At HSA Bank, a division of Webster Bank, N.A. (referred to herein as “Webster,” “we,” or “us”), we value your privacy and are committed to the protection of personal information. In this California Consumer Privacy Act Privacy Policy, we provide information regarding the collection, use, disclosure, and other processing of information relating to California residents by Webster Financial Corporation, and its affiliates and subsidiaries, including Webster Bank.

Under the California Consumer Privacy Act (“CCPA”), “Personal Information” is information that identifies, relates to, or could reasonably be linked with a particular California resident and includes certain categories of Personal Information discussed below that constitute “Sensitive Personal Information.” The CCPA, however, does not apply to certain information, such as information subject to the federal Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).

The specific Personal Information that we collect, use, and disclose relating to a California resident covered by the CCPA will vary based on our relationship or interaction with that individual. For example, this Privacy Policy does not apply with respect to information that we collect about California residents who apply for or obtain our financial products and services for personal, family, or household purposes. For more information about how we collect, disclose, and secure information relating to these customers, please refer to our Privacy and Opt-Out Notice located at websterbank.com/privacy/.

 

Our Collection, Use, Disclosure, and Sharing of Personal Information

The following chart provides information about the categories of Personal Information that we collect and use, as well as the categories of Personal Information that we disclose to third parties for our operational business purposes, including in the past 12 months preceding the date this Privacy Policy was last updated.

We do not sell Personal Information, and we do not share Personal Information for purposes of cross-context behavioral or targeted advertising, as defined under the CCPA. We have not engaged in such activities in the 12 months preceding the date this Privacy Policy was last updated. Without limiting the foregoing, we do not sell or knowingly share the Personal Information relating to minors under 16 years of age.

 

| Categories of Personal Information | Categories of Third Parties to Whom Information is Disclosed for Our Operational Business Purposes | Categories of Third Parties to Whom Information is Shared for Cross-Context Behavioral Advertising |
| --- | --- | --- |
| Identifiers, such as name, postal address, IP address that can reasonably be linked or associated with a particular California resident or household, email address, account name, online identifiers, and government-issued identifiers (e.g., Social Security number) | Affiliates; service providers; ad networks; business partners; marketing partners; credit bureaus; legal authorities; other parties in litigation | None |
| Personal information as defined in the California customer records law, such as name, contact information, and financial information | Affiliates; service providers; ad networks; business partners; marketing partners; credit bureaus; legal authorities; other parties in litigation | None |
| Protected Class Information, such as characteristics of protected classifications under California or federal law, such as sex, age, gender, race, marital status, and veteran or military status | Affiliates; service providers | None |
| Commercial Information, such as transaction information and purchase history | Affiliates; service providers; ad networks; business partners; marketing partners; credit bureaus; legal authorities; other parties in litigation | None |
| Internet or network activity information, such as browsing history, search history, and interactions with our online properties, applications, or ads | Affiliates; service providers | None |
| Geolocation Data, such as device location | Affiliates; service providers | None |
| Audio, Video, and Similar Data, such as call and video recordings | Affiliates; service providers | None |
| Education Information subject to the federal Family Educational Rights and Privacy Act, such as student records and directory information | Affiliates; service providers | None |
| Professional and Employment Information, such as current or past job history or performance evaluations | Affiliates; service providers | None |
| Inferences drawn from any of the Personal Information listed above to create a profile about, for example, an individual’s preferences or characteristics | Affiliates; service providers | None |
| Sensitive Personal Information. Personal Information that reveals an individual’s: (1) Social Security, driver’s license, state identification card, or passport number; (2) account log-in, financial account, credit or debit card number in combination with any required security or access code, password, or credentials allowing access to an account; (4) racial or ethnic origin, religious or philosophical beliefs, citizenship, immigration status, or union membership; (5) the contents of mail, email, and text messages unless we are the intended recipient of the communication; | Affiliates; service providers | None |

We may also disclose Personal Information to a third party in the event of a reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

 

Purposes for Our Collection, Use, Sharing, or Other Disclosure of Personal Information

We may collect, use, share, or disclose Personal Information in order to:

