Online Privacy Notice for services.citi.com
Issued on May 7, 2026
This Online Privacy Notice explains how Citibank N.A. operating this website collects and processes Personal Information about users (you) that interact with this website, of your rights and ways to request them. We advise you to read this Notice in its entirety, including its EU, California, and other jurisdiction-specific provisions, which apply in certain countries and territories.
If you are a California resident, the California Privacy Rights Act grants you certain privacy rights related to your Personal Information, which are in addition to the main sections in this Notice. Please read the California Supplemental Provision below for additional information.
If you wish to know how we process personal information in banking and financial. Services, please access the link at the top: "Privacy Notices for Clients and Service Recipients."
What is this website for?
This website provides general information to visitors, clients and services recipients. Our Banking and Financial Services encompass treasury, bank and trade banking, investor and issuer services. Within it:
- Cash & Trade delivers an integrated suite of innovative and customized treasury, cash management and trade finance services to meet the needs of multinational corporations, financial institutions and public sector organizations.
- Our investor services arm supports banks, institutional investors, asset managers, and asset owners with local markets expertise, innovative post-trade technologies and data solutions.
- In issuer services, Citi provides end-to-end capital market services through its Agency and Trust, and Depositary Receipt Services.
- Our commercial cards program is present in 100+ countries and provides payment solutions for purchasing and corporate travel and entertainment. We have currency programs in 59 countries and territories and acceptance at more than 90 million merchants worldwide.
STRUCTURE OF THIS PRIVACY NOTICE
Who is Collecting your personal information: DATA CONTROLLER AND CONTACT DETAILS
PERSONAL INFORMATION COLLECTED THROUGH THIS SERVICES
CATEGORIES OF PERSONAL INFORMATION
PURPOSES OF PROCESSING - HOW PERSONAL INFORMATION IS USED
GDPR NOTICE: LAWFUL BASIS OF PROCESSING
HOW PERSONAL INFORMATION IS DISCLOSED OR SHARED
STORAGE AND RETENTION
INTERNATIONAL DATA TRANSFERS
CHILDREN
AUTOMATED PROCESSING AND ARTIFICIAL INTELLIGENCE
LINKS TO OTHER WEBSITES
SECURITY OF YOUR PERSONAL INFORMATION
CHANGES TO THIS NOTICE
Data Controllers and Contact Details- Who is collecting your Personal Information
The Citi entity responsible for this website, and Data Controller (or similar terms), is Citibank N.A. of 388 Greenwich Street, New York, NY 10013, United States of America.
If you wish to exercise any individual rights under this notice, please contact us.
You have a right to complain: If you have any questions or have any complaints in respect of how we process your personal data, you may also contact our independent Data Protection Officers at the regional contact details indicated at the end of this Privacy Notice.
Personal Information Collected Through this Website
California Notice at Collection: The type of personal information we collect is classified as Other Information. "Other Information" is information that does not and cannot reveal an individual's specific identity, such as information that has been de-identified or aggregated.
Citi collects and uses such Personal Information in order to operate and provide you with access to the Services. This includes Personal Information that we collect automatically when you visit or interact with the Website , as follows:
1. Information you provide directly
Depending on your interactions with this website, we collect:
- Your name, email address, phone number or professional contact details
- Name and contact details of your organization, and role or business function;
- Your preferences for subscriptions, updates and alerts;
- Information we collect in the course of maintaining and supporting the Website (troubleshooting information)
- Personal Information submitted through “Contact Us” – demo requests, information requests, support channels or event/webinar registrations;
- Electronic credentials or identifiers we exchange in secure or restricted access pages.
- If you access the Website through your cellphone or mobile device, we also collect information about your mobile services provider and type of mobile device.
If you provide us with personal information from another person, you must have their permission to do so.
2. Information we collect automatically your device
When you access or use this website we collect:
- IP addresses and country of visit
- The pages you request and visit in our Website
- Device identifiers, browser type and version, operating system details
- Information from cookies, telemetry and analytics, subject to cookie and tracker consents – where required (see further below)
- Time and date of visits and referring and exit URLs
- Geolocation and Notification Alerts: If we intend to use these features we will ask for your explicit consent.
