Skip to content
Vestwell Logo

Privacy Policy

1. Purpose and Scope

Vestwell Holdings Inc. and its subsidiaries (referred to as "Vestwell") are committed to protecting the privacy of End Users (as defined in section 2) who visit our websites or who access or use the Vestwell platform and any Vestwell’s related applications and services, including services offered by Vestwell’s subsidiaries and affiliates (collectively, the "Vestwell Platform"). This Privacy Policy explains what information we collect and why we collect it; how we use and disclose that information; and the choices we offer relating to the information we collect from or about End Users. This Privacy Policy applies to all End Users of the Vestwell Platform, a Vestwell application, or who visit our websites (including www.vestwell.com and all marketing sites) (these may be collectively referred to in this policy as the “Sites”). When an End User uses our Services (as defined in section 2), it is agreeing to the terms of this Privacy Policy as well as any other agreements it accepts when registering for a Vestwell account or receiving our Services. We will review and update this Privacy Policy periodically for compliance with applicable laws and regulations. Your use of a Site following the posting of an updated version of the Privacy Policy constitutes your acceptance of the updated Privacy Policy, so please check the Privacy Policy periodically to be sure you are still comfortable with its terms.

Before you use or submit any information through a Site, please carefully review this Privacy Policy and any applicable Terms of Use for that Site.

2. Definitions

There are a few terms used throughout this Privacy Policy that End Users should know.

“Confidential Information” means non-public information clearly identified as proprietary or confidential or which by its nature should be reasonably construed to be confidential. Confidential Information may include, but is not limited to, End Users’ Personal Information (as defined below); information about any Vestwell client or users of the Vestwell Platform; Vestwell’s proprietary software, intellectual property, products, services, strategies, or databases currently existing or under development; all reports and other similar product deliverables posted on the Vestwell Platform; tutorials, guides, and other education materials prepared by or for Vestwell.

“End User” or “End Users” (sometimes referred to as “you” or “your”) means any individual or organization that accesses or uses the Vestwell Platform or any other Vestwell application, visit the Sites, receives Vestwell’s Services, attends a Vestwell marketing event, or otherwise provides, directly or through a third party acting on their behalf, their Personal Information to Vestwell, including employees of Plan Sponsors and Employers that utilize the Vestwell Platform or Vestwell’s Services. When you use our Services or otherwise provide us with Personal Information, you are also agreeing that your Personal Information may be transferred from your current location to Vestwell’s offices and to any authorized and contracted third parties.

“Personal Information” means any information or data collected or maintained for Vestwell’s business purposes that (a) identifies, relates to, describes, or can be reasonably linked or associated with, directly or indirectly, to an End User, including by name, signature, address, telephone number, or other unique identifier; (b) can be used to identify or authenticate an End User, including passwords, PINs, biometric data, unique identification numbers (e.g., social security numbers, EINs), answers to security questions or other personal identifiers, or (c) an account number or credit card number or debit card number, in combination with any required security code, access code, or password, that would permit access to an End User's retirement plan account. Personal Information does not include information that is lawfully made available through federal, state, or local government records, or information that we have a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by you, or by a person to whom you have disclosed the information, unless we are informed that you have restricted the information to a specific audience.

“Plan Sponsor(s),” or “Employers” refers to businesses that offer tax-qualified retirement plans or participate in Secure Choice or other retirement or saving plans sponsored or made available by various states where Vestwell State Savings serves as the program administrator or functional equivalent.

“Services” refers to the services provided by Vestwell to support tax-qualified or state-sponsored retirement or savings plans, including payroll file and participant data processing, recordkeeping, and plan and program administration services set forth in Vestwell’s contracts with clients.

3. What Information Vestwell Collects About You

As part of our Services, and in order to carry out our contractual responsibilities, Vestwell collects information associated with Plan Sponsors, Employers, investment advisors, third party administrators or service providers, and End Users (including any beneficiaries or alternate payees) including, but not limited to:

  • Name
  • End Users’ Contact information such as address, telephone and/or mobile phone numbers, or email address
  • Demographic information, such as date of birth, marital status, or gender
  • Social Security Number, Tax Identification Number, or Employer Identification Number
  • Banking information for purposes of processing plan contributions, distributions, or invoices
  • Employment-related records, such as name of employer, job title, compensation, and years of service
  • The scope of Vestwell services and the name of the Vestwell entity performing those services
  • Marketing channel by which Vestwell acquired End Users’ information and any notice delivery preferences
  • Investment selections and contribution rates
  • Account balances and transactions with us or our partners and vendors
  • Biometric information such as voice recordings

Vestwell is provided with this information by you, your current or former Employer, or others acting on behalf of or authorized by you or your Employer, such as payroll providers and advisors, or proprietary search services.

