Privacy Policy - Empower Account

Welcome to the Empower website.

Empower takes data privacy very seriously and is committed to protecting and respecting the privacy, security, and integrity of your personal information. This policy sets out key information regarding Empower and how your personal information will be collected, used, and protected.

Please note that certain portions of this policy may, or may not, be applicable to you based on the services and products in which you are enrolled and applicable laws. This policy is supplemented by specific notices, set out in links within this policy, that provide additional information pertaining to your relationship with Empower or addressing the requirements of the jurisdiction in which you live. In this policy, the terms “Empower,” “we”, “us” and “our” refer to each and all of the Empower family of companies listed at the end of this policy.

In this privacy policy, we will cover:

What data we collect

Empower collects your “personal information” or “personal data” (ie: information that when used alone or with other relevant data may be capable of personally identifying you, or as defined by applicable law). Data that does not identify a natural person (such as data that is aggregated and anonymized) is not “personal information” and is not subject to this Privacy Policy. The information that we collect, and how we use it, depends on your relationship with us and may change as your relationship evolves with us. This Privacy Policy is organized based on those different types of relationships as described below.

Visitors: individuals who visit our public website without logging into an account or using our services.
Users: individuals who establish an account with us or otherwise use our service offerings, including our financial dashboard software. Together with our Terms of Use, this Privacy Policy governs the use of the Empower Personal Dashboard.
Participants: individuals who are enrolled in an employee stock purchase plan (“ESPS participants”); a consumer-directed healthcare plan (“CDH participants”); or retirement plan. Note that in this capacity, Empower is acting as a service provider to provide plan retirement services to your current or former employer (“plan sponsor”). In this context. We collect and process personal data pursuant to the instructions provided by the Plan Sponsor.
Retail customers: individuals who are enrolled directly with Empower for financial services. These products and services include but are not limited to: IRA products, Empower brokerage, managed portfolios, Empower Personal Cash™, and advisory services. Please note that data held by Empower for these “retail” products and services are subject to the data-protection requirements of Gramm-Leach-Bliley and, as such, may be exempt from some data privacy laws.
Insurance customers: Individuals who have engaged in or purchased insurance products from Empower.
Advisory clients: Individuals who open an Empower Personal Strategy^® account and become advisory clients of Empower Advisory Group, LLC or become clients of our Wealth Management and Empower Advisory Services and establish an Empower-managed investment account.
California employees, Job applicants, and independent contractors: For information on how we collect, process, and protect your personal information as well as privacy rights applicable to you, please refer to our Privacy Notice for California Employees, Job Applicants, and Independent Contractors.

You may fall into more than one category concurrently, depending on your relationship with us. For example, if you are a Personal Cash customer you may also be a Visitor before logging into your dashboard, wherein you will also be a User. After your relationship with us ends, the terms of this policy shall continue to be applicable to your data for as long as we retain your data.

The table below describes the personal information we have collected and shared in the preceding 12 months and may continue to collect and share.

Identifiers

This may include your real name, alias, postal address, unique personal identifier, online identifier, internet protocol
(IP) address, email address, account name, Social Security number, driver’s license number, passport number, or other
similar identifiers.

To whom this applies

This applies to visitors, users, participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We do not sell this category of personal information or share it with unaffiliated third parties for the purpose of targeted
advertising; we may, however, disclose this information to third parties for a business purpose as described below.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• From activity in your account (for example, data from the administration of your investments, balances, trades, and elections). If you enroll in account aggregation services, we may also collect information from the accounts that you linked as approved by you.• From our service providers and other third parties• From your plan sponsor (your employer or former employer)• From our suppliers, consumer and insurance reporting companies, data providers, and other third parties as permitted by law• From other sources to complete transactions initiated by you or your representative (for example, to transfer balances from another retirement account into a new retirement account)• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiaries We may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

Financial information*

This may include contact and financial information such as your name, signature, Social Security number, address, telephone number, bank account number, or other financial information.

