Privacy Statement: Live Well at Citi (Citi Fitness Challenge)

Operative date: January 1, 2023

This Privacy Statement (Statement) describes how Citigroup Inc. and/or any of its affiliates, subsidiaries or branches wherever located (Citi) may collect, use and disclose information gathered from employees who register in the Live Well at Citi / Fitness Challenge which is offered periodically (Program) through the Live Well at Citi online and mobile applications (collectively, the Services).

We advise you to read the Statement in its entirety, including the jurisdiction-specific provisions in the appendix to this Statement, which will apply to users in certain jurisdictions. Additionally, please note that Section I of this Statement, which describes our collection and use of information through our Services, also serves as our Notice At Collection for California residents for purposes of the California Consumer Privacy Act (CCPA), which you can view by clicking here. By using the Services, you agree to this Privacy Statement.

As you review this Privacy Statement, here are a few important things to keep in mind:

• If you have a financial product or service with us for personal, family or household use with one of our U.S. businesses, that business would also have delivered to you a U.S. Customer Privacy Notice (Customer Privacy Notice) that explains how that business collects, uses and discloses information about you, and offers you certain choices with respect to the use and sharing of your personal information.
• The Services are not intended for children under 13 years of age. We do not knowingly solicit information from, or market to, children under 13 years of age. Citi has no actual knowledge that it sells or shares the Personal Information of minors under 16 years of age.
• Wireless service providers, Internet service providers, device manufacturers and/or social media platforms may have their own privacy notices that are different from this one for the information they may access through your use of the Services. We encourage you to read their privacy notices as the collection, uses and disclosure of information by those third parties may be different than Citi.
• Our mobile, social media, or other services, sites, pages or materials may have additional terms about the privacy or use of your information. Please review the privacy notice for the specific Site/Service you are using.

Please also note that when using the Services, you will be requested to agree to provide access to Personal Information (as defined below) and to the collection, storage, transmission, disclosure and use of such Personal Information by automated means, as set out in this Statement. In the context of this document 'you' (or 'your') and 'Participant' mean an individual Citi employee who has signed up for the Services. Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Program Terms and Conditions (Terms).

You may withdraw at any time from the Program (including separately, the Coworker Challenge, as further described below), and may choose not to provide certain Personal Information, or change your device or cookie settings at any time. However, if you choose to do so, certain functionalities in connection with the Services may no longer function.

Read our full notice with details about your rights here.

1. Collection and Use of Personal Information
2. Which Citigroup Entity Controls My Personal Information?
3. Sources of Personal Information
4. Disclosure of Personal Information
5. Your Choices Regarding Your Personal Information
6. Security of Personal Information
7. Other Important Information
8. Contact Us
9. Appendix

1. Collection and Use of Personal Information
   

We collect two types of information: Personal Information and Other Information.

Personal Information is any information:

• that identifies or can be used to identify you or your household;
• that relates to, describes, is capable of being associated with, or could reasonably be linked (directly or indirectly) with you or your household;
• that can be used to authenticate you or provide access to an account;
• that relates to you and that might be sensitive (such as personal medical or health information, account number, account value).

Personal Information includes Protected Health Information (as that is defined by the U.S. Health Insurance Portability and Accountability Act) and Sensitive Personal Information (as that is defined by applicable state laws) and Special Categories of Data (as that is defined by the E.U. General Data Protection Regulation). Please note that Citi does not collect Protected Health Information.

Other Information is information that does not and cannot reveal an individual's specific identity, such as information that has been de-identified or aggregated. This Other Information is described in more detail in the Collection and Use of Information section below.