3. Cookies and Tracking Technologies that identify your device
We use cookies and related technologies to operate, enhance and secure this website. These include:
- Essential or Strictly Necessary Cookies- required for core functionality and security.
- Functional Cookies: - optional cookies that remember settings such as language, preference, or regional selections
- Analytics and performance cookies: - optional cookies that help us understand usage and improve site performance
- Advertising or Targeting Cookies- optional cookies deployed by our affiliates, which may communicate or share data with third parties.
Cookies and online trackers are small data files stored on your browser cache memory, in the different categories described above. They intend to help us improve our knowledge of visitors to this website, and to enhance your personal experience. We may also deploy web beacons and pixels – these ‘trackers’ are subject to your consent and are diminutive images stored on Emails, advertisements and social media content that communicate with your web browser to count visits from your device, and help us understand interest and effectiveness in our content and communications.
If we share information collected through cookies and trackers with external analytics providers, or if we serve advertisements, we will provide consent or opt-out options, per regulations in the country or territory from which you access our content.
For more information about interest-based ads, or – if you are in the United States – how to opt-out from behavioral advertising, please visit www.aboutads.info/choices. Your browser may also include a built-in feature (such as “Limit Ad Tracking” on iOS/Safari or “Opt-Out of Interest-Based Ads” and “Opt-Out of Ads Personalization” on Android/Google) that you can use to prevent the collection of information for behavioral cross-contextual advertising.
Categories of Personal Information we process
Depending on your interactions with the website, we may process:
- Identification and contact data, such as name, corporate email address, country and state of residence, telephone number.
- Professional information, including role, business unit, and organization, and office location;
- Technical and usage data, such as IP network address, device details (IMAC, OS, model year and browser version), diagnostics and performance logs;
- Interaction data, including clicks, downloads, content accessed, and enquiries submitted;
- Subscription and communication preferences.
- Geolocation (subject to your consent, if such feature is offered).
- Calendar and attendance information (for events we invite you to).
We do not intentionally collect sensitive, special category or protected characteristics of personal data, nor data from children and vulnerable individuals on this site, and will not ask for your consent to process such data.
In rare instances where security logs reveal possible fraud or unlawful activities, we may rely on a recognized public interest basis or on compliance with applicable law for our processing and for applying appropriate safeguards.
Purposes of Processing: How your Personal Information Is Used
The following principles are the foundation of our commitment to data protection:
- Transparency
- Purpose limitation
- Proportionality
- Accuracy
- Confidentiality
- Storage Limitation
- Accountability
- Compliance with applicable Privacy and Data Protection laws and regulations
We use your Personal Information for the purpose of providing, maintaining, and improving this website. We may also use the Personal Information we collect to:
- Send you technical notices, updates, security alerts, or support and administrative messages (i.e. changes to user terms, and notices) and respond to your comments, questions, and customer service requests;
- Monitor and analyze trends, usage, and activities in connection with this website and our services;
- Develop new website functionalities and enhance current products, detect, investigate, and prevent fraudulent transactions and other illegal activities that may use information on this website, and protect the rights and property of Citi and others; and
- Carry out such additional purposes as disclosed at the time of collecting any other personal information.
Lawful Basis for processing your Personal Information
Notice of Lawful Basis for International (Non-US visitors) and in countries that do not require user consent:
| Purpose | How We Use Data | Primary Legal Basis | Legitimate Interest (where applicable) |
|---|---|---|---|
| Operate and maintain services.citi.com | Load pages, enable navigation, support functionality | Legitimate interest (if applicable); or public interest) | Delivering a secure, reliable services platform |
| Security and fraud monitoring | Detect, investigate and prevent misuse, attacks or anomalies | Legal obligation; legitimate interest (*) | Protecting systems, clients and the integrity of operations |
| Website Functionalities , Analytics and Advertising | Analyse traffic, performance and features used; optimise site | Consent | Improving client experience and platform quality |
| Responding to enquiries | Process contact requests, product queries or support submissions | Legitimate interest (*) or contract necessity | Enabling efficient engagement with institutional clients |
| Digital communications and subscriptions | Send newsletters, product updates, event information | Consent or legitimate interest (only in a B2B context) | Providing relevant information to professional audiences |
| Compliance and regulatory purposes | Meet recordkeeping, audit, legal or regulatory requirements | Legal obligation | — |
Notice about consent In countries that require a lawful basis for processing and international data transfers we will rely on the lawful basis above unless consent is required by law or regulatory guidance, and/or if it is the expected primary lawful basis for processing, subject to other legal conditions for consent where collected.
