1. Purpose and Scope
“Confidential Information” means non-public information clearly identified as proprietary or confidential or which by its nature should be reasonably construed to be confidential. Confidential Information may include, but is not limited to, Personal Information (as defined below); information about any Vestwell client or users of the Sites; Vestwell’s proprietary software, intellectual property, products, services, or databases currently existing or under development; all reports posted on the Sites; tutorials, guides, and other education materials that are prepared by or for Vestwell on the Sites.
“End User” or “End Users” (sometimes referred to as “you” or “your”) means any individual or organization that uses the Sites, receives Services, uses the Vestwell Platform, or who has otherwise provided their Personal Information to Vestwell. This includes employees of Plan Sponsors and Employers that utilize the Vestwell Platform or engaged Vestwell for Services.
“Personal Information” means any information or data collected or maintained for Vestwell’s business purposes that (a) identifies an End User, including by name, signature, address, telephone number, or other unique identifier; (b) can be used to identify or authenticate an End User, including passwords, PINs, biometric data, unique identification numbers (e.g., social security numbers, EINs), answers to security questions or other personal identifiers, or (c) an account number or credit card number or debit card number, in combination with any required security code, access code, or password, that would permit access to an End User's retirement plan account.
“Plan Sponsor(s),” or “Employers” refers to businesses that offer tax-qualified retirement plans or participate in Secure Choice or other retirement or saving plans sponsored by various states.
“Services” refers to the services provided by Vestwell to support tax-qualified or state-sponsored retirement or savings plans or accounts, including payroll file and participant data processing, recordkeeping, and plan and program administration services set forth in contracts with clients.
3. What Information Vestwell Collects About You
As part of the Services, and in order to carry out its contractual responsibilities, Vestwell collects information associated with Plan Sponsors, Employers, investment advisors, and End Users that uses the Vestwell Platform including, but not limited to:
- Contact information such as address, telephone/cell phone numbers, email address
- Demographic information such as date of birth, marital status, gender
- Social security number or EIN numbers
- Banking information for purposes of processing plan contributions and distributions or invoices
- Employment-related records, such as job title, compensation, and years of service
- Vestwell services provided to its clients
- Marketing channel and any notice delivery preferences
- Investment selections and contribution rates
Vestwell is provided with this information by you, your Employer, or others acting on your or your Employer’s behalf such as payroll providers and advisors.
In addition to collecting Personal Information in connection with providing the Services, Vestwell may also collect Personal Information or other information when End Users visit the Sites, request information about the Services, download a white paper, or schedule a demonstration of the Vestwell Platform. Certain information may also be collected and tracked automatically when End Users visit the Sites; please see Section 4 for more details.
4. How and When Vestwell Collects Information
Vestwell collects information in the following ways:
- Anonymous information that is collected from End Users that browse the Sites (section 4.1);
- Information that is provided to Vestwell when an End User registers to attend any of Vestwell’s events, responds to surveys, requests a proposal, contacts Vestwell for more information about the Services, or applies for employment opportunities with Vestwell (section 4.2);
- Information that Plan Sponsors or Employers provide to Vestwell relating to an agreement with Vestwell to support its benefit plan; when an End User registers for a Vestwell account; when an advisor, its affiliated home office, or any other organization enters into an agreement or arrangement with Vestwell to use or market the Vestwell Platform (section 4.3).
4.1 Anonymous information Vestwell collects from End Users of the Sites
An End User can browse through the Sites without providing any Personal Information or Confidential Information. However, certain information may be passively collected (information that is gathered without an End User actively providing it) using various technologies, such as cookies, unique identifiers, Internet tags, web beacons, and navigational data collection (log files, server logs, clickstream).
- Device and location information: Vestwell collects device-specific information, such as whether End Users are accessing the Sites from a mobile phone or laptop, the website URL that directed End Users to the Sites, the Internet Protocol address, the browser version of End User’s device, the date and time of access to the Sites, and the pages or screens that End Users access navigate while at the Sites.
4.2 Information provided to Vestwell when an End User schedules or attends a Vestwell event, applies for employment, or other affirmative contact with Vestwell.
Vestwell collects and uses the information that an End User, such as an attendee at one of its webinars, affirmatively provides when registering to attend a Vestwell event. When End Users register to attend any of Vestwell’s webinars, seminars, or online programs or events; respond to any surveys, emails, or questionnaires; or contact Vestwell to request information or correspond, End Users may be requested to provide names, addresses, e-mail addresses, company, and contact information. When End Users provide that information, Vestwell uses it to keep in contact with End Users to inform them about Vestwell’s Services, product enhancements, and related educational and promotional materials.