4. How and When Vestwell Collects Information

Vestwell collects information in the following ways:

  • Information that is collected from End Users who visit the Sites (section 4.1);
  • Information provided to Vestwell when an End User registers to attend any of Vestwell’s events, responds to surveys, requests a proposal, contacts Vestwell for more information about the Services, or applies for employment opportunities with Vestwell (section 4.2);
  • Information that Plan Sponsors or Employers provide to Vestwell pursuant to an agreement with Vestwell to support its benefit plan or program; when an End User registers for an account on the Vestwell Platform; when an advisor, its affiliated home office, or any other organization enters into an agreement or arrangement with Vestwell to use or market the Vestwell Platform; or when an Employer or individual provides information to Vestwell in connection with its participation in a state-sponsored retirement or savings program or receives the Services (section 4.3); and
  • Vestwell may also collect information about you from other sources like service providers, other savings programs in which you participate or may have participated in, which we may combine with other information that we have about you.

4.1 Anonymous information Vestwell collects from End Users

Anytime an End User visits the Sites, even without affirmatively providing any Personal Information or Confidential Information to us, certain information may be passively collected using various technologies. This information may not reasonably identify you or your household personally, but it is linked to your computer or device. (“Device Identifiable Information”). We collect Device Identifiable Information from you in the normal course of providing the Services or when you visit the Sites. For example, when you visit our website to browse, read, or download information, we utilize commonly-used browser storage mechanisms and information-gathering tools such as cookies, unique identifiers, internet tags, web beacons, website analytics, and navigational data collection. This includes device-specific information (such as whether End Users are accessing the Vestwell Platform or the Sites from a mobile phone or laptop), the website URL that directed End Users to the Sites, the End User’s Internet Protocol address, the browser version of End User’s device, the date and time of access to the Sites, and the pages or screens that End Users access while using the Sites.  Our use of Device Identifiable Information, like our use of other aggregated or deidentified information, is not directly associated with Personal Information, and so is not restricted under this Privacy Policy.

4.2 Information provided to Vestwell when an End User schedules or attends a Vestwell event, responds to a survey, requests a proposal for Services, applies for employment, or other similar contact with Vestwell

Vestwell collects and uses the information that an End User, or someone acting on their behalf, affirmatively provides to us by phone, email, chat, social media, applying for employment, completing forms on the Sites or otherwise voluntarily providing to us for any reason. When End Users register to attend any of Vestwell’s webinars, seminars, or online programs or events; respond to any surveys, emails, or questionnaires; or contact Vestwell to request information, End Users may be requested to provide their name, address, email addresses, name of employer, and contact information. When End Users provide that information, Vestwell uses it to keep in contact with End Users to inform them about Vestwell’s Services, product enhancements, and related educational and promotional materials.

4.3 Information End Users provide to us when using our Services

End Users, by using our Services, are consenting to provide Vestwell with information needed to service the retirement plan in which they participate or for their accounts in a state-sponsored retirement or savings program. That consent includes permission for Vestwell to collect, store, use, and share with other contracted service providers their Personal Information as well as name, address, compensation, years of service, job title(s), contributions, investment selections, information necessary to qualify you to open or utilize a savings product, and other data that Vestwell or contracted service providers need in order to perform their respective contractual obligations and Services. By registering for a Vestwell account or by using the Services, End Users, Employers, and Plan Sponsors agree to Vestwell’s use of Personal Information and cannot opt out, remove consent, or delete Personal Information or certain other information from the Sites that we need in order to perform our Services.

5. How Vestwell Uses the Information Collected

Vestwell uses the information collected to provide the Services, including to diagnose and remediate technical and service-related issues.

Vestwell may also use collected information for its own general business purposes, which may include, but is not limited to, helping it analyze, research, report on, and improve the Services; assessing the effectiveness of the Services; detecting, understanding and resolving any technical issues with the Sites or servicing End User accounts; or better serving its current and prospective clients’ and investment advisors’ needs with respect to products, services, and support.

Vestwell may also use collected information for marketing communications, either directly or through a third party, in relation to existing or new services, for education information it thinks might benefit the End User, or for keeping End Users up to date on industry and regulatory information and trends. End Users may opt out of receiving these marketing communications at any time (see "Choice/Opt-Out" below).

Vestwell may also use End Users’, Employers’, and/or Plan Sponsors’ contact information to inform them about additional or changes to Vestwell’s services, market trends, legislative changes, general retirement plan education materials, or other information related to the use of the Vestwell Platform or our Services. By registering for a Vestwell account or an account with a state-sponsored retirement or savings program or when using the Vestwell Platform, End Users, Employers, investment advisors, and Plan Sponsors agree to Vestwell’s uses of Personal Information and cannot opt out or remove consent, or delete Personal Information or other information from the Sites that Vestwell needs to perform its Services and to comply with any relevant regulatory requirements.

6. Cookies and Tracking Technologies

Vestwell uses cookies to help track user traffic patterns and analyze its marketing activities. A "cookie" is a small data file that certain websites write to End Users’ hard drives when they visit a website. A cookie file can contain information such as a unique user ID that a website uses to track the pages End Users visited on the Sites. Cookies can help save time. For example, if an End User personalizes a web page, or navigates within a website, a cookie tracks and recalls the specific information for future visits.