If consent can be assumed or inferred from your conduct (for example by your navigation and subsequent use of this website’s features) we will use inferred consent. We may use other grounds for processing personal information after that initial consent- if available and you would not be expected to withhold or withdraw it.
IMPORTANT! DECLINING OR WITHDRAWING CONSENT
If we need your consent to process certain personal information and you do not provide it, or if having granted it you then withdraw or revoke it, we may not be able to continue providing a specific feature. We shall inform you if we need your consent as a statutory requirement or where its necessary to provide website features.
How your Personal Information Is Disclosed or Shared
Within our global organization and affiliates
We may disclose your Personal Information within our organization for the legitimate business purposes described above:
- To technology service providers that provide website hosting, data analysis, information technology and related infrastructure, customer services, transaction processing , e-mail delivery, web and cookie auditing, and other IT services;
- To our affiliates in the country where you reside or from where we provide financial services;
To competent authorities and law enforcement, in order to respond to lawful requests, or to provide them with information to enforce our website terms of use, and protect our safety or property, and/or that of our affiliates, against internet fraud and other crimes.
With our Service Providers
We use vetted third-party service providers for:
- Cloud hosting cloud hosting infrastructure, content management and delivery networks;
- Data analytics and user experience measurement;
- Website content and deployment optimization and security;
- Technical maintenance and support.
With Legal and regulatory bodies
We disclose personal information to:
- Financial supervisory authorities (whether banking, or markets regulators, or data protection);
- government or law enforcement agencies;
- courts, arbitration panels or regulators; and
- external auditors and professional advisers, where required or permitted by law.
Storage and Retention
Information collected on our website will only be retained for as long as is necessary to fulfil the purpose for which it was collected. Our retention periods vary in accordance with applicable law in the country where we collect personal information. When the retention of your personal information is no longer necessary, we will securely dispose of it by destroying the data, or we will irreversibly anonymize it, so that it is no longer personal data. As an average, transitory data is retained to a maximum of one year.
International Data Transfers
This website is hosted in the United States by Citibank N.A., of 388 Greenwich Street, New York NY 10013, United States. Personal and device technical information is collected and used in the United States. By using this website and its services, you acknowledge that your personal information is transferred to the United States. Where any of Citi affiliates transfer other personal information to complete information requests, for example events we invite you to (virtual or in person) we will use appropriate safeguards such as data protection clauses supported by data transfer impact assessments and risk mitigations, where legally required.
Children
Our web services are not designed for children, and we do not intentionally collect Personal Information or feedback from persons that cannot enter into contracts with a financial institution, in their own name, without consent from their parents. If you have reason to believe that a child has provided Personal Information to us, please contact us, and we will take appropriate action.
Automated Processing and Artificial Intelligence
We process Personal Information using automated processing or artificial intelligence, including for calibrating and training AI models where legally permitted, including:
- Interpreting website visitor and navigation analytics, and user interest vectoring in our content, using de-identified data.
- Regulatory Compliance: Conducting crime prevention activities, including detecting unusual activity, bots, threats or suspect patterns.
- Operational efficiency: Enhancing the impact of our marketing campaigns using artificial intelligence (AI) models.
- Training Purposes: Training AI models to support marketing and content rationalization.
Citi does not intently collect sensitive information or special category data and does not engage in its automated processing or profiling.
No automated processing on this site can or may result in a legal or similarly significant outcome, and we do not rely on automated processing for assessments or decision-making (whether supervised or unsupervised) about visitors or clients of the bank.
Links to Other Websites
This website may contain links to other websites. Citi is not responsible for their privacy or information security practices of non-affiliated entities. You should carefully review the applicable privacy and information security policies and notices of other websites you click through this website.
