Team member privacy notice

HealthEquity, Inc. and its subsidiaries, including WageWorks, Inc. and Fort Effect Corp. (DBA Luum), prioritize your privacy. This notice explains who we are, how and why we handle your personal information as your employer, and your rights regarding that information. It also outlines how to contact us with complaints. This notice applies to all current and former employees ("team members").

The Company processes personal information as per this Notice, unless required by law. We follow state privacy laws in the United States and are responsible for your data.

We collect relevant and limited personal information related to employment. The Company neither sells nor shares team member information for behavioral advertising.

This Notice excludes aggregated, anonymous, or de-identified data. Aggregated data removes individual identities. Anonymous data makes individuals unidentifiable. De-identified data cannot reasonably identify any individual.

Failing to provide requested personal information may affect our ability to serve you fully as an employer (such as payment or benefits) or comply with legal obligations (such as worker health and safety).

Category	Terms and Definitions
AI System	An engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments.
Company, We, Us, Our	HealthEquity and our group companies
Personal Information	Any information relating to, describing, reasonably capable of being associated with, or capable of reasonably being linked, directly or indirectly, to an identified, or an identifiable, natural person.
Sensitive Personal Information	Government identifiers, such as Social Security Numbers and drivers license numbers; Account log-in information (e.g., financial account or credit card numbers in combination with any required access codes or passwords); Precise geolocation information; Racial or ethnic origin, religious or philosophical beliefs, or union membership; Content of postal mail, email, and text messages, unless the business is the intended recipient of the subject communications; Genetic data; and Biometric information that uniquely identifies a consumer or information concerning a consumer's health, sex life, or sexual orientation.

1. Personal Information We Collect About You. The Company may collect and use personal information that can identify, relate to, describe, or be reasonably associated with team members. Sensitive Personal Information may be collected and processed if required or permitted under applicable law, necessary for the establishment, exercise, or defense of legal claims, or if the team member has provided explicit consent.

Categories of Personal Information	Specific Types of Personal Information Collected
Identifiers	Name, preferred name, home/mailing address, email address, telephone/mobile number, online identifiers, emergency contacts/next-of-kin, photograph/CCTV images, date of birth, social security number, state identification card, driver’s license image, employee identification number, signatures, languages
Demographic Data	age, gender, race, ethnicity, disability status, sexual orientation, gender identity, and transgender status
Characteristics of protected classifications under California or federal law.	Race, religion, sexual orientation, gender identity, gender expression, age
Background Data	Drug screening, credit/criminal check, prior or current employment verification, education/certification/licensing verification, military status, citizenship status, nationality
Employment and Professional Data	Job title/position, office location, hire/rehire/term dates, employment contracts, performance reviews, disciplinary records, grievance procedures, sick time, vacation time/paid time off, timesheets, academic/professional qualifications, training records, education, CV/resume, references, interview notes
Financial Data	Bank routing/account number, state and federal tax declarations and withholdings, benefits, payroll, salary, expenses and allowances, and stock and equity grants
Health Data	Medical diagnosis, physician notes, workplace accident/incident reports, short- or long-term disability or illnesses, leave of absence and sick leave and related requests and analyses, medical accommodations and related requests and analyses, and employment-related medical screenings
Spouse/Partner’s and Dependents’ Data	Names, dates of birth, social security number, and other contact details
Workplace, Device, Usage and Content Data	IP address, log files, login information, software/hardware inventories, Office 365, Teams, Outlook including emails sent and received, calendar entries, to-do items, instant messages, building and information system access, websites visited data, text messages on Company devices, Company device, system and application usage (including telemetry) when accessing and using Company assets
Video, Voice, and Image	Facial images, voice files or recordings, video files or recordings

If you provide personal information about others, inform them of the purpose and share this Notice. We will assume their consent for collection and processing unless notified otherwise in writing.

2. How Your Personal Information is Collected. We collect most of this Personal Information directly from you—in person, by telephone, text, email, website, and apps. However, we may also collect information:

• From publicly accessible sources (e.g., LinkedIn).
• Directly from a third party (e.g., background screening providers).
• From a third party with your consent (e.g., your bank).
• From cookies on our website; and
• Via our IT systems, including:
• Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems. Please refer to the People Handbook (including any applicable state supplement) and Acceptable Use Policy for additional information.
• Through Data Loss Prevention tools 

3. How and Why, We Use Your Personal Information. We only use your Personal Information if we have a proper reason for doing so, including (and as set forth below):

• To comply with our legal and regulatory obligations;
• To protect our legal rights;
• For our legitimate interests or those of a third party;
• In an emergency where health or security is at stake; or
• Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

To innovate and continuously improve, we employ AI tools, including Microsoft Copilot, to aid in a variety of tasks such as:

• Streamlining administrative workflows and improving process efficiencies.
• Facilitating informed decision-making.