To whom this applies

We may collect this information from participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We do not sell this category of personal information or share it with unaffiliated third parties for the purpose of targeted advertising; we may, however, disclose this information to third parties for a business purpose as described below.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• From activity in your account (for example, data from the administration of your investments, balances, trades, and elections). If you enroll in account aggregation services, we may also collect information from the accounts that you linked as approved by you.• From our service providers and other third parties• From your plan sponsor (your employer or former employer)• From our suppliers, consumer and insurance reporting companies, data providers, and other third parties as permitted by law• From other sources to complete transactions initiated by you or your representative (for example, to transfer balances from another retirement account into a new retirement account)• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

* This includes categories listed in the California Records Statute [Cal. Civ. Code § 1798.80(e)].

Characteristics of protected classifications under state or federal law

This may include, for example, your age, marital status, gender, race, and medical conditions.

To whom this applies

We may collect this information from visitors, users, participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• From activity in your account (for example, data from the administration of your investments, balances, trades, and elections). If you enroll in account aggregation services, we may also collect information from the accounts that you linked as approved by you.• From our service providers and other third parties• From your plan sponsor (your employer or former employer)• From our suppliers, consumer and insurance reporting companies, data providers, and other third parties as permitted by law• From other sources to complete transactions initiated by you or your representative (for example, to transfer balances from another retirement account into a new retirement account)• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

Biometric information

We collect voice recordings and voiceprint data.

To whom this applies

This applies to participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you when you call our service center	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

Internet or other similar network activity

This includes, but is not limited to, browsing history, search history, and information regarding a consumer’s interaction
with an internet website, application, or advertisement. For example, we collect your IP address and cookies from your
browser to recognize you and deliver a consistent experience when you visit our site and to measure the effectiveness of
our marketing. We also collect information about how you interact with our website as well as your preferences when you
elect to receive or opt out of cookies, communications involving email, texting, or telephone calls; these preferences apply
to Empower communications with you and are not shared with nor transferable to third parties.

To whom this applies

We may collect this information from visitors, users, retirement plan participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

While we do not share your personal information with third parties for monetary gain, some data privacy laws have a broader
definition of “sale” and “share” that may be applicable to the use of certain third-party cookies, tags, pixels, or web beacons
(collectively, “cookies”) on our websites or mobile applications. In this context, Empower and our advertising partners use cookies
and the advertising identifier associated with your mobile or internet-connected device.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From our service providers and other third parties• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

Geolocation data

We collect your IP address from you when you visit our websites.

To whom this applies

This applies to visitors, users, retirement plan participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• From activity in your account (for example, data from the administration of your investments, balances, trades, and elections). If you enroll in account aggregation services, we may also collect information from the accounts that you linked as approved by you.• From our service providers and other third parties• From your plan sponsor (your employer or former employer)• From our suppliers, consumer and insurance reporting companies, data providers, and other third parties as permitted by law• From other sources to complete transactions initiated by you or your representative (for example, to transfer balances from another retirement account into a new retirement account)• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

Audio, electronic, visual, thermal, olfactory, or similar information

We collect voice recordings, voiceprint data, and pictures to verify your identity.

To whom this applies

This applies to retirement plan participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• From activity in your account (for example, data from the administration of your investments, balances, trades, and elections). If you enroll in account aggregation services, we may also collect information from the accounts that you linked as approved by you.• From our service providers and other third parties• From your plan sponsor (your employer or former employer)• From our suppliers, consumer and insurance reporting companies, data providers, and other third parties as permitted by law• From other sources to complete transactions initiated by you or your representative (for example, to transfer balances from another retirement account into a new retirement account)• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

Professional or employment-related information

This may include information such as your job title, date of hire, employer name, and industry.