Security of Personal Information
We use reasonable physical, electronic, and procedural measures to safeguard Personal Information within our organization against loss, theft, and unauthorized use, disclosure, or modification. However, no transmission over public communications networks, including the Internet can be guaranteed to be 100% secure. As a result, while we strive to protect your information, we cannot guarantee its security.
Changes to This Notice
From time to time, we may revise this Notice. Changes may be made for any number of reasons, including to reflect industry initiatives, changes in the law, and changes to the scope of the Services, among other reasons. You can tell when we last updated the Notice by checking the date at the beginning of the Notice. Any changes will become effective when we post the revised Notice on the Site.
Supplementary Information
Information for residents of the European Union, European Economic Area, Switzerland, United Kingdom, Bailiwick of Jersey, and other jurisdictions with comprehensive data protection laws.
If you are located in any country named above, or in Nigeria, Kenya, the Republic of South Africa, Malaysia, Bahrain, Qatar, the Kingdom of Saudi Arabia, Argentina, Brazil, Mexico, Peru or Colombia, or are a client of Citibank DIFC or ADGM branches, and certain others, you have statutory legal data subject rights. Please read the following paragraphs, which complement the privacy notice.
Lawful Basis for Processing Personal Data
The laws of the countries named above allow us to process your personal information under the lawful basis of legitimate interest. We will process your personal data on that basis where:
- We need to use your personal data ; and
- We are not processing it for compliance of our own legal obligations.
- We have not asked for your consent to process personal data
Such processing will be proportionate, and within the expectations parties had when collecting your information. If we intend to reuse it for onward processing for a different purpose, we must meet two conditions (a) the new purpose must be closely aligned with the initial purpose for its collection, and (b) we will inform you of the new purpose and seek your consent or give you the possibility to opt-out.
Your Privacy and Data Subject Rights
In certain jurisdictions you have some or all of the following legal rights:
- The right to ask us for a copy of your personal information (Right to access). Please note however that this right may be limited by the rights of other individuals to their own Personal Information. Where appropriate we will redact their personal information when responding to your right of access.
- Right to withdraw any previously given consent to process your personal information (Right to withdraw consent). Withdrawal of your consent will not impact the data that has been collected or processed prior to its withdrawal or revocation.
- Right to correct or update any inaccurate or outdated information about you (Right to rectification). For Personal Information gathered in Switzerland, you may additionally request that a note of contest is added in case if neither the accuracy nor the inaccuracy of the Personal Information in question can be established.
- Rights to ask us to erase or delete your personal information (Right of erasure or ‘Right to be forgotten’) and the associated right to restrict our processing of personal information. This right cannot be availed in circumstances where our lawful basis for processing is compliance with applicable law.
- Right to object to the processing of your Personal Information (Right to object). This right cannot be availed where our lawful basis for processing is compliance with applicable law.
- In certain territories you have an additional right to ask us to transfer your personal information to another data controller (Right to data portability).
- Finally, you have the right to object to decisions being made with your data solely based on automated decision making or profiling (Right to object to automated processing). However, this website does not engage in such activities.
You will not be treated differently (in a negative way) for exercising any of your privacy rights.
To exercise these data rights or if you have questions about how Citi processes your Personal Information, please Contact Us.
If you are making a request on behalf of someone else (as an attorney, relative or representative) we may require further information to ensure that you are duly authorized to make that request.
Your Right to Complain
If you believe your personal data was mishandled, or you have concerns regarding access to, or use of your information, you may contact our independent Data Protection Officer.
Such complaints, where raised in the UK, will be governed under the Digital (Use and Access) Act 2025in relation to any restriction of digital access or misuse of personal data.
Complaints may be submitted via email to our GDPR Data Protection Officers, in the table below. In other jurisdictions please see the contact details further below.
| EU/EEA | Citi EU Data Protection Officer 1 North Wall Quay Dublin, D01 T8Y1, Republic of Ireland Email: GDPRDPO@citi.com |
|---|---|
| UK | Citi UK Data Protection Officer 40 Bank Street , 9th Floor, Canary Wharf London, E14 5NR, United Kingdom Email: GDPRDPO@citi.com |
| Switzerland | Citi Data Protection Advisor Hardstrasse, 201, 8005, Zurich, Switzerland |
Complaints to Data Protection Authorities
If you reside in a Member State of the European Union or the European Economic Area, and you are still dissatisfied with our handling of your personal information or how we responded to your data subject rights, you may file a regulatory complaint to the Data Protection Commissioner in Ireland (our Lead Supervisory Authority) or to the data protection authority in the EU/EEA Member State where you reside.
