Last Updated and Effective Date: May 14, 2023
This California Supplemental Provision (the “Supplement”) supplements the information contained in the Citi Authenticator Global Privacy Notice (the “Privacy Notice”) and applies solely to individuals who have rights under the California Privacy Rights Act (“CPRA”) (“California Residents,” “consumers, “you” or “your”) who are authorized Citi Global Workforce Members using the Citi Authenticator App (the “App”) to authenticate their identity to access the Citi IT network and services in performance of their duties for Citi (authorized “User”). Unless otherwise defined in the Privacy Notice, any terms defined in this Supplement have the meaning used in the CPRA.
Under California law, certain types of Personal Information are considered “sensitive” Personal Information or data and require additional data privacy rights and obligations. For example, we collect and process account log-in information, as described in the Types of Information We Collect and Process section in the Privacy Notice, which is considered Sensitive Personal Information under the CPRA. We only collect this Sensitive Personal Information to perform services on behalf of the business, detect security incidents, and resist malicious, deceptive, fraudulent or illegal activities (“Permitted Uses”) or as otherwise permitted or required by law. Because we use this Sensitive Personal Information of California Residents for Permitted Uses, we do not need to provide a Limit Use and Disclosure of Sensitive Personal Information right under the CPRA.
If in connection with your use of the App, Citi collects any information that would be considered Sensitive Personal Information under other applicable privacy-related laws, rules or regulations (laws, rules or regulations collectively “Laws”), we will first obtain your explicit consent if required by Laws, unless otherwise noted in our Privacy Notice.
Citi provides in the chart below a summary of our prior 12-month Personal Information handling practices. We do not have actual knowledge of any collection, use, sale, or sharing of Personal Information of consumers under 16 years of age.
Category of Personal Information | Sources | Business or commercial purpose of processing and recipients of Personal Information |
---|---|---|
Identifiers, such as real name, email address, IP address, online identifiers issued by Citi, or other similar identifiers |
Directly from You, from your use of the App, from or on behalf of the organization providing services to Citi with which you are associated(your “Organization”), or from other third parties. |
Sold
We have not sold your identifiers to third parties. Shared We have not shared your identifiers with third parties for targeted advertising purposes. Service Providers We have disclosed your identifiers to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information
|
Any Personal Information described in Cal. Civ. Code § 1798.80(e), such as name or employment. |
Directly from You, from your use of the App, from or on behalf of your Organization, or from other third parties. |
Sold
We have not sold such Personal Information to third parties. Shared We have not shared such Personal Information with third parties for targeted advertising purposes. Service Providers We have disclosed such Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information
|
Internet or other electronic network activity information, such as device information, internet service provider information, time of logins, and usage. |
Directly from You, from your use of the App, or parties. |
Sold
We have not sold such Personal Information to third parties. Shared We have not shared such Personal Information with third parties for targeted advertising purposes. Service Providers We have disclosed such Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT,application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information
|
Sensitive Personal Information, such as consumers’ account log-in information. |
From you, from your use of the App, or from third parties. |
Sold
We have not sold such Sensitive Personal Information to third parties. Shared We have not shared such Sensitive Personal Information with third parties for targeted advertising purposes. Service Providers We have disclosed such Sensitive Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information
|
Professional or employment-related information |
Directly from You, from your use of the App, of your Organization, or from other third parties. |
Sold
We have not sold such Personal Information to third parties. Shared We have not shared such Personal Informationwith third parties for targeted advertising purposes. Service Providers We have disclosed such Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information
|
Inferences drawn from any of the information identified herein, such App based on your device IP address |
Directly from You, from your use of the App, or from other third parties. |
Sold
We have not sold such Personal Information to third parties. Shared We have not shared such Personal Information with third parties for targeted advertising purposes. Service Providers We have disclosed such Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information
|
We store Personal Information for as long as necessary to carry out the purposes for which we originally collected it and for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.
Applicable privacy-related Laws may afford Users residing in the California certain rights with respect to their Personal Information, subject to certain exceptions. Subject to certain limitations, you have the following rights in California:
(1) Right to Delete. You have the right to request us to delete the Personal Information we have collected about you.
(2) Right to Correct. You have the right to request us to correct inaccurate Personal Information we maintain about you.
(3) Right to Know and Access. You have the right to know and access the Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, and the specific pieces of Personal Information we have collected about you.
(4) Data Portability. You have the right to receive the information under right (4) in a format, to the extent technically feasible, that is portable, usable, and allows you to transmit the Personal Information to a person without impediment, where the processing is carried out by automated means.
(5) Rights Related to Sharing for Cross-Context Behavioral Advertising or Sale. We do not share your personal information for cross-context behavioral advertising or sell your personal information. Please contact us by using the information in the Contact Information section below if you have any questions.
(6) Right to No Discrimination. You have the right not to be discriminated or retaliated against for exercising any of your privacy rights.
To exercise your rights described above, please submit a verifiable consumer request to us by either:
Visiting Citi California Privacy Hub; or
Calling us at 833-981-0270 (TTY: 711)
We will need to verify your identity before honoring your privacy right request. We will verify your identity by asking you to provide personal information related to your employment with us or your engagement with us through your Organization, and/or other personal identifiers. Subject to certain limitations, we will honor your privacy rights request within 45 calendar days of receipt of your request, unless we request an extension as permitted by applicable Laws.
You may exercise your privacy rights through an authorized agent. If we receive your request from an authorized agent, we may ask for evidence that you have provided such agent with a power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf. If you are an authorized agent seeking to make a request, please contact us by either:
Visiting Citi California Privacy Hub; or
Calling us at 833-981-0270 (TTY: 711)
If you have any questions about this Supplement, the ways in which Citi collects and processes your Personal Information described in this Supplement, your choices and rights regarding such use, or wish to exercise your rights under the CPRA, please visit Citi California Privacy Hub or call us at 833-981-0270 (TTY: 711)