To whom this applies

This applies to retirement plan participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• From activity in your account (for example, data from the administration of your investments, balances, trades, and elections). If you enroll in account aggregation services, we may also collect information from the accounts that you linked as approved by you.• From our service providers and other third parties• From your plan sponsor (your employer or former employer)• From our suppliers, consumer and insurance reporting companies, data providers, and other third parties as permitted by law• From other sources to complete transactions initiated by you or your representative (for example, to transfer balances from another retirement account into a new retirement account)• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

Inferences drawn from personal information

This includes inferences about your preferences, characteristics, psychological trends, predispositions, behavior, attitudes,
intelligence, abilities, and aptitudes to create a profile about you.

To whom this applies

This applies to visitors, users, retirement plan participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• From activity in your account (for example, data from the administration of your investments, balances, trades, and elections). If you enroll in account aggregation services, we may also collect information from the accounts that you linked as approved by you.• From our service providers and other third parties• From your plan sponsor (your employer or former employer)• From our suppliers, consumer and insurance reporting companies, data providers, and other third parties as permitted by law• From other sources to complete transactions initiated by you or your representative (for example, to transfer balances from another retirement account into a new retirement account)• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

Sensitive personal information

Certain information may be considered sensitive personal information depending on your state of residence. We may
collect the following sensitive personal information: government identifiers, certain financial account information, status as
a victim of a crime (in order to process certain hardship distributions for retirement plan participants), demographic information
that may be considered sensitive, your citizenship status (in order to verify eligibility as an Empower Personal Cash
customer), and biometric data. If you are a CDH participant, we will also collect your health information to provide our services
to you. We limit our collection, use, and disclosure of this category of personal information to that which is necessary
to provide our services to you or for another permitted business purpose under applicable data privacy laws, such as
detecting security incidents. We do not use this information to infer characteristics about you.

To whom this applies

This applies to retirement plan participants, retail customers, insurance customers, and advisory clients.

Retention

We retain this information until all applicable legal and business obligations are fulfilled.

We collect this information from the following sources:	Categories of third parties with whom we disclose this category of personal information:	Business purpose for collecting and disclosing this information:
• From you or your representative when you communicate with us through web, email, phone, or other correspondence; complete applications and forms for various products or services; or provide other information on our websites• From your device when you browse our websites or mobile applications and from tracking technologies in emails that we or our suppliers send to you• From activity in your account (for example, data from the administration of your investments, balances, trades, and elections). If you enroll in account aggregation services, we may also collect information from the accounts that you linked as approved by you.• From our service providers and other third parties• From your plan sponsor (your employer or former employer)• From our suppliers, consumer and insurance reporting companies, data providers, and other third parties as permitted by law• From other sources to complete transactions initiated by you or your representative (for example, to transfer balances from another retirement account into a new retirement account)• We may have also obtained this information from our affiliates or if it was held by a business that we acquired.	• Plan sponsors or their agents• Our service providers• Our banking provider (if you are an Empower Personal Cash customer)• Our custodial brokerage providers (if you are an advisory client)• Third-party identity-verification providers and fraud-analysis providers• Persons acting as a fiduciary or representative capacity on your behalf• Our affiliates and subsidiariesWe may also disclose this information in connection with a proposed or actual sale, merger, transfer, or exchange of all or part of our business.For more information on these types of recipients, please see How We Share Data	• To provide our services and products to you or the plan sponsor of your retirement plan.• To detect security incidents and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.• To comply with federal, state, or local laws, rules, and other applicable legal requirements.• To comply with a properly authorized civil, criminal, or regulatory investigation or subpoena.• For institutional risk control, or for resolving customer disputes or inquiries.• To protect the confidentiality or security of our records pertaining to you, the service or product, or a specific transaction.• To undertake internal research for technological development and demonstration.• To verify, maintain, or improve the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business.• For purposes otherwise permitted or required by law.