In addition to cookies, Vestwell and the Sites use a variety of other methods and tools for tracking purposes, including Internet tags and web beacons, which are small pieces of data that are embedded in images and pages of the Sites. While most web browsers automatically accept cookies, some browsers allow End Users to modify browser settings to decline cookies and/or "opt-out" of tracking technologies. As each browser is different, it is solely your responsibility to determine whether to activate or deactivate those tracking technologies. Please note however, if an End User turns off cookies, some of the functionality of the Sites and/or our Services may be reduced or impaired.


Vestwell also utilizes proprietary and third-party analytics tools, such as Google Analytics, Facebook pixels, Heap, and other solutions, to gather information about End Users and visitors to the Sites designed to help Vestwell gain insight into how End Users and visitors to the Sites interact with and use the Sites and utilize Vestwell’s content and other services.

7. How and With Whom Vestwell Shares Information

Vestwell does not sell or rent Personal Information and only directly or knowingly shares Personal Information with service providers, business partners, or other third parties under the following limited circumstances:

  • With Plan Sponsors, Employers, payroll providers, investment advisors, third party administrators, mutual fund providers, or other service providers associated with the End User’s retirement plan or savings account.
  • Vestwell subsidiaries and its service providers to carry out, improve, or maintain the Services to End Users.  These may include vendors or subcontractors of Vestwell, such as hosting, data management, and information technology providers, identity verification and fraud prevention services, data analytics, payment processors, payroll companies, and customer support services. These providers may have access to Personal Information needed to perform their designated functions, but are generally contractually restricted to the best of our ability from using such Personal Information for purposes other than providing services for Vestwell. We do not authorize them to sell, use, share, or disclose your Personal Information for their own marketing or other unauthorized purposes. Such third parties’ use of information we disclose to them may also be subject to the third party’s own privacy policy.
  • When legally required to access, use, preserve, or disclose the information to satisfy any applicable law, regulation, legal process, or enforceable governmental request, including preparing and filing to government agencies or providing support relating to our Services.
  • To detect, prevent, or otherwise address security or technical issues involving the Sites or the Vestwell Platform.
  • To protect against harm to the rights, property, or safety of Vestwell, its employees, End Users, or the public as required or permitted by law.
  • Market or improve our Services or third party products or services that may be of interest or benefit to you. This includes information sharing to analyze trends and track online movement of End Users.
  • To audit, investigate, enforce the terms of Vestwell’s service agreements.
  • Disclosure to federal, state or local regulators as required by applicable law.
  • Other information sharing or disclosure as permitted by you.

Vestwell may also share End Users’ aggregated or de-identified information with third parties regarding trends about the general use of its services or the URL used to contact or communicate with Vestwell or the Sites.

Vestwell intends to keep End Users of the Services current about new Vestwell Platform features, important Vestwell announcements that are relevant to Vestwell Platform users, industry or regulatory updates, or other information it believes End Users would like to hear about either from it or from its business partners, and Vestwell may be using the information provided for those purposes as well as the activities noted in section 4.

In addition, Vestwell may share anonymized aggregate information about End Users, such as demographics of Vestwell Platform, with the media, business partners, and other third parties for Vestwell’s business purposes, such as to customize or enhance the content and functionality of the Sites.

Lastly, as Vestwell continues to develop its business, it might sell or buy assets. In such transactions, End User information may be one of the transferred business assets. If either Vestwell or any of Vestwell’s assets are merged or acquired, End User’s Personal Information may be one of the transferred assets.

The Sites may reference or provide links to third party websites, including social media bookmarking buttons that enable or require the End User to share certain content on or communicate with the Sites or the Vestwell Platform. Vestwell is not responsible for any activities of third party websites, and the End User should review the terms of use, cookie policies and privacy policies posted on such sites. Please be aware that Vestwell does not control, nor is it responsible for, the privacy policies, operation, or data collection or information practices or use of third parties or their websites. When an End User uses third party links, these third parties may collect Personal Information about you or your online activities.

From time to time, we may also engage third parties to track and analyze statistical usage and volume information from individuals who visit our Sites. We may also use other third-party cookies, pixels, and similar technologies to track site and advertisement performance. The information provided to and received from these third parties does not include Personal Information, but we may re-associate this information with Personal Information after we receive it; that combined information is considered Personal Information under this Privacy Policy. We may also contract with third-party advertising networks that collect IP addresses and other Device Identifiable Information on our website and emails. Third-party use of such re-associated or combined information as Device Identifiable Information is restricted and we will use it for our business purposes, including for providing or enhancing our Services. Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services that you do not want them to track your online activities. Our Sites and Services do not currently support Do Not Track requests at this time. We contract with other companies to provide advertising content, social networking services, or other services on our website. These companies may collect information about your visits to the Sites in order to measure and assess the effectiveness of online advertising and to provide and better target advertisements about goods and services of interest to you through our Services. While the information collected by these third parties from you while you are visiting our Sites may or may not be personally identifiable, we may combine such information with other information we have collected from your other interactions, such as their own past online information and web usage from other sites. Such other information may include Personal Information, as well as demographic and behavioral information.