- Data Protection Commissioner: www.dataprotection.ie
If you reside in the UK you can contact the
- Information Commission (formerly ICO) (www.ico.org.uk )
If you reside in Jersey, you may contact the
- Office of the Jersey Data Protection Commissioner (http://jerseyoic.org )
If you reside in Switzerland, you may contact the
- Federal Data Protection Commissioner (FDPIC) https://www.edoeb.admin.ch
If you reside in Monaco, you may contact the
- Personal Data Protection Authority (http://en.gouc.mc )
Contact Details of our Privacy Officers and enforcement of rights in other countries:
| Republic of South Africa | Information Officer 145 West Street, Sandown 2196, South Africa Tel. +27 1 1 944073 |
|---|---|
| Kenya, Uganda, Tanzania, Zambia | P.O. Box 30711, 00100 Nairobi, Kenya Citibank House, Upper Hill, Nairobi, Kenya Tel +254 20 2754091 Email: yvonne.n.muturi@citi.com |
| Nigeria | Nigeria Data Protection Advisor Citibank Nigeria Limited 27, Kofo Abayomi Street, Lagos, Nigeria |
| Australia | Citi Privacy Officer GPO, Box 304, Sydney, NSW 2001 T: 13 24 84 Email: privacy.officer @citi.com |
| Brazil | Citi Privacy Officer Para exercer os direitos em relação aos seus Dados Pessoais, favor realizar solicitação por meio do link |
| Canada | Citi Privacy Officer Chief Privacy Officer, Quebec Data Protection Officer |
| Colombia | Citi Privacy Officer Si desea presentar una consulta, reclamo o petición de información relacionada con sus datos personales, y/o la protección de éstos por parte de Citibank – Colombia S.A. puede comunicarse a la línea de atención Citiservice 5870000, o en la Sede Principal ubicada en la Cra. 9 A No. 99 – 02, Bogotá – Colombia |
| Mexico and El Salvador | Citi Privacy Officer Para ejercer sus derechos con relación a sus datos personales, puede comunicarse con los Responsables de Datos y Encargados Claves de datos en la siguiente dirección: Citi-Info S. de R.L. de C.V., Moras 850 Acacias, Col. Benito Juarez, Ciudad de Mexico, CDMX 03240, Mexico |
| Hong Kong S.A.R. | Citi Privacy Officer Citibank, N.A., Data Protection, 12/F, Citi Tower, One Bay East, 83 Hoi Bun Road, Kwun Tong, Kowloon, HK |
| Indonesia | DPO: Wedha Marghaputra Email: Indonesia.Privacy@citi.com. |
| Jamaica | DPO: Marcela Jaimes Email DPOJamaica@citi.com Citibank Colombia, S.A., Centro de Servicio, Calle 100, Carrera 9ª, No. 99-02. Piso 1. Local 104., Bogota, Colombia DPO Representative in Jamaica Email: DPOJamaica@citi.com Citibank N.A. Jamaica, 19 Hillcrest Avenue, Kingston 6, Jamaica |
| Philippines | Data Protection Officer 16F, Citi Plaza, 34th Street, Bonifacio Global City Philippines Email: CitiPHDPO@citi.com |
| Saudi Arabia | The Data Protection Officer 20th Floor of Kingdom Tower, P.O. Box 301700, Riyadh 11372, Central Province, Kingdom of Saudi Arabia |
| Korea (South) | Chief Country Compliance Officer: Han Suk Kim 02-3455-2244 |
| Thailand | Data Protection Officer Citibank N.A., Bangkok Branch Interchange 21 Building, 399, Sukhumvit Road, Klongtoey Nua Sub-district, Wattana District, Bangkok, Thailand 10110 Email dpo.officethailand@citi.com Remarks: The above email address is reserved for the contact related to the exercise of Data Subject Rights only. |
Additional Information for persons in Nigeria
Data Controller
The Data Controller in Nigeria is Citibank Nigeria Limited (CNL) a commercial bank licensed by the Central Bank of Nigeria, with registered offices at 27 Kofo Abayomi Street, Victoria Island, Lagos, Nigeria. CNL is responsible for the lawful collection, use, processing and disposal of personal data in Nigeria and its lawful transfer across national borders. CNL has ensured that it has appropriate contractual, technical and operational measures in place with its affiliates and parent companies, and any sub-processors of personal data gathered in Nigeria.