We do not collect nonpublic personal education information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

How we use data

Empower uses your personal information to respond to your requests and inquiries and to provide you with services and products you receive from us. In the event you are enrolled in a retirement plan that is administered by Empower pursuant to a services agreement with the plan sponsor of your retirement plan (your employer or former employer), Empower will process your data to perform its services to the plan sponsor. If you contract directly with Empower or its affiliates for other services offered by Empower to individual customers, such as advisory services, financial products or financial wellness services, Empower will use your data to process transactions and perform its obligations in connection with such services. Empower will also use your data as permitted by law to make you aware of other financial products or services that may be of interest to you. Empower may use your data on an anonymized basis to conduct and publish aggregated research about the retirement or investment industries.

Empower will use your data for other purposes as permitted by law, including to protect your interests and ours in the detection, prevention and mitigation of fraud, to meet the requirements of applicable laws and regulations, to comply with requests of regulators with jurisdiction over our services, and for product development and delivery.

How we share data

We limit the information we share and the parties we share it with. What we share depends on the types of products or services you have procured and applicable law.

Further, personal information may be shared as necessary to effect, administer, or enforce a transaction you request or authorize, with your consent, at your direction, or as allowed by applicable law. Your health information will not be shared except as required or permitted by law. The chart below describes the categories of third parties with whom we share your data.

Sharing Category	What do we share and why?
Plan Sponsors	If you are enrolled in a retirement plan offered by a plan sponsor (your employer or former employer), your personal information may be shared with the plan sponsor and with that plan sponsor’s third-party administrators, advisors, service providers, and other third parties as authorized or directed by the plan sponsor.
Our service providers	Like most businesses, we use third-party service providers to deliver some of the services mentioned in this Privacy Policy. In doing so, we provide some of your data (including your personal information) to those third-party service providers, on a need-to-know basis. Our contracts with those service providers require them to safeguard your information and prohibit them from using your data for any purpose other than to provide services to us or to improve their services.
Empower Personal Cash account service provider	If you are an Empower Personal Cash customer, you will own a program account provided through the bank provider. The bank provider for our Empower Personal Cash customer program accounts is UMB Bank, National Association (“UMB”), and we will share detailed account information with UMB. Our contract with UMB requires them to treat your information as confidential information. UMB’s Privacy Policy is available here
Identity verification and fraud analysis providers	We will share some of your personal information and detailed account information with third-party identity verification providers and fraud-analysis providers for the sole purpose of verifying your identity and preventing fraudulent transactions. These providers are required under contract with us to safeguard your information and not provide it to any third parties except as required to provide the services or as otherwise required by law, regulation, or court order.
Your brokerage account(s)	If you are an Advisory Client of Empower, you will have a custodial brokerage account that will hold your personal portfolio. Our custodial brokerage provider for our Advisory Clients’ accounts is Pershing, and we will share detailed advisory account information with them. You will have direct visibility, access, and interaction with Pershing while you are an Empower Advisory Client. Pershing’s Privacy Policy is available here
Affiliate sharing	Certain personal information may be shared among our affiliates as permitted by law to provide our services to you, to make it easier to do business with us, and for their everyday business purposes. We do not share your personal information with affiliates for their marketing purposes. From time to time, we may make you aware of products and services that are available from our affiliates. Our affiliates are listed below in this policy and include, but are not limited to, our broker-dealer, our advisory service provider, and our trust company.
Nonaffiliated third parties	Your personal information may be shared with nonaffiliated third parties to provide services on our behalf. These third parties agree to maintain the confidentiality of the personal information and use it solely to provide their services to us.
Security, legal, and regulatory sharing	We also reserve the right to disclose information about you that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability; (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity; (iii) investigate and defend ourselves against any third-party claims or allegations; (iv) protect the security or integrity of the services we provide and any facilities or equipment used to make those services available; (v) comply with any law or regulatory requirement, including pursuant to a subpoena, court order, or other legal process; or (vi) protect our property or other legal rights (including, but not limited to, enforcement of our agreements) or the rights, property, or safety of others.