Except where “opt-in” consent is required by law (e.g., for processing of Sensitive Personal Information of a Virginia consumer), we will provide you an “opt-out” notice that clearly and conspicuously describes your right to opt out of such sharing if we disclose your information with a third party other than as described in this Privacy Policy. If you become aware of any unauthorized use of your Personal Information by us or our Service Providers, please contact us at Legal@vestwell.com.

This Privacy Policy only applies to Vestwell’s privacy practices. Vestwell’s Sites and the Vestwell Platform may contain links to other websites or applications operated by third parties. Some of these third-party sites may be co-branded with a Vestwell logo even though they are not operated or maintained by Vestwell. End Users may be directed through links to those sites while visiting the Sites or using the Vestwell Platform. Although Vestwell chooses its business partners carefully, Vestwell is not responsible for the privacy practices or security issues of websites operated by any third parties.

8. Sale of Personal Information

A “sale” of Personal Information under the Virginia Consumer Data Protection Act and similar data protection laws is defined as the exchange of Personal Information with a third party for monetary consideration. A “sale” of Personal Information under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and similar data protection laws includes an exchange of Personal Information with a third party for monetary or any other valuable consideration, and “sharing” includes providing Personal Information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. We do not sell Personal Information to or “share” Personal Information with any third parties as defined under applicable law. We also do not disclose Personal Information to third parties for purposes of “targeted advertising” as defined by applicable law. We do not have actual knowledge that we have sold the Personal Information of consumers we know are less than 16 years of age.

9. How Does Vestwell Protect My Personal Information

End Users’ privacy matters to Vestwell and Vestwell works hard to protect it. End User’s personal information is protected by physical, electronic, and procedural safeguards. We utilize reasonable security technologies to protect Personal Information in accordance with industry and regulatory standards, which may include monitoring and recording transactions to help detect potential fraudulent activity, and utilizing encryption, two-factor authentication, automatic logout after a specified period of inactivity, or other controls to help protect End User’s Personal Information. These safeguards also include appropriate procedures for access and use of electronic data, provisions for the secure transmission of sensitive personal information on the Vestwell Portal, and telephone system authentication procedures. Additionally, Vestwell limits access to Personal Information to those Vestwell employees who need access in order to offer and provide the Services to you. Vestwell requires our service providers to protect Personal Information by utilizing the privacy and security safeguards required by law.

However, the security of this information is conditioned and dependent in part on the security of the computer or device the End User uses to communicate with Vestwell, the security provided by the End User’s internet access services provider, and activities of the End User or others beyond Vestwell’s control. You should review the security and privacy policies of your internet access services provider carefully. Information that you access by using the Sites and the Vestwell Platform may be stored on your computer during your session. If others have access to your computer or device or email accounts, they may be able to access this information. Vestwell is not responsible for the security or privacy of information communicated to or from or stored on an End User’s computer, device or internet service provider. The End User is responsible for keeping all such records confidential. Your use of the Vestwell Platform and the Sites are also governed by the Platform Terms of Use, which is incorporated herein by reference.


Vestwell does not send unsolicited communications asking for account information, such as your password. Report suspected phishing emails or calls to us at help@vestwell.com Our privacy and security practices are independently certified annually, including SOC certification.

Please be aware that, despite Vestwell’s efforts, no security measures are perfect or impenetrable. While Vestwell strives to protect End User’s Personal Information, it cannot and does not guarantee the security of the information an End User transmits, and urges End Users to take every precaution to protect their Personal Information. Vestwell suggests changing passwords often, using a combination of letters and numbers, taking advantage of multi-factor authentication features where available, installing an antivirus and anti-malware software, and making sure that an up-to-date and secure browser is being used. Vestwell recommends that End Users not store passwords in browsers or share log-in credentials to any website with anyone.

10. Retention of Personal Information

Vestwell retains Personal Information for as long as necessary to provide the Services, carry out the purposes described in this Privacy Policy, or as required in order to comply with records retention periods and applicable law. For example, Vestwell may retain information about End Users in order to comply with legal, record keeping and regulatory obligations, or to protect its interests as part of providing the Services.

11. Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Iowa Privacy Act and Indiana Consumer Data Protection Act

Virginia, Colorado, Connecticut, Utah, Iowa and Indiana have enacted comprehensive consumer data privacy laws. The laws have several provisions in common, such as the right to access and delete Personal Information and to opt-out of the sale of Personal Information, among others. Other provisions require commercial websites or online services to post a privacy policy that describes the types of personal information collected, what information is shared with third parties, and how consumers can request changes to certain information. Vestwell’s privacy policies adhere to these State requirements in its overall Privacy Policy.