4.3 Information End Users provide to us when using the Services
End Users that use the Vestwell Platform to manage their retirement plan, retirement plan account, college savings account, or other savings product are consenting to provide Vestwell with information needed to service the retirement plan in which they participate or their savings accounts. This information includes Personal Information as well as name, address, compensation, years of service, job positions, contributions, investment selections, information necessary to qualify you to open or utilize a savings product, investment performance, and other data that Vestwell needs in order to perform its contractual obligations and Services. Information collected is used by Vestwell and its service providers and business partners to perform the Services. By registering for a Vestwell account or by using the Services, End Users, Employers, and Plan Sponsors agree to Vestwell’s use of Personal Information and cannot opt out, change or remove consent, or delete Personal Information or other information from the Sites. This information is essential for Vestwell to perform the Services.
5. How Vestwell Uses the Information Collected
Vestwell uses the information collected to provide the Services, including to verify identity and diagnose and remediate technical and service related issues.
Vestwell may also use collected information for its own general business purposes, which may include, but is not limited to, helping it analyze, research, report on, and improve the Services; assessing the effectiveness of the Services; detecting, understanding and resolving any technical issues with the Sites or servicing End User accounts; or better serving its current and prospective clients’ and investment advisors’ needs with respect to products, services, and support.
Vestwell may also use collected information for marketing communications, either directly or through a third party, in relation to existing or new services, for education information it thinks might benefit the End User, or for keeping End Users up to date on industry and regulatory information and trends. End Users may opt out of receiving these marketing communications at any time (see "Choice/Opt-Out" below).
Vestwell may also use End Users’, Employers’, and/or Plan Sponsors’ contact information to inform them about additional or changes to Vestwell’s services, market trends, legislative changes, general retirement plan education materials, or other information related to the use of the Vestwell Platform. By registering for a Vestwell account or when using the Vestwell Platform, End Users, Employers, investment advisors, and Plan Sponsors agree to Vestwell’s uses of Personal Information and cannot opt out, change or remove consent, or delete Personal Information or other information from the Sites. This information is essential for Vestwell to perform the Services and to comply with any relevant regulatory requirements.
6. Cookies and Tracking Technologies
In addition to cookies, the Sites use a variety of other methods and tools for tracking purposes, including Internet tags and web beacons, which are small pieces of data that are embedded in images and pages of the Sites. While most web browsers automatically accept cookies, many browsers allow End Users to modify browser settings to decline cookies and/or "opt-out" of tracking technologies. As each browser is different, please consult the “help” menu within the browser. For additional information about cookies and how to control their use on various browsers and devices, End Users can visit http://www.allaboutcookies.org. Please note however, if a visitor turns off cookies, such visitor may find some of the functionality of the Sites and/or our Services to be reduced or impaired.
Vestwell also utilizes both proprietary and third-party analytics tools, such as Google Analytics and other solutions, to gather information designed to help gain insight into how visitors to the Sites interact with and use the Sites’ contents and other services.
7. Information Sharing and Disclosure
Vestwell does not sell or rent Personal Information and only shares Personal Information with service providers or business partners under the following limited circumstances:
- With Plan Sponsors, Employers, payroll providers, or investment advisors associated with the End User’s retirement plan or savings account;
- Vestwell subsidiaries and its service providers to carry out, improve, or maintain the Services to End Users. These may include vendors or subcontractors of Vestwell, such as hosting and information technology providers, identity verification and fraud prevention services, data analytics, and customer support services. These providers may have access to Personal Information needed to perform their functions, but are contractually restricted from using such Personal Information for purposes other than providing services for Vestwell.
- When legally required to access, use, preserve, or disclose the information to satisfy any applicable law, regulation, legal process, or enforceable governmental request;
- To detect, prevent, or otherwise address security or technical issues involving the Sites or the Vestwell Platform;
- To protect against harm to the rights, property, or safety of Vestwell, its employees, End Users, or the public as required or permitted by law;
- To enforce the terms of Vestwell’s service agreements; or
- Disclosure to federal, state or local regulators as required by applicable law.
Vestwell may also share Vestwell Platform users aggregated or anonymized information that does not directly identify an End User (including device information and information derived from cookies and log files with third parties) with third parties regarding trends about the general use of its services.