For at least the past 12 months, we have collected and used the following categories of Personal Information from Participants for the following business purposes (depending on the nature of your interactions with us):
Category of Personal Information	Our Business Purpose(s) for Collecting this Information
Submission Information, including Personal Identifiers like your name, username (SOEID), email, city, state and country, some of which may be loaded by your Citi single sign on or SSO, along with other Submission Information like your preferred charity, target activity, the type and level of physical activity, as well as length (in minutes) of exercise that you may submit when you use the Services. By making any Submission, you accept that Citi may collect, use and disclose certain Personal Information for the purposes of providing the Program and accompanying Services. Without certain information, the Services will not function. Please note that Submissions should not include any personal health information, including but not limited to height, weight, calorie intake or body mass index.	Administering, managing and providing the Services; Processing and facilitating your participation in the Program; Enabling you to share your materials and Submissions with other users, through the Coworker Challenge; Enabling Citi and other users in the Coworker Challenge to share their data with you; Customizing the service to you and other users; monitoring compliance with the Terms and complying with applicable law or regulations and Citi policies; Investigating any complaints; and Protecting our legal rights, privacy, safety, security or legitimate interests including those of its employees and contractors.
Internet or other Electronic Network Activity Information, such as usage data through Citi's mobile apps (e.g. the date and time the app on your device accesses our servers and what information and files have been downloaded to or presented through the app), information collected through cookies, web beacons and other technologies (e.g. operating system name and version, browser type and version), and aggregated information about your visits to, or use of, our Services, as well as across other sites, and various attributes associated with your device (e.g. device manufacturer and model, unique ID assigned to your device, IP address, installed fonts, language preference and browser settings, and time zone in order to create a device fingerprint or identifier so that we can recognize your device). While that information alone may not reveal your specific individual identity, we may associate this usage and Other Information we collect with Personal Information about you.	For security or quality control purposes; Facilitating navigation; Displaying information more effectively; Better tailoring and personalizing our Service to you (both online and offline); Recognizing your device; Assisting your use and experience of the Services; Improving the design and functionality of the Services; Understanding how the Services are used; Assisting us with resolving questions regarding the Services; Operation, maintaining, and protecting our Services; Account maintenance and servicing; Improving, upgrading, or enhancing our products and services; Improving your experience on our Services; Performing research and business analytics; Understanding your interests and preferences; Tailoring and sending you marketing communications for ourselves and for selected third parties; Engaging in fraud monitoring and prevention; Protecting our business and our customers against illegal activity; and Compliance applicable laws and regulations.
Activity Tracker Information, such as information we collect about activity level, exercise description, challenge date, start date, end date, Apple Health/Fitbit/ /Misfit/Strava/Withings/MapMyFitness/Google Fitness/UnderArmor access token (where applicable) the updates to the application you install, and your approximate physical location, only if you choose to sync your activity tracker account data to the Services. Once synched, activity and minutes data can be streamed uni-directionally (pulled) from your activity tracker account for activity submission. Data from your activity tracker only syncs to the Services during the Program. If you wish to remove your activity tracker from the Program, you may do so at any time and you will still be able to manually record activity submissions via the Services. The Program will not 'pull' your activity tracker data past the end date of the Program. All data obtained from activity tracker as well as the data entered manually will be deleted at the end of the Program.	Administering, managing and providing the Services; Processing and facilitating your participation in the Program; Enabling you to share your materials and Submissions with other users, through the Coworker Challenge; Enabling Citi and other users in the Coworker Challenge to share their data with you; Customizing the service to you and other users; monitoring compliance with the Terms and complying with applicable law or regulations and Citi policies; Investigating any complaints; and Protecting our legal rights, privacy, safety, security or legitimate interests including those of its employees and contractors.




In addition to Personal Information you provide directly to us, we may collect Other Information about you, including acquiring and using services provided by other parties who collect and analyze customer data. In some instances, we may combine Other Information with Personal Information where permissible by law and applicable industry guidelines.

We will retain your information for as long as reasonably necessary for the purposes described above.

We do not sell or share your personal information, as described in California law.

We do not use any Sensitive Personal Information for any purpose outside of the purpose for which it was shared with us. Please do not include in your Submissions or elsewhere any Sensitive Personal Information about yourself or any other person (including, for example, any financial information).

If you are a California resident, please see supplemental provisions in the Appendix of this Notice for information about your rights as a consumer under the CCPA.

2. Which Citigroup entity controls my Personal Information?
   

Personal Information provided through the Services is controlled by Citigroup Inc., whose principal place of business is at 388 Greenwich Street, New York, NY 10013 and will processed by Citi and suppliers who operate the Services on behalf of Citi (Ruder Finn).

If you would like additional information regarding the applicable Citi entity or entities, please contact us at Questions@livewellatciti.com.

3. Sources of Personal Information
   

We collect and obtain information from:

You. We collect information directly from you through the Services. For example, we collect information if you contact us or register for the Services.

Service Providers. We work with service providers who collect information on our behalf in order to provide services to us. We only allow our service providers to collect and use your personal information in connection with the services they provide us.

We may collect information from your activity tracker account (only with your permission).

Cookies and Similar Technologies. We may use cookies, web beacons/pixel tags, log files, and other technologies to collect certain information about visitors to our Website, use of our online features, and interactions with our e-mails. For example, through these means, we may collect your browser type and operating system, viewed web pages, links that are clicked, IP address, sites visited before coming to our Website, e-mails we send that you open or forward or click through to our Website. Collecting the foregoing information, and linking it with other information that you may provide, helps us to best tailor our Website to you and enhance your online experience by saving your preferences while you are visiting a particular page, and to help identify Website features and offers that may be of particular interest to you.