  • operate, manage, and maintain our business, to provide our products and services, and to accomplish our business purposes and objectives;
  • develop, improve, repair, and maintain our existing and future products and services;
  • personalize, advertise, and market our products and services;
  • operate, maintain, and improve our website and other online services or applications;
  • conduct research, analytics, and data analysis;
  • plan and manage human resources, including, but not limited to, ensuring appropriate staffing, processing payroll, managing benefits, conducting workforce assessments, reporting and analytics, and succession planning;
  • process and evaluate job applications and recruit employees;
  • undertake quality and safety assurance measures;
  • conduct risk and security control and monitoring;
  • protect the safety of our customers, business contacts, employees and job applicants, and other individuals;
  • detect and prevent fraud and perform identity verification;
  • facilitate and implement any reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings);
  • perform accounting, audit, and other internal functions, such as internal investigations;
  • comply with law, legal process, contracts, and internal policies;
  • maintain records;
  • exercise and defend legal claims.

 

Our Use of Sensitive Personal Information

Subject to your consent where required by applicable law, we may use Sensitive Personal Information for purposes of providing goods or services as requested by you; ensuring security and integrity; short term transient use such as displaying first party, non-personalized advertising; performing services for our business, including maintaining and servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, and providing storage, or providing similar services on behalf of our business.

 

Our Retention of Personal Information

We retain Personal Information for as long as needed or permitted in light of the purpose(s) for which it was collected. The criteria that we consider in determining our retention periods include:

  • The length of time we have an ongoing relationship with you and provide services to you (e.g., for as long as you have an account with us or keep using our services) and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise;
  • Whether there is a legal obligation to which we are subject (e.g., certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or
  • Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

 

Sources of Personal Information

We collect Personal Information from you and from affiliates, third-party service providers, business partners, consumer reporting agencies, publicly available databases, social media, operating systems and platforms, internet service providers, ad networks, data analytics providers, and joint marketing partners, when they share the information with us.

 

Individual Requests

If you are a California resident, you may, subject to applicable law, make the following requests:

  1. You may request to know whether we process Personal Information relating to you and to access such Information.
    1. You may request that we disclose to you the following information covering the 12 months preceding your request:
      1. The categories of Personal Information that we collected about you and the categories of sources from which we collected such Personal Information;
      2. The business or commercial purpose for collecting or sharing (if applicable) Personal Information relating to you;
      3. The categories of Personal Information that we shared and the categories of third parties with whom we shared such Personal Information (if applicable);
      4. The categories of Personal Information about you that we otherwise disclosed, and the categories of third parties to whom we disclosed, such Personal Information (if applicable).
  2. You may request to correct inaccuracies in Personal Information that we maintain about you;
  3. You may request to have Personal Information you provided to us deleted;
  4. You may request to receive a copy of Personal Information that we maintain about you, including, where applicable, to request to obtain a copy of your Personal Information.

We will not unlawfully discriminate against you for exercising your rights under the CCPA. To make a request described above, please contact us by calling 1-833-227-7072 or by sending an email to HSAWebPrivacyRequest@hsabank.com. We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the Personal Information subject to the request. In some instances, we may decline to honor your request where the law or right you are invoking does not apply or where an exception applies. We may need to request additional Personal Information from you in order to verify your identity and protect against fraudulent requests. If you maintain a password-protected account with us, we may verify your identity through our existing authentication practices for your account and require you to re-authenticate yourself before disclosing or deleting your Personal Information. If you make a request to delete, we may ask you to confirm your request before we delete your Personal Information.

 

Authorized Agents

If you would like an agent to make a request on your behalf to the extent permitted under applicable law, the agent may use the request methods listed above. Not all kinds of requests can be made by authorized agents. As part of our verification process, we may request that the agent provide, as applicable, proof concerning his or her status as an authorized agent. In addition, we may require that you verify your identity as described above or confirm that you provided the agent permission to submit the request.

 

De-Identified Information

Where we maintain or use de-identified data, we will continue to maintain and use the de-identified data only in a de-identified fashion and will not attempt to re-identify the data.

 

Changes to this Privacy Policy

We may change or update this Privacy Policy from time to time. When we do, we will post the revised Privacy Policy on this page with a new “Last Updated” date.

 

Last Updated on 6/30/23

 

Contact Us

If you have any questions regarding this Privacy Policy, please contact us at HSAWebPrivacyRequest@hsabank.com.