Colorado, Connecticut, and Virginia all require the performance of data protection assessments (“DPAs”), prior to performing certain processing activities considered “high risk.” This includes processing of “sensitive data,” which includes health data, genetic or biometric data, children’s data, or data that would reveal an individual’s race, ethnicity, sexual orientation, sex life, or citizenship status. Sections 3, 4 and 5 of this Privacy Policy discusses what information is collected and processed by Vestwell during the course of providing the Services.

12. Opting Out of Certain Communications

Vestwell wants End Users to have the tools necessary to manage their Personal Information. It is important that End Users ensure that the information Vestwell has is accurate and current so that it can properly and timely perform the Services. End Users’ ability to manage their Personal Information will differ depending on their relationship with Vestwell and the Services provided.

With respect to anonymous information that Vestwell collects about End Users that browse its Sites described in Section 4.1 above, End Users may be able to set their own Internet browser to alert them when a tracking cookie is sent or to refuse cookies altogether. Each browser setup is different. Please be aware that certain features of the Sites may not work without cookies enabled.

In some areas of the Sites, such as when subscribing to marketing communications, End Users are provided with an opportunity to opt out of receiving future communications, which is how End Users give, or decline to give, their consent to use Personal Information for the purpose(s) covered by the applicable opt-out choice. End Users may also indicate their desire to opt-out when receiving marketing and promotional communications from Vestwell by clicking the "unsubscribe" hyperlink and following the instructions or at any time by sending an email request to help@vestwell.com (please indicate "Opt-Out" in the subject line). Vestwell maintains records of opt-out requests consistent with applicable law. If End Users wish to remove their name and information from marketing communications, Vestwell may not be able to immediately delete residual copies from its active or backup servers, and it may take up to 30 days to completely remove the End User’s information.

12.1 Right to Opt-In

If you are a resident of the Commonwealth of Virginia (and beginning on July 1, 2023, Colorado or Connecticut), applicable law requires us to receive your opt-in consent before processing certain Sensitive Personal Information, including (1) Personal Information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) Personal Information collected from a known child; or (4) precise geolocation data. We do not process your Sensitive Personal Information as defined under applicable Virginia law in connection with the Services but will ask for your opt-in consent before doing so.

12.2 Right to Know

You have the right to know and confirm that we are processing your Personal Information. You also have a right to access to see what Personal information we have collected about you. To the extent feasible, you may request for us to also provide a copy of your Personal Information that you previously provided to us in readily usable format to permit you to transfer your data to another entity.

12.3 Right to Correct

You have the right to request that we correct any inaccuracies in the Personal Information we have collected from you.

12.4 Right to Delete

You have the right to request that we delete the Personal Information we have collected from you and direct our Service Providers to do the same. There are a number of exceptions, however, that include, but are not limited to, when the information is necessary for us or a third party to do any of the following:

  • Comply with a federal, state, or local laws, rules, regulations, or other legal obligations;
  • Investigate, establish, exercise, prepare for, or defend any legal claims;
  • Provide you a good or service;
  • Perform a contract between us and you;
  • Protecting an interest that is essential for your or another natural person’s life or physical safety;
  • Prevent, detect, protect against, or response to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; or prosecute those responsible for any such action;
  • Preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
  • Protect the free speech rights of you or other users;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interests that adheres to all other applicable ethics and privacy laws; or
  • Conduct internal research to develop, improve, or repair our products, services, or technology.

12.5 Exercising Your Rights

If you want to access, review, update, or correct inaccuracies in your Personal Information, or delete your Personal Information in accordance with this Privacy Policy, you can contact us at help@vestwell.com or call us at (917) 979-5358. If you are an End User, you also have the right to view and correct information we collect about you, such as your name, phone number, email address(es), business information, and mailing address, from your Vestwell portal  or by contacting us at help@vestwell.com. IP information and other Device Identifiable Information cannot be viewed or changed, except for persistent cookies which can be blocked by changing the settings on your website browser. Upon receiving your communication, we will take appropriate steps to update or correct such information in our possession, or to remove you from our mailing list. Your preferences may depend on the services we provide you, and may include, if applicable, your profile information, any payment and account information, or whether you want to receive communications from us. We may request certain Personal Information for the purposes of verifying the identity of the individual seeking access to their Personal Information records.

If you have agreed to receive communications or solicitations from us, and you later change your mind, you can revise your preference by contacting us at help@vestwell.com. You also may opt out of receiving future promotional emails from us by clicking on the opt-out or “unsubscribe” link within the promotional email you receive. Please understand that if you opt out of receiving promotional correspondence from us, we may still send you transactional emails and contact you in connection with your other relationship, activities, and communications with us. You may opt-out of receiving ads from network advertisers by clicking the AdChoices icon on advertisements that are sent to you or by visiting the opt-out pages on the NAI website and the DAA website. Opting out does not prevent you from seeing ads; it simply means that network advertisers will no longer collect data for the purpose of providing you targeted ads. The NAI and DAA opt-out tools are cookie-based. They signal network advertisers so that they do not collect data online or deliver specific ads targeting you, and only affect the Internet/web browser on the computer where the cookies are installed. These opt-out tools will only function if your browser is set to accept third-party cookies. If you delete an opt-out cookie or all your cookies from a browser’s cookie files, change web browsers, or change computers, you will no longer be opted out of our data collection and ad targeting, and we may place a new cookie unless an opt-out cookie is again reset on that browser. Opting out using one browser on one computer will not opt you out using any other browser on the same or another computer.