Vestwell intends to keep End Users of the Services current about new Vestwell Platform features, important Vestwell announcements that are relevant to Vestwell Platform users, industry or regulatory updates, or other information it believes End Users would like to hear about either from it or from its business partners, and Vestwell may be using the information provided for those purposes as well as the activities noted in section 4.
In addition, Vestwell may share anonymized aggregate information about End Users, such as demographics of Vestwell Platform, with the media, business partners, and other third parties for Vestwell’s business purposes, such as to customize or enhance the content and functionality of the Sites.
Lastly, as Vestwell continues to develop its business, it might sell or buy assets. In such transactions, End User information may be one of the transferred business assets. If either Vestwell or any of Vestwell’s assets are merged or acquired, End User’s Personal Information may be one of the transferred assets.
8. Information Security
End Users’ privacy matters to Vestwell and Vestwell works hard to protect it. Vestwell utilizes the following practices:
- Encrypting data on the Vestwell Platform;
- Enforcing password complexity standards for individuals to access their accounts on the Vestwell Platform;
- Reviewing information collection, storage, and processing practices, including physical security measures, to guard against unauthorized access to Vestwell’s systems; and
- Restricting access to Personal Information to Vestwell employees and trusted service providers who need to know that information to process it on Vestwell’s behalf, so that the employee or trusted service provider can perform the Services, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if violated.
Vestwell utilizes reasonable security technologies to protect Personal Information in accordance with industry and regulatory standards, which may include monitoring and recording transactions to help detect potential fraudulent activity, and utilizing encryption, two-factor authentication, automatic logout after a specified period of inactivity, or other controls to help protect End User’s sensitive information.
9. Retention of Personal information
10. Opting Out of Certain Communications
Vestwell wants End Users to have the tools necessary to manage their Personal Information. It is important that End Users ensure that the information Vestwell has is accurate and current so that it can properly and timely perform the Services. End Users’ ability to manage their Personal Information will differ depending on their relationship with Vestwell and the Services provided.
In some areas of the Sites, such as when subscribing to marketing communications, End Users are provided with an opportunity to opt out of receiving future communications, which is how End Users give, or decline to give, their consent to use Personal Information for the purpose(s) covered by the applicable opt-out choice. End Users may also indicate their desire to opt-out when receiving marketing and promotional communications from Vestwell by clicking the "unsubscribe" hyperlink and following the instructions or at any time by sending an email request to firstname.lastname@example.org (please indicate "Opt-Out" in the subject line). Vestwell maintains records of opt-out requests consistent with applicable law. If End Users wish to remove their name and information from marketing communications, Vestwell may not be able to immediately delete residual copies from its active or backup servers, and it may take up to 30 days to completely remove the End User’s information.
11. Vestwell’s Data Security Protocols
Vestwell safeguards the security and confidentiality of Personal Information and other data by using physical, technical, and managerial procedures. Please be aware that, despite Vestwell’s best efforts, no security measures are perfect or impenetrable. While Vestwell strives to protect End User’s Personal Information, it cannot guarantee the security of the information an End User transmits, and urges End Users to take every precaution to protect their Personal Information when using the Internet. Vestwell suggests changing passwords often, using a combination of letters and numbers, taking advantage of multi-factor authentication features where available, installing an antivirus and anti-malware software, bookmarking the Sites web address once it is confirmed the Sites are owned and operated by Vestwell, and making sure that an up-to-date and secure browser is being used. Vestwell recommends that End Users not store passwords in browsers or share log-in credentials to any website with anyone.
12. Third Party Service Providers or Business Partners
Vestwell Services are not targeted or directed at children under the age of 13, and it does not intend to or knowingly collect or solicit Personal Information from children under the age of 13. If an End User has reason to believe that a child under age 13 has provided Personal Information to Vestwell, Vestwell encourages the child’s parent or guardian to contact Vestwell. If Vestwell learns that any Personal Information collected has been provided by a child under age 13, it will promptly delete it. Vestwell does, however, process Personal Information about children when necessary for the Services and when provided by the End User. For example, if an End User has a college savings account supported by Vestwell’s Services, Vestwell may collect information relating to the beneficiaries of that account, which may include children under age 13.
14. International Use Statement
15. Compliance with State Laws
16. Privacy Notice for California Residents
16.1 What is Personal Information?
“Personal Information" has the same meaning as under the California Consumer Privacy Act (“CCPA”): information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include information that is de-identified or aggregated.