Deidentified or pseudonymous data

We maintain and use deidentified data in such a way that any information can no longer be linked to you or any device associated with you. After data has been deidentified, i) we maintain and use such deidentified data without attempting to reidentify the data or re-associate it with specific individuals; ii) we take reasonable measures to ensure that the information cannot be reassociated with you or your household; and iii) we have implemented technical and organizational safeguards as well as business processes designed to prohibit the reidentification of your information. Such data is used for research and benchmarking purposes. We contractually obligate all recipients of the deidentified data to comply with applicable laws pertaining to deidentification and we monitor compliance with any contractual commitments.

Children

Empower does not knowingly collect personal information from children under the age of 16 without seeking prior parental consent (if required by applicable law). We only use or disclose personal information about a child to the extent permitted by law, to seek parental consent pursuant to local law and regulations or to protect a child. The definitions of “child” or “children” may be slightly different as set forth in various applicable laws.

Security

We use physical administrative, and technical safeguards designed to protect the confidentiality, integrity and availability of your personal information. Any third-party service providers with whom we share your personal information agree to maintain the confidentiality and security of the personal information and use it solely to provide their services to us. In addition, Empower provides the Empower Security Guarantee to its customers and participants as described here.

Website and mobile application use

When you access our websites or mobile applications, we or our third-party suppliers use a variety of technologies, such as tags and web beacons, that automatically collect data (such as: without limitation, your device type, browser type, internet protocol address, operating system used, number of visits, average time spent on the site and pages viewed). This data is used to operate the websites more efficiently, maintain the security of your online session, improve our websites’ design and navigation, and perform online advertising (where permitted by law). If you have created an account with us, we may combine the data collected through the tracking systems described herein with other information we know about you, as permitted by law. We use this information internally to provide you with a better user experience and to offer you products and services that may be of interest to you.

Some of our websites include links or navigation to third-party sites. These third-party sites may include informational sites, sites providing financial wellness tools and services, or services offered to you solely by a third party, as further described in the disclosures provided on such sites.

Cookies and web beacons

A cookie is a piece of information that is stored on your computer, tablet, phone or other device by your web browser. Web beacons (also known as clear gifs, web bugs or pixels) are small graphics with a unique identifier and are embedded invisibly on web pages. Empower and third- party service providers we hire may use such cookies and web beacons (collectively referred to below as “cookies”) to track the online movements of users of our websites and mobile applications, and to collect other data such as IP address, type of device used, and browser information. Empower and its third-party service providers use such data to customize your experience on our website and personalize our communications with you. With respect to emails that are sent to you, we or our service providers also use cookies and web beacons to determine when you receive and open our emails, whether you click any links in the email, and other information about the device from which you access the email, as permitted by law.

If you do not want to have cookies on your computer or device, you can use the link at the bottom of the webpage that is titled “Do not sell or share my personal information” to access a cookie manager in which you may refuse or deny certain types of cookies. Additionally, you can use the settings or tools offered on your browser to delete cookies that have already been stored. If you refuse or delete cookies, you may notice an impact on your use of Empower’s (and its affiliates’) websites; for example, you may not be able to sign in and access your account without additional authentication, or we may not be able to recognize you, your device, or your online preferences.

Do not track and global privacy control

Some web browsers have the ability to activate a “do not track” signal. At this time, Empower does not respond to “do not track” signals; however, you may exercise your right to opt out of the sale and sharing of your personal information through the use of the Global Privacy Control (“GPC”) signal which allows you to communicate your privacy preference without having to make individualized opt out requests. To learn more about the GPC and how you can use it to opt out of the sale or sharing of your personal information, you can visit their website here. If you’ve enabled the GPC signal in your browser, we will honor your opt out request as communicated via the GPC signal. Please note that these opt outs are specific to the device or browser you’re using so you’ll need to opt out again when you use a different device or browser, change your browser settings, or clear your cookies.

