welfare;
    • Delivering user surveys; and
    • Delivering customized content and analytics on our websites or app.
  • Operating our websites in connection to covered Services;
  • Engaging third party service providers to assist us in administering and providing covered Services pursuant to a written agreement;
  • Performing analytics and improving our Services and websites;
  • Conducting internal research to develop and demonstrate technology;
  • Marketing our Services, only as permitted by law;
  • Keeping a record of our transactions and communications;
  • Conducting audits and reporting related to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;
  • Detecting, analyzing, and preventing security incidents, and other fraudulent or illegal activity;
  • Identifying, debugging and repairing errors in our systems, websites, or app that impair existing functionality;
  • Protecting our rights, the rights of affiliates and related third parties, or taking appropriate legal action, such as to enforce our Terms of Use;
  • Complying with applicable laws, regulations, administrative or legal requests, subpoenas, or otherwise as required by law;
  • In connection with a merger, acquisition, or other sale or transfer of all or part of our assets or business;
  • In accordance with your consent or the direction of your employer;
  • Short-term, transient use of Personal Information that is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction; and
  • As otherwise necessary or useful for us to lawfully conduct our business or provide covered Services.

Within the last 12 months, we have disclosed Personal Information identified in the “Personal Information” section, categories (A)-(L) above only (i) at your express request or at the direction of your employer benefit program sponsor; (ii) as part of an exempt transaction; or (iii) to our service providers for the business purpose(s) described above. To learn more about the categories of third parties with whom we share such information, please see the “How We Use and Share Information” section of our General Privacy Notice.

No Sale of Personal Information

We do not sell Personal Information within the meaning of the CCPA or CPRA. If that changes, we will let you know in advance and provide you with information so that you may understand and exercise your right to opt-out of the future sale or disclosure of your Personal Information.

Consumer Rights

If you are a California resident, you may exercise certain privacy rights related to your Personal Information. You may exercise these rights free of charge except as otherwise permitted under applicable law. Please note, there may be situations where we cannot grant your request, for example, if you ask us to delete your Personal Information that is governed by a Federal privacy regulation that is exempted from CCPA/CPRA, or where HealthEquity is legally obligated to keep a record of our interactions with you to comply with law. We may also decline your request in order to maintain our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied are if it jeopardizes the privacy of others, is frivolous, or would require disproportionate effort.

You may submit your request through our Privacy portal, which you can access by clicking here - Data Subject Access Requests. If you are a HealthEquity teammate, you can submit requests regarding your personal information through our Privacy portal, located here – Teammate Data Subject Access Requests. You may also send an email to datasubjectrequest@healthequity.com.

  1. The Right to Know, Access, Rectify, and/or Delete Personal Information

    Where the CCPA/CPRA applies to the Services we provide, you may have the right to know, access, correct, and/or delete Personal Information about you which we have collected.

    The Right to Know/Access: You have the right to know the information contained in this Notice and our General Privacy Notice, and to request access to a copy of the Personal Information that HealthEquity has collected about you directly or indirectly, including Personal Information collected by a service provider or contractor on our behalf. You may access your account through the websites and mobile app and view your Personal Information.

    The Right to Correct: You may access your account through the websites and mobile app and update your Personal Information. Users may make changes to some Personal Information through their online accounts. For Personal Information that cannot be changed via your account, you may contact us as set forth above to request the change or contact your employer if the change relates to covered Services. We will use commercially reasonable efforts to honor your requests within the limits defined by your employer program sponsor.

    The Right to Delete: You have the right to request that HealthEquity delete your Personal Information, subject to certain limited exceptions. For example, we may retain an archived copy of your records consistent with applicable law, to continue to provide covered Services, or for other legitimate business purposes.

  2. The Right to Opt-out of the Sale or Sharing of Personal Information or De-identified Personal Information
    • We do not sell your Personal Information for monetary or other valuable consideration.
    • We do not sell any de-identified Personal Information. We may de-identify your Personal Information for internal use only.
    • We do not share your Personal Information for the purposes of “cross-context behavioral advertising.” Cross-context behavioral advertising is “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
  3. The Right to Limit the Use of Sensitive Personal Information

    We limit our use of Sensitive Personal Information to only the purposes necessary to perform covered Services, and for certain business and commercial purposes described above.

  4. The Right to Non-Discrimination

    We will not discriminate or retaliate against you for exercising your consumer rights under the CCPA/CPRA, including by (a) denying you goods or services; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; or (c) providing you a different level or quality of goods or services (or suggesting that we will do so). We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your Personal Information. This section currently applies to consumers. In 2023, this section may also apply to employees, applicants for employment, and independent contractors.

Verification

As required or permitted under applicable law, we may take steps to verify your request before providing Personal Information to you, deleting Personal Information, or otherwise processing your request. To verify your request, you must provide your name, employer (if any), product or service, email address, phone number, and state of residence. You may also be asked to verify your ability to control the email address or phone number you have provided to us. If we believe we need further information to verify your request as required by law, we may ask you to provide additional information to us. We will review each request carefully and respond accordingly within the timeframe established by the CCPA/CPRA.

Agent Authorization

You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent may contact us as set forth in this Notice. Even if you choose to use an agent, as permitted by law, we may require you to confirm you have authorized the agent to act on your behalf or require you to verify your own identity.

The following summary contains the volume of California residents’ data requests for calendar year 2023.

Request to Know

  • Requests Received: 1
  • Requests Completed in Whole or in Part: 1
  • Requests Denied*: 0
  • Average Days to Complete: 14.35

Request to Delete

  • Requests Received: 13
  • Requests Completed in Whole or in Part: 13
  • Requests Denied*: 0
  • Average Days to Complete: 22.98

Request to Correct

  • Requests Received: 0
  • Requests Completed in Whole or in Part: 0
  • Requests Denied*: 0
  • Average Days to Complete: NA

Request to not sell information

  • Requests Received: 4
  • Requests Completed in Whole or in Part: 3
  • Requests Denied*: 1
  • Average Days to Complete: 16.95

Request to Opt out

  • Requests Received: 2
  • Requests Completed in Whole or in Part: 2
  • Requests Denied*: 0
  • Average Days to Complete: 21.92

*Requests may be denied in whole or in part due to various factors including because a request was not verifiable, was not made by a consumer, was made multiple times, or called for information exempt from disclosure.

Notice of Financial Incentive

We do not offer financial incentives to consumers for providing Personal Information.

Changes to Our Privacy Notice

We reserve the right to amend this Notice at our discretion and at any time. We will do so by updating this Notice. Amended terms take effect upon being incorporated into this Notice, and your continued use of the website or participation in your employer’s covered benefit program following the posting of any changes constitutes acceptance of any new terms. If the changes will materially affect the way we use your Personal Information in connection with covered Services that we have already collected, we will notify you by sending you a message in your online account.

Requesting Notice in Alternative Format/Language

You may be able to request this Notice in another language where we provide such notices in the ordinary course of business or in an alternative format if you have a disability. Please contact the Privacy Office below to request an alternative format.

Contact Information

If you have questions or comments about this Notice, our privacy policies, the ways in which we collect and use your information, or your choices and rights regarding such use, please contact us at:

Toll-Free Phone: 1-866-629-6347
Phone: 1-801-727-1000

Email: Privacy@healthequity.com

Mail: HealthEquity, Inc.
Attn: Privacy Officer
PO Box 14374
Lexington, KY 40512

Effective Date

Last updated June 2024