16.2 Personal Information Vestwell Collects
Vestwell collects the following types of information in connection with the Sites:
- Unique identifiers (such as names or an ID number)
- Contact information (such as telephone number, email address, or mailing address)
- Professional information (such as employer’s name and title)
- Commercial information (such as communication preferences, survey data, or other information provided in order for Vestwell to respond to inquiries)
- Audio, video, or visual information (such as a recording of voice or image if an End User participates in a corporate event. End Users will always be notified of any recording in advance)
- End User profile information (such as dietary preferences if End User registers for an event with a meal included)
- Internet and technical information (such as IP address, device identifiers, browser type, ISP, and data from cookies and web beacons)
16.3 Sources of Personal Information Vestwell Collects.
Vestwell collects Personal Information used in relation to the Sites from the following sources:
- Directly from End Users (e.g., through a submission made on Vestwell’s “Contact Us” page or when registering for an event)
- From third parties acting on End User’s behalf (e.g., your employer when it provides information about its employees)
- From first and third party cookies that helps Vestwell operate and assess the Sites (see our “Cookies” section above for more information)
16.4 Vestwell’s Business or Commercial Purposes for Collecting, Using and Disclosing Personal Information
Vestwell collects, uses, and discloses Personal Information for the following purposes:
- To provide End Users with a requested service
- To verify identity and registration
- To communicate with End Users and to respond to inquiries or service requests
- To gather feedback or survey responses
- To host corporate events on behalf of Vestwell and its affiliates or partners
- For Vestwell and its affiliates or partners marketing and analytics purposes
- To administer, assess, personalize, and improve the Sites and Services
- To conduct research, statistical analysis, survey/demographic interpretation, and other data studies based on the data collected
- To maintain network security and performance and protect against cyber-attacks
- To comply with and enforce applicable laws, industry standards, and Vestwell’s own policies and terms
- For auditing, reporting, corporate governance, and internal operations
- For due diligence and implementation of commercial transactions, including reorganizations, mergers or other disposition of all or any portion of Vestwell’s business, assets or stock
- To exercise and defend legal rights
- As otherwise described to End Users at the point of collection or pursuant to the End User’s consent
16.5 Categories of Third Parties With Whom Vestwell Shares Personal Information
Vestwell may share End User’s Personal Information with:
- Affiliates to enable them to provide services to End User, and to enable them to contact an End User regarding additional products and services that may interest them
- Agents and service providers who perform services on Vestwell’s behalf, such as hosting the Sites, sending communications, operating a call center, or hosting/managing corporate events
- Third parties involved in events the End User registers to attend, including physical and virtual sites that host the event
- With the End User’s employer, to the extent the End User uses the Services in connection with their employment
- Any entity that acquires all or a portion of Vestwell’s business, assets, or stock, including in connection with a merger, reorganization, or other commercial transaction. In such transactions, End User’s information generally is one of the transferred business assets. Also, if either Vestwell or any of Vestwell’s assets are acquired (including through bankruptcy proceedings), the End User’s Personal Information may be one of the transferred assets
- Authorities, subject to applicable laws, including to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside the End User’s country or state of residence.
Vestwell’s third-party affiliates, service providers and successors to whom it discloses information are required by law and/or contractual requirements to keep End User’s Personal Information confidential and secure. These third-party affiliates may not use or disclose information except as reasonably necessary to provide the Services to End Users of the Vestwell Platform or as otherwise permitted by law.
Vestwell may also use or share de-identified information that is not reasonably likely to identify the End User for commercially legitimate business purposes with its affiliates, service providers, and business partners.
16.6 Children’s Personal Information
16.7 Rights as a California Resident
Under California law, some California residents have specific rights regarding their Personal Information. These rights are subject to certain exceptions as described below. Further, if the End User is a current, former, or prospective Vestwell employee, or if Vestwell has collected or processed your Personal Information in connection with its business with a company, partnership, sole proprietorship, nonprofit or government agency, and the End User is an employee, owner, director, officer, or contractor of that entity, some of these rights do not go into effect until at least January 1, 2023. When required, Vestwell will respond to most requests within 45 days, unless it is reasonably necessary for it to extend its response time.