Analytics

We use a tool called “Google Analytics” to help us understand how you interact with our website and mobile applications, to market our products and services to you, and to improve the user experience, , or regarding your receipt and access to information in emails we send to you. Google Analytics collects information such as how often users visit our websites, what pages they visit when they do so, and what other sites they used to navigate to this site. For more information about how Google uses data, see the site “How Google uses information from sites or apps that use our services,” here.

Interest-based advertising and communications

Empower advertises its products and services on its websites and mobile applications and on websites not affiliated with Empower, and we contract with third-party advertisers to place ;those advertisements. Empower and its suppliers may also send you advertising and communications that are tailored to you or that provide you with products or services that may be of interest to you, based on information that we or that such third-party service providers have collected about you. Such advertising may include advertising on websites not affiliated with Empower, such as social media. Our third-party advertising providers might use information collected from cookies or beacons about your use of our websites to provide interest-based advertisements based on your online activity as permitted by applicable law. If you would like information about how to opt-out of such interest- based advertising, you may find more information through the Network Advertising Initiative here.

Additional privacy rights under applicable state laws

Under the Health Insurance Portability and Accountability Act (HIPAA), and state data privacy laws, you may have additional privacy rights as described below. As of the date of this privacy notice, this includes residents of California, Connecticut, Minnesota, New Hampshire, Oregon, Texas, and Virginia (“you” or “your”). If you are an ESPS participant, CDH participant, or retirement plan participant, you will need to contact the plan sponsor (current or former employer) to submit a request.

Right to access: Subject to exemptions under applicable law, you have the right to request that we disclose certain information to you about our collection, use, and disclosure of your personal data.

Specifically, you have the right to request the following:

The categories of personal information we collected about you;
The categories of sources from which the personal information was collected;
The business or commercial purpose for which we collected or sold the personal information;
The categories of third parties with whom we share personal information;
The categories of personal information that we sold, and for each category identified, the categories of third parties to whom we sold the particular category of personal information;
The categories of personal information that we disclosed for a business purpose, and for each category identified, the categories of third parties to whom we disclosed that particular category of personal information; and
The specific pieces of personal information we have collected about you.

Right to obtain a list of third parties: If you live in Minnesota or Oregon, you have the right to request a list of third parties to whom we have disclosed your data. Upon receipt of your request, we will provide you with a list of specific third parties to whom we have disclosed your personal data or a list of third parties to whom we have disclosed any consumers personal data.

Right to correct: You have the right to request correction of your personal data that is inaccurate. Once we receive your verifiable request, we will use commercially reasonable efforts to correct the inaccurate personal data as described in your request. You may be required to provide additional documentation if necessary to determine the accuracy of your personal data.

Right to delete: You have the right to request that we delete any of your personal data that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will deidentify or delete (and direct our service providers to delete) your personal data from our records, unless an exception applies.

Right to limit use and disclosure of sensitive personal information: If you are a California resident you also have the right to limit the collection and processing of your sensitive personal information. We limit the collection, use, and disclosure of your sensitive personal information to that which is necessary to provide our services to you or for another permitted purpose under applicable law (such as detecting security incidents) and we do not use this information to infer characteristics about you. Our service providers are contractually obligated to limit their use and disclosure of your sensitive personal information to that which is necessary for the business purpose set forth in our contract with them. Since we already limit the collection and use of your sensitive personal information, an opt out is not necessary.

Right to opt out: You have the right to opt out of the sale of your personal data as well as the processing of your personal data for the purposes of targeted advertising and certain instances of profiling. If you reside in a state that requires an opt out for targeted advertising (as such term may be defined under applicable law), we will not engage in such activities, and will not engage in “profiling” in any way that would require an opt out.

