Team member privacy notice

HealthEquity, Inc. (together with its subsidiaries, including but not limited to WageWorks, Inc. and Fort Effect Corp., DBA Luum, the “Company”) takes your privacy very seriously. Please read this privacy notice (“Notice”) carefully, as it contains important information on who we are, and how and why we collect, store, use, and share your personal information as your employer. It also explains your rights in relation to your personal information and how to contact us in the event you have a complaint. This Notice applies to current and former employees (commonly referred to within the Company as “team members”).

The Company will only process your personal information according to this Notice unless otherwise required by applicable law. When we do so we are subject to various state privacy laws in the United States and are responsible for your personal information.

The Company ensures that the personal information collected related to your employment or potential employment is adequate, relevant, not excessive, and processed for limited purposes. The Company does not sell applicant, employee, or former employee personal information, nor do we share it with third parties for cross-context behavioral advertising.

This Notice does not cover aggregated data, data rendered anonymous, or data that has been de-identified. Aggregate data relates to a group or category of individuals from which individual identities have been removed. Data is rendered anonymous if individual persons are no longer identifiable. Deidentified data is data that has had identifiable elements removed, and cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual.

If you fail to provide certain personal information when requested, we may not be able to fully perform services as your employer (such as paying you or providing a benefit), or we could be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

Category	Terms and Definitions
Company, We, Us, Our	HealthEquity and our group companies
Personal Information	Any information relating to, describing, reasonably capable of being associated with, or capable of reasonably being linked, directly or indirectly, to an identified, or an identifiable, natural person.
Sensitive Personal Information	Government identifiers, such as Social Security Numbers and drivers license numbers; Account log-in information (e.g., financial account or credit card numbers in combination with any required access codes or passwords); Precise geolocation information; Racial or ethnic origin, religious or philosophical beliefs, or union membership; Content of postal mail, email, and text messages, unless the business is the intended recipient of the subject communications; Genetic data; and Biometric information that uniquely identifies a consumer or information concerning a consumer's health, sex life, or sexual orientation.

1. Personal Information We Collect About You. We may collect and use the following personal information that identifies, relates to, describes, is reasonable capable of being associated with, or could reasonably be linked, directly or indirectly, with an employee or former employee:

Categories of Personal Information	Specific Types of Personal Information Collected
Identifiers	Name, preferred name, home/mailing address, email address, telephone/mobile number, online identifiers, emergency contacts/next-of-kin, photograph/CCTV images, date of birth, social security number, state identification card, driver’s license image, employee identification number, signatures, languages
Demographic Data	age, gender, race, ethnicity, disability status, sexual orientation, gender identity, and transgender status
Characteristics of protected classifications under California or federal law.	Race, religion, sexual orientation, gender identity, gender expression, age
Background Data	Drug screening, credit/criminal check, prior or current employment verification, education/certification/licensing verification, military status, citizenship status, nationality
Employment and Professional Data	Job title/position, office location, hire/rehire/term dates, employment contracts, performance reviews, disciplinary records, grievance procedures, sick time, vacation time/paid time off, timesheets, academic/professional qualifications, training records, education, CV/resume, references, interview notes
Financial Data	Bank routing/account number, state and federal tax declarations and withholdings, benefits, payroll, salary, expenses and allowances, and stock and equity grants
Health Data	Medical diagnosis, physician notes, workplace accident/incident reports, short- or long-term disability or illnesses, leave of absence and sick leave and related requests and analyses, medical accommodations and related requests and analyses, and employment-related medical screenings
Spouse/Partner’s and Dependents’ Data	Names, dates of birth, social security number, and other contact details
Workplace, Device, Usage and Content Data	IP address, log files, login information, software/hardware inventories, Office 365, Teams, Outlook including emails sent and received, calendar entries, to-do items, instant messages, building and information system access, websites visited data, text messages on Company devices, Company device, system and application usage (including telemetry) when accessing and using Company assets
Video, Voice, and Image	Facial images, voice files or recordings, video files or recordings

2. How Your Personal Information is Collected. We collect most of this Personal Information directly from you—in person, by telephone, text, email, website, and apps. However, we may also collect information:

• From publicly accessible sources (e.g., LinkedIn).
• Directly from a third party (e.g., background screening providers).
• From a third party with your consent (e.g., your bank).
• From cookies on our website; and
• Via our IT systems, including:
• Door entry systems and reception logs.
• Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems; and

3. How and Why, We Use Your Personal Information. We only use your Personal Information if we have a proper reason for doing so, including (and as set forth below):

• To comply with our legal and regulatory obligations;
• To protect our legal rights;
• For our legitimate interests or those of a third party;
• In an emergency where health or security is at stake; or
• Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use your personal information for and our reasons for doing so:

What we use your personal information for	Our reasons
For business or emergency communication (SMS, email, telephone), such as scheduling interviews, notifying you of job opportunities, or encouraging employees to share feedback	For our legitimate interests, i.e., fulfilling job opportunities, or to contact you or others on your behalf for emergencies such as weather events
To pay you, for benefits administration, retirement administration, managing various types of leave of absence, tax reporting, measuring employee sentiment, diversity reporting, measuring performance metrics for the purpose of reviewing, rewarding and coaching	To manage the employment or working relationship with you and to fulfill our legal obligations as your employer
To prevent and detect fraud against you or us	For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you
To conduct background screening to confirm identity and screening for financial or other sanctions Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator	To comply with our legal and regulatory obligations
To gather and provide information required by or relating to audits, enquiries, or investigations by regulatory bodies	To comply with our legal and regulatory obligations
Ensuring business policies are adhered to, e.g., policies covering security and internet use	For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you
Operational reasons, such as improving efficiency, training, and quality control	For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price
Ensuring the confidentiality of commercially sensitive information	For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information To comply with our legal and regulatory obligations
Preventing unauthorized access and modifications to systems	For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you To comply with our legal and regulatory obligations
Ensuring safe working practices, staff administration and assessments	To comply with our legal and regulatory obligations For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

The above table does not apply to special categories personal information, which we will only process with your explicit consent.

We will always protect your personal information and never sell or share it with other organizations for marketing or behavioral advertising purposes.

4. Who We Share Your Personal Information With. We routinely share personal information with:

• Our affiliates and subsidiaries;

• Service providers we use to help deliver our products and services to you, such as benefit providers, information technology providers for shipping and receiving Company devices, cloud providers, data hosting and storage services, background check providers, warehouses and delivery companies;

• Government authorities as required by law, such as tax and social security authorities;

• With our clients when necessary to inform them who their point of contact is, or who may otherwise be working on their accounts.

We only allow our service providers to access or use your personal information if they meet our data privacy and protection requirements. We impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g., in relation to accreditation and audit activities.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

5. Where Your Personal Information is Held. Information may be held at our offices, in Company systems and databases, third party agencies, service providers, representatives and agents as described above (see above: “Who We Share Your Personal Information with”).

6. How Long Your Personal Information Will Be Kept. We will keep your personal information while you are employed with us. Thereafter, we will keep your personal information for as long as is necessary:

• To respond to any questions, complaints or claims made by you or on your behalf; or,

• To comply with record retention laws and requirements, and our policies.

We will not retain your personal information for longer than necessary for the purposes set out in this notice. Different retention periods apply for different types of personal information. Further details on this are available in our Records Retention Policy.

When it is no longer necessary to retain your personal information, we will delete or anonymize it.

7. Your Rights Under State Privacy Laws. If you are a resident of an applicable state, you have the following rights under State Privacy Laws (such as the California Privacy Rights Act (CPRA)):

Your rights	Description
Disclosure of Personal Information We Collect About You	You have the right to know: The categories of personal information we have collected about you. The categories of sources from which the personal information is collected. Our business or commercial purpose for collecting personal information. The categories of third parties with whom we share personal information, if any; and The specific pieces of personal information we have collected about you. Please note that we are not required to: Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or Provide the personal information to you more than twice in a 12-month period.
Right to Request access, correction, amendment, and portability You also have the right to request limits on use and sharing of your Sensitive Personal Information	You can access, correct or amend certain personal information through self-service tools as set forth below: ADP Vantage SAP Concur Motivosity (edit profile) For other data, you may submit a data subject access request through our privacy portal found here: Data Subject Access Requests You may also email privacy@healthequity.com. When you submit a request, you will be required to provide personal information for us to properly authenticate you and confirm your identity. We will not ask for more than necessary information for this purpose.
Personal Information Shared for a Business Purpose	You have the right to know the categories of personal information that we disclosed to a third party for a business purpose.
Right to Deletion	Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will: Delete your personal information from our records; and Direct any service providers to delete your personal information from their records. We may not delete your personal information if it is necessary to comply with our legal and employment obligations.
Protection Against Discrimination	HealthEquity will not discriminate against you for exercising any of your rights allowed or required by law.

8. Keeping Your Personal Information Secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

9. Changes to This Privacy Notice. This privacy notice was published on 12/29/2022 and last updated on 10/12/2023.

   We may change this privacy notice from time to time - when we do, we will inform you via posting to the Company's intranet and systems or record.

10. How to Contact the Privacy Office. Please contact the Privacy Office by email – privacy@healthequity.com if you have any questions about this privacy notice or the information the Company holds about you.

11. Do You Need Extra Help? If you would like this notice in another format (for example: audio, large print, braille) please contact us (see “How to contact us” above).