Right to Disclosure of Information
End Users have the right to request that Vestwell disclose certain information regarding its practices with respect to Personal Information. If an End User submits a valid and verifiable request and Vestwell confirms the End User’s identity and/or authority to make the request, Vestwell can disclose to the End User any of the following:
- The categories of Personal Information it collected about the End User in the last 12 months
- The categories of sources for the Personal Information it collected about the End User in the last 12 months
- Vestwell’s business or commercial purpose for collecting that Personal Information
- The categories of third parties with whom Vestwell shared that Personal Information
- The specific pieces of Personal Information Vestwell collected about the End User
- If Vestwell sold the End User’s Personal Information for a business purpose, a list of the Personal Information types that each category of recipient purchased
- If Vestwell disclosed the End User’s Personal Information to a third party for a business purpose, a list of the Personal Information types that each category of recipient received
Right to Delete Personal Information
End Users have the right to request that Vestwell deletes any of their Personal Information that was collected and retained, subject to certain exceptions. If the End User submits a valid and verifiable request and Vestwell can confirm their identity and/or authority to make the request, Vestwell will determine if retaining the information is necessary for it or its service providers to:
- Complete a transaction for which Vestwell collected the Personal Information, provide a good or service that the End User requested, take actions reasonably anticipated within the context of Vestwell’s ongoing business relationship with the End User, or otherwise perform its contractual obligations
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities
- Debug products to identify and repair errors that impair existing intended functionality
- Exercise free speech, ensure the right of another End User to exercise their free speech rights, or exercise another right provided for by law
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.)
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if End User previously provided informed consent
- Enable solely internal uses that are reasonably aligned with End User’s expectations based on your relationship with us
- Comply with a legal obligation
- Make other internal and lawful uses of that information that are compatible with the context in which the End User provided it
If none of the above retention conditions apply, Vestwell will delete the End User’s Personal Information from its records and direct its service providers to do the same.
How to excercise the above rights
End Users may exercise their rights to disclosure or deletion described above by submitting a verifiable consumer request to Vestwell’s Legal Team via email at Legal@vestwell.com or by telephone at (917) 979-5358 extension 103. Only the End User or a person legally authorized to act on their behalf may make a verifiable consumer request related to their Personal Information. Vestwell reserves the right to verify identities of an End User’s representative. The End User may make a verifiable consumer request for access or deletion no more than twice within a 12-month period. In connection with the request, Vestwell requires the End User to:
- Provide sufficient information that allows it to reasonably verify the End User is the person about whom Vestwell collected Personal Information or is an authorized representative of the End User. Depending on the nature of the request and the sensitivity of the information requested, Vestwell may ask for confirmation of various data elements it already has on file such as mailing address or phone number, or, in case of sensitive Personal Information, Vestwell may require you to submit a copy of a government issued identification.
- Describe their request with sufficient detail that allows Vestwell to properly understand, evaluate, and respond to it.
The End User will not be required to create an account with Vestwell in order to submit a verifiable request, though Vestwell may communicate with the End User about the request via a pre-established account if applicable. However, in order to safeguard the Personal Information in its possession, if Vestwell cannot verify your identity or authority to act on another’s behalf, Vestwell will be unable to comply with the request. Vestwell will only use End User’s Personal Information to confirm the End User’s identity or authority, or to fulfill their request.
16.8. Right to Opt out of Sales of End User’s Personal Information
As a California resident, an End User has the right to direct a business that sells their Personal Information to third parties to refrain from selling their Personal Information. This right is referred to as “the right to opt-out.” Because Vestwell does not sell End User’s Personal Information, it does not provide any mechanism for End User’s to exercise the right to opt out.
16.9. Right to Non-Discrimination
End Users may exercise their rights under the CCPA without discrimination. For example, unless the CCPA provides an exception, Vestwell will not:
- Deny the End User goods or services;
- Charge the End User different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- Provide the End User a different level or quality of goods or services; or
- Suggest that the End User may receive a different price or rate for goods or services or a different level or quality of goods or services.
Vestwell may offer the End User financial incentives to provide it with Personal Information that is reasonably related to the information’s value. This could result in different prices, rates, or quality levels for the Services. Any financial incentive Vestwell offers will be described in written terms that explain the material aspects of the financial incentive program. The End User must opt-in to any financial incentive program and may revoke their consent at any time by contacting Vestwell as indicated below.
16.10. Direct Marketing and Do Not Track Signals
Under California’s “Shine the Light” law, California residents may request and obtain a notice once a year about the Personal Information Vestwell shared with other businesses for its own direct marketing purposes. Such a notice will include a list of the categories of Personal Information that were shared (if any) and the names and addresses of all third parties with which the Personal Information was shared (if any). The notice will cover the preceding calendar year. To obtain such a notice, please contact Vestwell’s Legal Team at Legal@vestwell.com. In addition, under this law End Users are entitled to be advised of how Vestwell handles “Do Not Track” browser signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, Vestwell does not honor Do Not Track requests at this time.
17. How to Contact Vestwell