Supplemental Provision - California

Last Updated and Effective Date: May 14, 2023

This California Supplemental Provision (the “Supplement”) supplements the information contained in the Citi Authenticator Global Privacy Notice (the “Privacy Notice”) and applies solely to individuals who have rights under the California Privacy Rights Act (“CPRA”) (“California Residents,” “consumers, “you” or “your”) who are authorized Citi Global Workforce Members using the Citi Authenticator App (the “App”) to authenticate their identity to access the Citi IT network and services in performance of their duties for Citi (authorized “User”). Unless otherwise defined in the Privacy Notice, any terms defined in this Supplement have the meaning used in the CPRA.

Sensitive Personal Information

Under California law, certain types of Personal Information are considered “sensitive” Personal Information or data and require additional data privacy rights and obligations. For example, we collect and process account log-in information, as described in the Types of Information We Collect and Process section in the Privacy Notice, which is considered Sensitive Personal Information under the CPRA. We only collect this Sensitive Personal Information to perform services on behalf of the business, detect security incidents, and resist malicious, deceptive, fraudulent or illegal activities (“Permitted Uses”) or as otherwise permitted or required by law. Because we use this Sensitive Personal Information of California Residents for Permitted Uses, we do not need to provide a Limit Use and Disclosure of Sensitive Personal Information right under the CPRA.

If in connection with your use of the App, Citi collects any information that would be considered Sensitive Personal Information under other applicable privacy-related laws, rules or regulations (laws, rules or regulations collectively “Laws”), we will first obtain your explicit consent if required by Laws, unless otherwise noted in our Privacy Notice.

Summary of Personal Information Handling Practices

Citi provides in the chart below a summary of our prior 12-month Personal Information handling practices. We do not have actual knowledge of any collection, use, sale, or sharing of Personal Information of consumers under 16 years of age.

Category of Personal Information	Sources	Business or commercial purpose of processing and recipients of Personal Information
Identifiers, such as real name, email address, IP address, online identifiers issued by Citi, or other similar identifiers	Directly from You, from your use of the App, from or on behalf of the organization providing services to Citi with which you are associated(your “Organization”), or from other third parties.	Sold We have not sold your identifiers to third parties. Shared We have not shared your identifiers with third parties for targeted advertising purposes. Service Providers We have disclosed your identifiers to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information to authenticate you in order to provide you with access if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi, and to operate our business; to secure, maintain and improve our authentication services; to respond to your communications, concerning the App, Citi IT network access, and authentication services; to monitor and analyze trends, usage, and activities in connection with the App; to develop new functionalities and enhance current authentication services; to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citis IT network and services and other illegal or unpermitted activities, and protect the rights and property of Citi; to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management; and to to fulfill our compliance or legal obligations or as otherwise permitted by applicable Laws.
Any Personal Information described in Cal. Civ. Code § 1798.80(e), such as name or employment.	Directly from You, from your use of the App, from or on behalf of your Organization, or from other third parties.	Sold We have not sold such Personal Information to third parties. Shared We have not shared such Personal Information with third parties for targeted advertising purposes. Service Providers We have disclosed such Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information to authenticate you in order to provide you with access if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi, and to operate our business; to secure, maintain and improve our authentication services; to respond to your communications, concerning the App, Citi IT network access, and authentication services; to monitor and analyze trends, usage, and activities in connection with the App to develop new functionalities and enhance current authentication services; to detect, investigate and prevent fraudulent or unauthorized attempts to access or use illegal or unpermitted activities, and protect the rights and property of Citi; to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management; and to fulfill our compliance or legal obligations or as otherwise permitted by applicable Laws.
Internet or other electronic network activity information, such as device information, internet service provider information, time of logins, and usage.	Directly from You, from your use of the App, or parties.	Sold We have not sold such Personal Information to third parties. Shared We have not shared such Personal Information with third parties for targeted advertising purposes. Service Providers We have disclosed such Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT,application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information to authenticate you in order to provide you with access if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi, and to operate our business; to secure, maintain and improve our authentication services; to respond to your communications, concerning the App, Citi IT network access, and authentication services; to monitor and analyze trends, usage, and activities in connection with the App; to develop new functionalities and enhance current authentication services; to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citis IT network and services and other illegal or unpermitted activities, and protect the rights and property of Citi; to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management; and to fulfill our compliance or legal obligations or as otherwise permitted by applicable Laws.
Sensitive Personal Information, such as consumers’ account log-in information.	From you, from your use of the App, or from third parties.	Sold We have not sold such Sensitive Personal Information to third parties. Shared We have not shared such Sensitive Personal Information with third parties for targeted advertising purposes. Service Providers We have disclosed such Sensitive Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information to authenticate you in order to provide you with access if you are authorized by Citi, to the Citi IT network and services in of Citi, and to operate our business; to secure, maintain and improve our authentication services; to respond to your communications, concerning the App, Citi IT network access, and authentication services; to monitor and analyze trends, usage, and activities in connection with the App to develop new functionalities and enhance current authentication services; to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citis IT network and services and other illegal or unpermitted activities, and protect the rights and property of Citi; to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, terrorism, and for risk management; and to fulfill our compliance or legal obligations or as otherwise permitted by applicable Laws.
Professional or employment-related information	Directly from You, from your use of the App, of your Organization, or from other third parties.	Sold We have not sold such Personal Information to third parties. Shared We have not shared such Personal Informationwith third parties for targeted advertising purposes. Service Providers We have disclosed such Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information to authenticate you in order to provide you with access if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi, and to operate our business; to secure, maintain and improve our authentication services; to respond to your communications, concerning the App, Citi IT network access, and authentication services; to monitor and analyze trends, usage, and activities in connection with the App; to develop new functionalities and enhance current authentication services; to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citis IT network and services and other illegal or unpermitted activities, and protect the rights and property of Citi; to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management; and to fulfill our compliance or legal obligations or as otherwise permitted by applicable Laws.
Inferences drawn from any of the information identified herein, such App based on your device IP address	Directly from You, from your use of the App, or from other third parties.	Sold We have not sold such Personal Information to third parties. Shared We have not shared such Personal Information with third parties for targeted advertising purposes. Service Providers We have disclosed such Personal Information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. This includes service providers who provide us with IT, application services, messaging services. See the Disclosure of Personal Information section in the Privacy Notice for more details. Purposes of Processing such Personal Information to authenticate you in order to provide you with access if you are authorized by Citi, to the Citi IT network and services in performance of your duties for or on behalf of Citi, and to operate our business; to secure, maintain and improve our authentication services; to respond to your communications, concerning the App, Citi IT network access, and authentication services; to monitor and analyze trends, usage, and activities in connection with the App; to develop new functionalities and enhance current authentication services; to detect, investigate and prevent fraudulent or unauthorized attempts to access or use Citis IT network and services and other illegal or unpermitted activities, and protect the rights and property of Citi; to monitor your compliance with our policies and standards and protect our IT network, services and systems against fraud, crime, illegal activity, money laundering, or terrorism, and for risk management; and to fulfill our compliance or legal obligations or as otherwise permitted by applicable Laws.