12.6 Response Timing and Format

Upon receiving your communication, we will take appropriate steps to update or correct such information in our possession, or to remove you from our catalog and mailing list. We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another forty-five (45) days), we will inform you of the reason and extension period in writing. Your preferences may depend on the services we provide you, and may include, if applicable, your profile information, any shipping, payment, and account information, or whether you want to receive communications from us. If you are a registered User, you can access some preferences by logging into your Vestwell portal. We may request certain Personal Information for the purposes of verifying the identity of the individual seeking access to their Personal Information records. For data portability requests, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. The “Right to Appeal” below describes how you can appeal our refusal to take action on a request to exercise your rights.

12.7 Right to Appeal

If we refuse to take action on your request to exercise your rights, you may appeal our refusal. To appeal a refusal, please submit a copy of your request for an appeal and the original request to us as indicated in this Privacy Policy.  Unless otherwise indicated in this Privacy Policy, within sixty (60) days of our receipt of your request for an appeal, we will inform you, in writing, of any action taken or not taken in response to your appeal. We will include a written explanation of the reasons for the decisions.  If we deny your appeal, you may contact your local privacy enforcement authority to submit a complaint based on the below information.

12.8 Virginia residents

If you are a resident of the Commonwealth of Virginia, you can file a complaint with the Consumer Protection Section of the Office of the Attorney General of Virginia at 202 North Ninth Street, Richmond, VA 23219

Toll Free: (800) 552-9963
Phone number: (804) 786-2042
Fax number: (804) 225-4378
Online: https://www.oag.state.va.us/consumercomplaintform/form/start

12.9 Colorado residents

Effective July 1, 2023, if you are a resident of Colorado, we will inform you, in writing, of any action taken or not taken in response to your appeal within forty-five (45) days of receipt of your appeal. If we require more time (up to another sixty (60) days), we will inform you of the reason and extension period in writing. If we deny your appeal, you can file a complaint with the Office of the Attorney General of Colorado at: Ralph L. Carr Judicial Building, 1300 Broadway, 10th Floor, Denver, CO 80203
Phone number: (720) 508-6000
Online: https://coag.gov/file-complaint/

12.10 Connecticut residents

Effective July 1, 2023, if you are a resident of Connecticut, you can file a complaint with the Office of the Attorney General of Connecticut at: 165 Capitol Avenue, Hartford, CT 06106
Phone number: (860) 808-5420
Online: https://www.dir.ct.gov/ag/complaint/

13. Privacy Notice for California Residents

This California Resident Privacy Notice supplements the Vestwell Privacy Policy and applies to California residents’ Personal Information collected in relation to the Sites.

13.1 What is Personal Information?

“Personal Information" has the same meaning as under the California Consumer Privacy Act (“CCPA”): information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include information that is de-identified or aggregated.

13.2 Personal Information Vestwell Collects

Vestwell collects the following types of information in connection with the Sites:

  • Unique identifiers (such as names or an ID number)
  • Contact information (such as telephone number, email address, or mailing address)
  • Professional information (such as employer’s name and title)
  • Commercial information (such as communication preferences, survey data, or other information provided in order for Vestwell to respond to inquiries)
  • Audio, video, or visual information (such as a recording of voice or image if an End User participates in a corporate event. End Users will always be notified of any recording in advance)
  • End User profile information (such as dietary preferences if End User registers for an event with a meal included)
  • Internet and technical information (such as IP address, device identifiers, browser type, ISP, and data from cookies and web beacons)

13.3 Sources of Personal Information Vestwell Collects.

Vestwell collects Personal Information used in relation to the Sites from the following sources:

  • Directly from End Users (e.g., through a submission made on Vestwell’s “Contact Us” page or when registering for an event)
  • From third parties acting on End User’s behalf (e.g., your employer when it provides information about its employees)
  • From first and third party cookies that helps Vestwell operate and assess the Sites (see our “Cookies” section above for more information)

13.4 Vestwell’s Business or Commercial Purposes for Collecting, Using and Disclosing Personal Information.

Vestwell collects, uses, and discloses Personal Information for the following purposes:

  • To provide End Users with a requested service
  • To verify identity and registration
  • To communicate with End Users and to respond to inquiries or service requests
  • To gather feedback or survey responses
  • To host corporate events on behalf of Vestwell and its affiliates or partners
  • For Vestwell and its affiliates or partners marketing and analytics purposes
  • To administer, assess, personalize, and improve the Sites and Services
  • To conduct research, statistical analysis, survey/demographic interpretation, and other data studies based on the data collected
  • To maintain network security and performance and protect against cyber-attacks
  • To comply with and enforce applicable laws, industry standards, and Vestwell’s own policies and terms
  • For auditing, reporting, corporate governance, and internal operations
  • For due diligence and implementation of commercial transactions, including reorganizations, mergers or other disposition of all or any portion of Vestwell’s business, assets or stock
  • To exercise and defend legal rights
  • As otherwise described to End Users at the point of collection or pursuant to the End User’s  consent