Please note that Live Well at Citi's use of cookies is limited to:

• Essential cookies, which allow our services to operate in a secure and reliable manner, and provide basic service functionalities within our sites. These cookies are essential for Live Well at Citi and your device will accept them by default. You can set your device to delete them after each session or at any time thereafter.
• Functional cookies, which provide enhanced personalization, functionality and navigation. These cookies may be set by us or a third party.
• Analytical cookies, which allow us to recognize and count the number of visitors and to see how visitors move around our websites when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. We use third-party service providers, such as Google Analytics, which uses analytical cookies to collect and analyze this type of information about your use of the Sites/Services.

Can You Opt Out? Visit the Your Choices Regarding Your Personal Information section below for more information on how to opt out from tracking technologies.

4. Disclosure of Personal Information
   

During at least the past 12 months, we have disclosed all categories of Personal Information for business or commercial purposes:

• All categories of Personal Information listed above to our affiliates to the extent permissible under applicable law. The Citi entities that may access your Personal Information are Citigroup Inc, Citigroup Technologies Inc., and Citigroup Technologies Limited. Their details can be found on http://www.citigroup.com/citi/about/countrypresence/ .
• All categories of Personal Information listed above to our service providers, who provide services such as sending you communications on our behalf, website hosting, data analysis, information technology and related infrastructure provision, customer service, processing your transactions, e-mail delivery, auditing, and other services.
• All categories of Personal Information listed above may be disclosed to a third party in the event of any proposed reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

We also may use and disclose your Personal Information as we believe to be necessary or appropriate: (a) under applicable law, which may include laws outside your country of residence; (b) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence; (c) to enforce our terms and conditions; and (d) to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.

Where appropriate, we will limit disclosure of your Personal Information in accordance with the choices you have provided us in response to privacy choices that we may make available.

We may provide de-identified and aggregated information to our affiliates and third parties to help deliver products, services, and content that are tailored to the users of our Services and for other business purposes.

We may transfer information to Citi affiliated companies or other parties throughout the world to process transactions and provide you with products and services. Regardless of where we process your information, we still treat it in accordance with this Statement and applicable law.

5. Your Choices Regarding Your Personal Information
   

You have certain rights and choices with regard to your Personal Information.

1. Program Participation

   Personal Information that you include in your Submissions or materials (Submission Data) will be retained in accordance with applicable law for a short period after the Program ends, not to exceed one year, unless applicable law requires otherwise.

   If you no longer wish to participate in the Program, you may contact us at Questions@livewellatciti.com to request that your Submission Data be deemed inactive. Even where your Submission Data is deemed inactive, Citi may retain your Submission Data in accordance with applicable law, the terms of this Privacy Statement, and the Terms regarding the Program.

   If you cease to be an employee during the Program, your profile will be retained in accordance with applicable law but may be altered so that it is clear on the Services that you no longer work for Citi and may not share fitness information with coworkers. The Coworker Challenge is an opt-in functionality, enabling you to share with other users at Citi (who have also consented to sharing) your minutes of exercise. You (and other co-workers) may join and leave the Coworker Challenge at any time. Citi will not access or keep records of your information even if you share it with coworkers.

2. Cookies

   Live Well at Citi's use of cookies is limited to the following types of cookies: essential cookies, functional cookies, and analytical cookies.

   You can choose whether to accept cookies through your browser settings (check the Help file). For example, most browsers allow you to automatically decline cookies or decline or accept a particular cookie (or cookies) from a particular site when browsing. If you decide not to accept cookies, some features of the Service may not work properly because we may not be able to recognize your device and associate you with your Citi account(s).

3. Do Not Track

   Some browsers have a Do Not Track feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do respond to browser do not track signals.

6. Security of Personal Information
   

The security of your Personal Information is a priority. We seek to protect this information by implementing and maintaining reasonable physical, electronic, and procedural security measures and safeguards designed to protect Personal Information within our organization. We provide employee training in the proper handling of Personal Information. Unfortunately, no data transmission over the Internet or wireless network or data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately contact us in accordance with the Contact Us section below.

You are responsible for maintaining the security of your password, and other registration or participation enrollment information, as applicable, and for controlling access to your phone (especially where another person's fingerprints are also registered on your device) and email communications at all times.

7. Other Important Information
   

1. Notice of Changes

   We may change this Privacy Statement from time to time. Please take a look at the Last Updated legend at the beginning of this Privacy Statement to see when this Privacy Statement was last revised. When we do, we will post the revised Privacy Statement on this page with a new effective date. Any changes will become effective when we post the revised Privacy Statement on the Site. Your use of the Services following these changes means that you accept the revised Privacy Statement.