Retention of Personal Information

We store Personal Information for as long as necessary to carry out the purposes for which we originally collected it and for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.

Your Rights and Choices

Applicable privacy-related Laws may afford Users residing in the California certain rights with respect to their Personal Information, subject to certain exceptions. Subject to certain limitations, you have the following rights in California:

(1) Right to Delete. You have the right to request us to delete the Personal Information we have collected about you.
(2) Right to Correct. You have the right to request us to correct inaccurate Personal Information we maintain about you.
(3) Right to Know and Access. You have the right to know and access the Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, and the specific pieces of Personal Information we have collected about you.
(4) Data Portability. You have the right to receive the information under right (4) in a format, to the extent technically feasible, that is portable, usable, and allows you to transmit the Personal Information to a person without impediment, where the processing is carried out by automated means.
(5) Rights Related to Sharing for Cross-Context Behavioral Advertising or Sale. We do not share your personal information for cross-context behavioral advertising or sell your personal information. Please contact us by using the information in the Contact Information section below if you have any questions.
(6) Right to No Discrimination. You have the right not to be discriminated or retaliated against for exercising any of your privacy rights.

Exercising Your Rights

To exercise your rights described above, please submit a verifiable consumer request to us by either:

Visiting Citi California Privacy Hub; or
Calling us at 833-981-0270 (TTY: 711)

We will need to verify your identity before honoring your privacy right request. We will verify your identity by asking you to provide personal information related to your employment with us or your engagement with us through your Organization, and/or other personal identifiers. Subject to certain limitations, we will honor your privacy rights request within 45 calendar days of receipt of your request, unless we request an extension as permitted by applicable Laws.

Authorized Agents

You may exercise your privacy rights through an authorized agent. If we receive your request from an authorized agent, we may ask for evidence that you have provided such agent with a power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf. If you are an authorized agent seeking to make a request, please contact us by either:

Visiting Citi California Privacy Hub; or
Calling us at 833-981-0270 (TTY: 711)

Contact Information

If you have any questions about this Supplement, the ways in which Citi collects and processes your Personal Information described in this Supplement, your choices and rights regarding such use, or wish to exercise your rights under the CPRA, please visit Citi California Privacy Hub or call us at 833-981-0270 (TTY: 711)