13.5 Categories of Third Parties With Whom Vestwell Shares Personal Information.

Vestwell may share End Users’ Personal Information with:

  • Affiliates to enable them to provide services to End User, and to enable them to contact an End User regarding additional products and services that may interest them
  • Agents and service providers who perform services on Vestwell’s behalf, such as hosting the Sites, sending communications, operating a call center, or hosting/managing corporate events
  • Third parties involved in events the End User registers to attend, including physical and virtual sites that host the event or third party social media providers as a result of its use of the tracking technologies explained in this Privacy Policy
  • With the End User’s employer, to the extent the End User uses the Services in connection with their employment
  • Any entity that acquires all or a portion of Vestwell’s business, assets, or stock, including in connection with a merger, reorganization, or other commercial transaction.  In such transactions, End User’s information generally is one of the transferred business assets. Also, if either Vestwell or any of Vestwell’s assets are acquired (including through bankruptcy proceedings), the End User’s Personal Information may be one of the transferred assets
  • Authorities, subject to applicable laws, including to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside the End User’s country or state of residence

Vestwell’s third-party affiliates, service providers and successors to whom it discloses information are required by law and/or contractual requirements to keep End User’s Personal Information confidential and secure. These third-party affiliates may not use or disclose information except as reasonably necessary to provide the Services to End Users of the Vestwell Platform or as otherwise permitted by law.

Vestwell may also use or share de-identified information that is not reasonably likely to identify the End User for commercially legitimate business purposes with its affiliates, service providers, and business partners.

Vestwell does not sell Personal Information to any third parties, and has not done so in the preceding 12 months. As Vestwell explains in this Privacy Policy, it and its third-party partners use cookies and other tracking technologies to analyze website traffic and facilitate marketing or advertising.

13.6 Children’s Personal Information. Please refer to section 14 of this Privacy Policy.

13.7 Rights as a California Resident.

Under California law, some California residents have specific rights regarding their Personal Information.  These rights are subject to certain exceptions as described below.  Further, if the End User is a current, former, or prospective Vestwell employee, or if Vestwell has collected or processed your Personal Information in connection with its business with a company, partnership, sole proprietorship, nonprofit or government agency, and the End User is an employee, owner, director, officer, or contractor of that entity, some of these rights do not go into effect until at least January 1, 2023 or later. When required, Vestwell will respond to most requests within 45 days, unless it is reasonably necessary for it to extend its response time.

  • Right to Disclosure of Information

    End Users have the right to request that Vestwell disclose certain information regarding its practices with respect to Personal Information. If an End User submits a valid and verifiable request and Vestwell confirms the End User’s identity and/or authority to make the request, Vestwell can disclose to the End User any of the following:
    • The categories of Personal Information it collected about the End User in the last 12 months
    • The categories of sources for the Personal Information it collected about the End User in the last 12 months
    • Vestwell’s business or commercial purpose for collecting that Personal Information
    • The categories of third parties with whom Vestwell shared that Personal Information
    • The specific pieces of Personal Information Vestwell collected about the End User
    • If Vestwell sold the End User’s Personal Information for a business purpose, a list of the Personal Information types that each category of recipient purchased
    • If Vestwell disclosed the End User’s Personal Information to a third party for a business purpose, a list of the Personal Information types that each category of recipient received
  • Right to Delete Personal Information

    End Users have the right to request, and if you are the parent or guardian of a minor child, you may also make a request related to your child’s Personal Information, that Vestwell deletes any of their Personal Information that was collected and retained, subject to certain exceptions.  If the End User submits a valid and verifiable request and Vestwell can confirm their identity and/or authority to make the request, Vestwell will determine if retaining the information is necessary for it or its service providers to:
    • Complete a transaction for which Vestwell collected the Personal Information, provide a good or service that the End User requested, take actions reasonably anticipated within the context of Vestwell’s ongoing business relationship with the End User, or otherwise perform its contractual obligations
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities
    • Debug products to identify and repair errors that impair existing intended functionality
    • Exercise free speech, ensure the right of another End User to exercise their free speech rights, or exercise another right provided for by law
    • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.)
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if End User previously provided informed consent
    • Enable solely internal uses that are reasonably aligned with End User’s expectations based on your relationship with us
    • Comply with a legal obligation
    • Make other internal and lawful uses of that information that are compatible with the context in which the End User provided it

If none of the above retention conditions apply, Vestwell will delete the End User’s Personal Information from its records and direct its service providers to do the same.