   If your country requires you to reaccept any changes to this Statement in order for such changes to be enforceable, we will facilitate such approval. Otherwise, your continued use of the Services will indicate your agreement to the new Statement.

2. Third Party Sites and Services

   This Privacy Statement does not address, and we are not responsible for, the privacy, security, or other practices of any third parties, including any third party operating any site or service to which the Site links. The inclusion of a link on the Site does not imply endorsement of the linked site or service by us or by our affiliates.

   In addition, we are not responsible for the information collection, usage, disclosure, or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, or any other third-party app provider, social media platform provider, operating system provider, device manufacturer, or wireless service provider, including with respect to any Personal Information you disclose to other organizations through or in connection with the Services.

3. Jurisdictional Issues

   Citi manages and transfers your Personal Information securely, via the Services to its data and processing centers located around the globe. Such transfers are made in accordance with this Statement, the Terms and your own settings. Some data centers and processing locations may be in countries that have less stringent data protection laws and regulations than those in the country where you reside. Personal Information collected through the Services is hosted in the United States on behalf of Citi in third party servers accessed and used by its Citi Fitness supplier, Ruder Finn. By using the Services you consent to the export of personal data for the purposes of contract performance under the Program in accordance with applicable law.

8. Contact Us
   

If you have questions concerning this Statement, you may submit them to Questions@livewellatciti.com. Please do not send emails to this address for any other purposes.

APPENDIX — Jurisdiction Specific Provisions

1. Supplemental provisions for European Union, European Economic Area, Switzerland and Jersey residents.

Participation in the Coworker Challenge is subject to your opt-in, in compliance with the EU Privacy and Electronic Communications Directive 2002/58/EC (as amended), and the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable legislation.

We rely on the following legal bases as applicable in your jurisdiction: (i) contract necessity (to enter into, and for the performance of a contract); (ii) for legitimate purposes of the Citigroup entity controlling your Personal Information (as indicated below) such as managing and administering the application and our networks (including resolving any errors or complaints), to communicate with you in relation to the Program, and to prevent, investigate and respond to security incidents and cyber investigations; and (iii) to comply with our obligations under applicable law.

Under the GDPR or equivalent laws outside the EU you have data subject rights, including the right to access and correct personal data we have about you, and in some circumstances to require us to delete your personal data or to object to or require us to restrict the processing of your data, for data that is processed by or on behalf of any Citi branch or affiliate in the EU/EEA, Switzerland or Jersey. You may exercise these rights by sending a written request to the contact address indicated below. You may be asked to supply valid means of identification to assist us in preventing unauthorized disclosure of your personal data. We will process your request free of charge and respond within the time provided by applicable law.

Data Protection Officer (Chief Data Privacy Officer - EMEA)

EU/EEA	UK
EU/EEA Data Protection Officer Citi 1 North Wall Quay Dublin D01 T8Y1 Ireland Email: dataprotectionofficer@citi.com	UK Data Protection Officer Citi Citigroup Centre 25 Canada Square London E14 5LB United Kingdom Email: dataprotectionofficer@citi.com



2. Supplemental provisions applicable to California residents


1. Requests. California residents have certain rights with respect to Personal Information under the California Consumer Privacy Act (CCPA). For purposes of this subsection, the terms consumer, categories of personal information, business purpose, third party, sell, and share have the meanings ascribed to them respectively in the CCPA. Terms defined under the CCPA may differ in meaning from the common usage of the same terms used elsewhere in this Privacy Statement.

1. You have the right to request, up to two times every 12 months, that Citi disclose to you the following: (i) the categories of Personal Information that Citi has collected about you; (ii) the categories of sources from which Citi has collected Personal Information about you; (iii) the business or commercial purpose for collecting , selling, or sharing your Personal Information; (iv) the categories of Third Parties to whom the Personal Information was disclosed and (v) the specific pieces of Personal Information that Citi has collected about you. Please note that Personal Information we have collected in connection with your personal account with us is not subject to the requirements of CCPA because it is already protected under existing federal and California state privacy laws, including the Graham Leach Bliley Act.

2. You have the right to request a portable copy of your Personal Information.

   In response to verified requests pursuant to #1 or #2 above, we will confirm receipt of the request within 10 business days of receipt of the request, and disclose and deliver the required information to you free of charge within 45 days of receiving a verifiable consumer request. We may extend this time period to deliver information once by an additional 45 days when reasonably necessary. We will provide notice of the extension within the first 45-day period.