If you wish to opt out of the sale or sharing of your personal data pertaining to Empower’s use of third-party cookies as described here, you may do so by clicking on the do not sell or share my personal information link at the bottom of this webpage, or if you are using a mobile app, by opting out in the Privacy Preference Center under the “Settings” section of your Profile. In the future if you change browsers, devices, or clear your cookies, you will need to opt out again as described above. You may also opt out of the sale and sharing of your personal information through the Global Privacy Control as described above.

Please note that Empower will continue to share your data with service providers as permitted by law and described in this Privacy Policy.

EXERCISING YOUR RIGHTS

If you have an Empower dashboard account, you can access a report of your personal data or correct any inaccuracies in your personal data through your dashboard account. You can do this by logging into your account and going to the privacy section under Settings or you can contact support@personalwealth.empower.com; additionally, if you are an Advisory Client, you can also contact your financial advisor.

For all other requests or if you do not have an Empower dashboard account, you may fill out a Privacy Request Form and email it to privacymatters@empower.com or call our toll-free number at 855-756-4738. You will need to provide your full name, phone number, email, and address so we can authenticate your request and locate your information. In certain circumstances, if we believe it is necessary to authenticate your request and protect the security of your information, we may require additional information.

When making a request, in order to maintain the security of your personal information and verify your identity, we may require you to call our service center or log in to your account to answer a few identity-related questions, including providing additional information about yourself. We may deny your request in the event there is an exemption under applicable law that pertains to your request or if we are not able to verify your identity.

DESIGNATING AN AUTHORIZED AGENT

You may use an authorized agent to submit a request on your behalf. To do so, the authorized agent should provide a copy of your signed authorization to privacymatters@empower.com. You will also be required to verify your identity directly with us or confirm that you provided the authorized agent with permission to submit a request on your behalf.

RESPONDING TO REQUESTS AND YOUR APPEAL RIGHTS

Upon receiving your request, we will confirm receipt of your request as required by applicable law. Such confirmation will include our verification process and when you should expect a response. We will respond to a verifiable consumer request as required by law. If we require more time (if permitted by applicable law), we will inform you of the reason and extension period in writing.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

If we decline to take action on your verifiable request, we will provide you with a notice that includes our reason for not taking action and instructions for submitting an appeal. Should you wish to submit an appeal, you will have 60 days from the date of the notice to do so. You may submit your appeal by emailing us at privacymatters@empower.com.

NONDISCRIMINATION

We will not discriminate or retaliate against you for exercising any of your rights under applicable consumer privacy laws. To the extent prohibited by applicable law, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services, or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by applicable law that can result in different prices, rates or quality levels. Any legally permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior consent, which you may revoke at any time.

International data transfers

EU-U.S. Data Privacy Framework (EU-U.S. DPF) and UK Extension

This section only applies to you if you are an ESPS participant and reside in the United Kingdom, a member state of the European Union, or the European Economic Area.

“Data Protection Legislation” means, as applicable to a party and its Processing of Personal Data: (i) CCPA and any state or national data protection laws made under the CCPA, and (ii) EU Data Privacy Framework, including the UK Extension to the EU-U.S. DPF;

“EU/UK Data Privacy Framework” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the
protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data
(General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3
of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive
2002/58/EC); and (iv) all applicable national data protection laws made under, pursuant to or that apply in conjunction with
any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
22

“Personal Data” means any information that (i) is protected as “personal data,” “personal information,” or “personally
identifiable information” under Data Protection Legislation.

Empower Stock Plan Services (“ESPS) complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF) and the
UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. ESPS is responsible for the processing
of personal data it receives, under these data protection legislation frameworks, and subsequently transfers to a third
party acting as an agent on its behalf. In addition to compliance with current Data Protection Legislation, ESPS complies
with the EU-U.S. DPF Principles for all onward transfers of personal data from the EU, and to the UK Extension to the
EU-U.S. DPF Principles with regards to onward transfers of personal data from the UK, including the onward transfer
liability provisions.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, ESPS commits to cooperate and comply
respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK
Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human
resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the
employment relationship.