  • How to exercise the above rights

    End Users may exercise their rights to disclosure or deletion described above by submitting a verifiable consumer request to Vestwell’s Legal Team via email at Legal@vestwell.com or by telephone at (917) 979-5358 extension 103. Only the End User or a person legally authorized to act on their behalf may make a verifiable consumer request related to their Personal Information.  Vestwell reserves the right to verify identities of an End User’s representative without modifying any of its other contractual obligations.  The End User may make a verifiable consumer request for access or deletion no more than twice within a 12-month period. In connection with the request, Vestwell requires the End User to:
    • Provide sufficient information that allows it to reasonably verify the End User is the person about whom Vestwell collected Personal Information or is an authorized representative of the End User. Depending on the nature of the request and the sensitivity of the information requested, Vestwell may ask for confirmation of various data elements it already has on file such as mailing address or phone number, or, in case of sensitive Personal Information, Vestwell may require you to submit a copy of a government issued identification.
    • Describe their request with sufficient detail that allows Vestwell to properly understand, evaluate, and respond to it.

      The End User will not be required to create an account with Vestwell in order to submit a verifiable request, though Vestwell may communicate with the End User about the request via a pre-established account if applicable.  However, in order to safeguard the Personal Information in its possession, if Vestwell cannot verify your identity or authority to act on another’s behalf, Vestwell will be unable to comply with the request.  Vestwell will only use End User’s Personal Information to confirm the End User’s identity or authority, or to fulfill their request.

13.8. Right to Opt out of Sales of End User’s Personal Information

As a California resident, an End User has the right to direct a business that sells their Personal Information to third parties to refrain from selling their Personal Information.  This right is referred to as “the right to opt-out.”  Because Vestwell does not sell End User’s Personal Information, it does not provide any mechanism for End User’s to exercise the right to opt out.

13.9. Right to Non-Discrimination

End Users may exercise their rights under the CCPA without discrimination.  For example, unless the CCPA provides an exception, Vestwell will not:

  • Deny the End User goods or services;
  • Charge the End User different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide the End User a different level or quality of goods or services; or
  • Suggest that the End User may receive a different price or rate for goods or services or a different level or quality of goods or services.

Vestwell may offer the End User financial incentives to provide it with Personal Information that is reasonably related to the information’s value.  This could result in different prices, rates, or quality levels for the Services.  Any financial incentive Vestwell offers will be described in written terms that explain the material aspects of the financial incentive program.  The End User must opt-in to any financial incentive program and may revoke their consent at any time by contacting Vestwell as indicated below.

13.10. Direct Marketing and Do Not Track Signals

Under California’s “Shine the Light” law, California residents may request and obtain a notice once a year about the Personal Information Vestwell shared with other businesses for its own direct marketing purposes.  Such a notice will include a list of the categories of Personal Information that were shared (if any) and the names and addresses of all third parties with which the Personal Information was shared (if any).  The notice will cover the preceding calendar year. To obtain such a notice, please contact Vestwell’s Legal Team at Legal@vestwell.com.

14. Children

Vestwell Services are not targeted or directed at children under the age of 13, and it does not intend to or knowingly collect or solicit Personal Information from children under the age of 13. Vestwell does, however, process Personal Information about children when necessary for the Services and when provided by the End User. For example, if an End User has a college savings account supported by our Services, Vestwell may collect information relating to the beneficiaries of that account, which may include children under age 13. Personal Information about individuals under age 13 will be treated the same as Personal Information described in this Privacy Policy.

15. International Use Statement

Vestwell is based in the United States and our Services are provided and targeted only to residents of the United States. Personal Information provided to us may be transferred to or controlled and processed in the United States, but in certain circumstances, service providers or business partners may process data in or outside of the United States. By providing Vestwell with Personal Information and by using the Sites or the Vestwell Platform, End Users consent to this transfer and acknowledge that Personal Information stored or processed in the United States will be subject to the laws of the United States, including the ability of governments, courts, law enforcement, and/or regulatory agencies of the United States that have valid jurisdiction over Vestwell to obtain disclosure of End User’s Personal Information. The End User also understands and accepts that their Personal Information may be transferred to and processed in the United States and other countries that may not provide the same level of data protection and privacy as the United States or the country of the End User’s residence, and may have been deemed to have inadequate data protection and privacy laws. If an End User accesses the Sites from a location outside of the United States, the End User agrees that the use of Vestwell’s Sites is subject to the terms of this Privacy Policy.

16. How to Contact Vestwell

Privacy matters to Vestwell. Vestwell welcomes comments regarding this Privacy Policy and practices. If you have reason to believe that Vestwell has not adhered to this Privacy Policy, or any other questions or complaints relating to our privacy practices, please contact Vestwell by email at help@vestwell.com or by mail at Vestwell Holdings Inc., Legal Department, 1410 Broadway, 23rd Floor, New York, New York 10018 (917) 979-5358. All complaints are recorded, reviewed, and handled by the Vestwell Legal Department, which can also be reached at Legal@vestwell.com. Complaints are generally responded to within thirty days.

Revised: May 2023