3. You have the right to request that Citi delete Personal Information collected from you, subject to certain exceptions allowed under applicable law.

   In response to verified requests pursuant to #3 above, we will confirm receipt of the request within 10 business days of receipt of the request. Following verification of your request, we may require you to separately confirm that you want your Personal Information to be deleted. We will delete the information within 45 days of receiving a verifiable consumer request (subject to certain exceptions). We may extend this time period once by an additional 45 days when reasonably necessary. We will provide notice of the extension within the first 45-day period.

4. You have the right to request that Citi correct inaccurate Personal Information collected from you, subject to certain exceptions allowed under applicable law. We will accept, review, and consider any documentation that you provide in connection with your right to correct, provided you make a good-faith effort to provide Citi with all relevant information available at the time of the request.

   In response to verified requests pursuant to #4 above, we will confirm receipt of the request within 10 business days of receipt of the request. Following verification of your request, we may require you to provide documentation if necessary to rebut our own documentation that the Personal Information is accurate. If, we determine, based on the totality of the circumstances, that the information is not accurate, we will respond to the request by correcting the information or deleting the information (if deletion of the information does not negatively impact you). We will correct within 45 days of receiving a verifiable consumer request. We may extend this time period once by an additional 45 days when reasonably necessary. We will provide notice of the extension within the first 45-day period.

5. You have the right to opt out of the sale of your Personal Information to, or the sharing of it with, Third Parties. CCPA defines sale very broadly, covering both monetary and other consideration. The same is true of the CCPA's definition of share, except that sharing under the CCPA relates only to the targeting of advertising based on Personal Information from an individual's interaction with other websites and services. We do not sell or share your Personal Information, as described in California law.

6. You have the right to limit the use of your Sensitive Personal Information to those uses that are necessary to perform the services or provide the goods reasonably expected by an average consumer and to certain other permitted business purposes. These business purposes include helping to perform services or provide goods reasonably expected by consumers who have requested such services or goods, ensure security and integrity (to the extent the use of the information is reasonably necessary and proportionate for these purposes), ensure physical safety of natural persons (to the extent the use of the information is reasonably necessary and proportionate for these purposes), short-term, transient use (subject to certain conditions), performing certain services, and engaging in certain activities related to quality or safety of our services or products. We do not use any Sensitive Personal Information for any purpose outside of the purpose for which it was shared with us.

7. Citi will not discriminate against you because you elect to exercise these rights, including by:

   • Denying goods or services to you.
   • Charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
   • Providing a different level or quality of goods or services to you.

   • Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

     None of the foregoing, however, prohibits Citi from charging you a different price or rate, or from providing a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to Citi by your data.

2. Submission of Requests. You may exercise these rights by managing this information through Citi's Privacy Hub at online.citi.com/dataprivacyhub or by calling us at (833) 981 0270 (TTY: 711). If you wish to submit a request to have your Personal Information deleted or corrected (see sections II.A.3 and II.A.4 in this Appendix), or to opt-out of the selling or sharing of your Personal Information, call us at (833) 981 0270 (TTY: 711). If you wish to submit any type of CCPA request through an authorized agent, please follow the process in Section II.C. below.

3. CCPA Authorized Agent. CCPA permits consumers to designate authorized agents to submit requests on their behalf. Under CCPA, an authorized agent is a natural person or a business entity in California that a consumer has authorized to act on their behalf subject to the requirements. If you would like to designate an authorized agent to submit a request to know, a request to delete, or a request to correct Personal Information on your behalf, please call us at (833) 981 0270 (TTY: 711).

   You or your authorized agent may provide us with a written power of attorney, executed by you, confirming the authority of the authorized agent with respect to your CCPA request(s).

   If we have not received a power of attorney, we may require your authorized agent to provide proof that you gave the agent signed permission to submit your CCPA request(s).

   In addition, we may also require you to do the following directly with us:

   1. Verify your own identity with us;
   2. Confirm you have provided the authorized agent permission to submit the CCPA request(s).

   Once verified (see Section II.D. below), your authorized agent may create a unique account for you through Citi's Privacy Hub at online.citi.com/dataprivacyhub and manage your requests through that account.

4. Verification. Whether you submit a request directly on your own behalf, or through an authorized agent, we will take reasonable steps to verify your identity prior to responding to your requests under CCPA. Upon receiving a request pursuant to II.A.2, II.A.3 or II.A.4 above, we will confirm receipt within 10 days and provide you with information about how we will verify and process the request. In order to verify your request, we will require you to provide your social security number, tax ID number or passport number and issuing country, in addition to your first and last name, e-mail address and mailing address.