Onward Transfers

ESPS may provide Personal Data to third parties performing services on ESPS’s behalf for the benefit of such individuals
whose Personal Data is being disclosed (agent third parties) provided that such third parties have agreed in writing with ESPS that they will provide at least the same level of privacy protection as is required by the Principles. Such agent third
parties may include the following:

• Web hosting service providers that host Empower Stock Plan Services software and servers,
• Financial brokers where the client entity or individual has a brokerage account and authorized Empower Stock Plan
Services to share data for equity transaction execution,
• Client entity transfer agent/ share registrars providing share settlement and delivery services,
• Client entity payroll/ HR system providers,
• Client entity accounting system or service providers,
• Data exchange service providers where the client entity has requested system integration and a data exchange service provider is used to format, configure, or exchange the data as requested.

Other than as permitted in the prior paragraph, prior to disclosing Personal Data for any other purpose, ESPS shall
notify the individual or company administrator employee of such disclosure and allow the individual the choice (opt out)
of such disclosure. ESPS shall ensure that any third party for which Personal Data may be disclosed subscribes to the
Data Protection Legislation or are subject to law providing the same level of privacy protection as is required by the Data
Protection Legislation and agree in writing to provide an adequate level of privacy protection.

With respect to our agents, we will transfer only the Personal Data covered by this Privacy Policy needed for an agent
to deliver to ESPS the requested product or service. Furthermore, we will (i) permit the agent to process such Personal
Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection
as is required by the Data Protection Legislation; (iii) take reasonable and appropriate steps to ensure that the agent
effectively processes the Personal Data transferred in a manner consistent with ESPS’s obligations under the Data Privacy
Legislation; and (iv) require the agent to notify ESPS if it makes a determination that it can no longer meet its obligation
to provide the same level of protection as is required by the Data Privacy Legislation. Upon receiving notice from an
agent that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy
Legislation, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.

ESPS remains liable under the Data Privacy Legislation if an agent processes Personal Data covered by this Privacy Policy
in a manner inconsistent with the Data Privacy Legislation, except where ESPS is not responsible for the event giving rise
to the damage.

Recourse, Enforcement, and Liability

With respect to personal data received or transferred pursuant to the EU-U.S. DPF or the UK Extension to the EU-U.S. DPF,
ESPS is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. With respect to personal
data received or transferred pursuant to the EU-U.S. DPF or the UK Extension to the EU-U.S. DPF, in certain situations,
ESPS may be required to disclose personal data in response to lawful requests by public authorities, including to meet
national security or law enforcement requirements.

In compliance with the EU-U.S. Data Privacy Framework program and the UK Extensions to the EU-U.S. DPF Principles,
ESPS commits to resolve complaints about your privacy and our collection or use of your personal information transferred
to the United States pursuant to the DPF Principles. European Union, United Kingdom individuals with DPF inquiries or
complaints should first contact ESPS at:

Empower
Attn: Vice President, Privacy Compliance
8525 E Orchard Rd, 2T3
Greenwood Village, CO 80111

ESPS has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute
resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely
acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.
org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This
service is provided free of charge to you.

Finally, as a last resort and under limited circumstances, if your DPF complaint cannot be resolved through the above channels, EU and UK individuals may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Data Privacy Framework.

Notice to Nevada residents

We are providing you this notice under Nevada state law. You may be placed on our internal Do Not Call List by contacting us.

In addition to contacting us, Nevada residents can contact the Bureau of Consumer Protection, Office of the Nevada Attorney General, in writing at 555 E. Washington St., Suite 3900, Las Vegas, NV 89101; by calling (702) 486-3132; or by emailing: AgInfo@ag.nv.gov

Modifications to our privacy policy

We may modify or amend this privacy policy from time to time as the need arises. We advise you to visit our website regularly to check for any amendments. Any material changes will be communicated to you in accordance with applicable law through an appropriate channel, depending on how we normally communicate with you.