The Company's Responsible AI Policy governs our use of AI tools and requires all team members to use AI Systems responsibility and with written approval before inputting Personal Data, Company Confidential Information, and Customer Data. Company may take necessary steps to both enforce this Policy and to protect Company intellectual property (IP) in connection with AI Systems use.

To the extent we use AI to process your personal information, we do so in accordance with relevant privacy laws and regulations. We refrain from using AI to make significant decisions impacting your employment without human oversight.

The table below explains what we use your personal information for and our reasons for doing so:

What we use your personal information for	Our reasons
To pay you, for benefits administration, retirement administration, managing various types of leave of absence, tax reporting, measuring employee sentiment, diversity reporting, measuring performance metrics for the purpose of reviewing, rewarding and coaching	To manage the employment or working relationship with you and to fulfill our legal obligations as your employer
To prevent and detect fraud against you or us	For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you
To conduct background screening to confirm identity and screening for financial or other sanctions Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator	To comply with our legal and regulatory obligations
To gather and provide information required by or relating to audits, enquiries, or investigations by regulatory bodies	To comply with our legal and regulatory obligations
Ensuring business policies are adhered to, e.g., policies covering security and internet use	For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you
Operational reasons, such as improving efficiency, training, and quality control	For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price
Ensuring the confidentiality of commercially sensitive information	For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information To comply with our legal and regulatory obligations
Preventing unauthorized access and modifications to systems	For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you To comply with our legal and regulatory obligations
Ensuring safe working practices, staff administration and assessments	To comply with our legal and regulatory obligations For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

We have appropriate measures in place to protect your personal information and will never sell or share it with other organizations for marketing or cross context behavioral advertising purposes or any other behavioral marketing.

4. Who We Share Your Personal Information With. We routinely share personal information with:

• Our affiliates and subsidiaries;

• Service providers we use to help deliver our products and services to you, such as benefit providers, information technology providers for shipping and receiving Company devices, cloud providers, data hosting and storage services, background check providers, warehouses and delivery companies;

• Government authorities as required by law, such as tax and social security authorities;

• With our clients when necessary to inform them who their point of contact is, or who may otherwise be working on their accounts.

We only allow our service providers to access or use your personal information if they meet our data privacy and protection requirements. We impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g., in relation to accreditation and audit activities.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

5. Where Your Personal Information is Held. Information may be held at our offices, in Company systems and databases, third party agencies, service providers, representatives and agents as described above (see above: “Who We Share Your Personal Information with”).

6. How Long Your Personal Information Will Be Kept. We will keep your personal information while you are employed with us. Thereafter, we will keep your personal information for as long as is necessary:

• To respond to any questions, complaints or claims made by you or on your behalf; or,

• To comply with record retention laws and requirements, and our policies.

We will not retain your personal information for longer than necessary for the purposes set out in this notice. Different retention periods apply for different types of personal information. Further details on this are available in our Records Retention Policy.

When it is no longer necessary to retain your personal information, we will delete or anonymize it.

7. Your Rights Under State Privacy Laws. Where permitted or required by State Privacy Laws (such as the California Privacy Rights Act (CPRA)) you may be entitled to exercise any of the following privacy rights with respect to your personal information:

Your rights	Description
Disclosure of Personal Information We Collect About You	You have the right to know: The categories of personal information we have collected about you. The categories of sources from which the personal information is collected. Our business or commercial purpose for collecting personal information. The categories of third parties with whom we share personal information, if any; and The specific pieces of personal information we have collected about you. Please note that we are not required to: Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or Provide the personal information to you more than twice in a 12-month period.
Right to Request access, correction, amendment, and portability You also have the right to request limits on use and sharing of your Sensitive Personal Information	You can access, correct or amend certain personal information through self-service tools as set forth below: ADP Vantage SAP Concur Motivosity (edit profile) For other data, you may submit a data subject access request through our privacy portal found here: Data Subject Access Requests You may also email privacy@healthequity.com. When you submit a request, you will be required to provide personal information for us to properly authenticate you and confirm your identity. We will not ask for more than necessary information for this purpose.
Personal Information Shared for a Business Purpose	You have the right to know the categories of personal information that we disclosed to a third party for a business purpose.
Right to Deletion	Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will: Delete your personal information from our records; and Direct any service providers to delete your personal information from their records. We may not delete your personal information if it is necessary to comply with our legal and employment obligations.
Protection Against Discrimination	HealthEquity will not discriminate against you for exercising any of your rights allowed or required by law.

8. Keeping Your Personal Information Secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

9. Changes to This Privacy Notice. This privacy notice was published on 2/1/2022 and last updated on 4/24/2025.

   We may change this privacy notice from time to time - when we do, we will inform you via posting to the Company's intranet and systems or record.

10. How to Contact the Privacy Office. Please contact the Privacy Office by email – privacy@healthequity.com if you have any questions about this privacy notice or the information the Company holds about you.

11. Do You Need Extra Help? If you would like this notice in another format (for example: audio, large print, braille) please contact us (see “How to contact us” above).