You can request or enforce your personal data rights by emailing or writing to the Data Protection Officer at our registered address or by Email to CNL Data Protection Officer at dponigeria@citi.com
Legal Basis for Processing personal information
CNL relies on various lawful basis as permissible by law for the collection and processing of Personal Data in Nigeria and will rely on your consent of personal information, where appropriate. These will be gathered, for example in the Release of Permission to Record images, sounds or videos.
We may rely on other lawful basis for processing, including for compliance with applicable law or in the public interest recognized in a statute, or if it is necessary for the establishment, exercise or defense of legal claims.
Silence
Your silence will never be assumed to be consent to the processing of your Personal Information.
Your Rights when our processing is for Legitimate Interests
Citi shall discontinue the processing of your Personal Information upon your request, unless Citi demonstrates a public interest or other legitimate grounds, which overrides your fundamental rights and freedoms and interests
Further Protections for Processing of Sensitive Personal Data
Citi shall not process your sensitive personal data, unless:
- you have given and not withdrawn consent to the processing for the specific purpose or purposes for which it will be processed;
- processing is necessary for the purposes of performing the obligations of Citi or exercising your rights under employment or any other similar laws;
- processing is necessary to protect your vital interests or of another person, where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association, or such other non-profit organization with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes, and the —
- processing relates solely to the members or former members of the entity, or to persons, who have regular contact with it in connection with its purposes, and
- sensitive personal data is not disclosed outside of the entity without the explicit consent of the data subject;
- processing is necessary for the establishment, exercise, or defense of a legal claim, obtaining legal advice, or conduct of a legal proceeding;
- processing is necessary for reasons of substantial public interest, since a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject;
- processing is carried out for purposes of medical care or community welfare, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality;
- processing is necessary for reasons of public health and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject; or
- processing is necessary for archiving purposes in the public interest, or historical, statistical, or scientific research, in each case since a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and freedoms and the interests of the data subject.
Notification of Security Incidents and Breaches of Personal Information
The safety, security and integrity of your personal information are paramount to our operations. We will promptly notify the Data Protection Authorities within 72 upon becoming aware of any accidental or intentional damage, alteration, destruction, unauthorized disclosure, loss, misuse, inability to access, extraction or theft of personal information that is stored or processed by Citi, where there is a risk to your rights or freedoms. If the risks are significant, we will also communicate directly with you, providing details of the data exposed to risk, with advice and measures we take to mitigate any adverse effects.
In the event that the protection of your Personal Information is compromised or interfered with, you may lodge a complaint with the Nigeria Data Protection Commission No.12 Clement Isong Street, Asokoro, Abuja or info@ndpc.gov.ng.
Supplemental provision applicable to users from the Republic of Korea
By your use of this website you agree to the Terms of Use and also agree that your personal information will be controlled, not by Citibank Korea Inc. nor other subsidiaries and affiliates in Korea ("Citi Korea"), but by Citibank, N.A. in the United States of America.
Citi Korea is solely responsible for the use of your personal information within Korea, when used by Citi Korea, under the applicable Korean laws including; Personal Information Protection Act, Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., and other relevant Korean laws.
Your personal information and the submitted materials on this website can be shared with Citi Korea but Citi Korea will not collect and use such personal information and materials for any marketing purpose without your prior consent. When Citi Korea obtains personal information collected in the United States via this website, the use will be controlled by and be bound to the necessary process and procedure following the applicable Korean laws.
Supplemental provision applicable to California residents
This California Supplemental Provision (the “Supplement”) supplements the information contained in Privacy Notice and applies solely to residents of California who have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”). These persons are further referenced as “consumers” or “you”. Unless otherwise defined in the Privacy Notice, any terms defined in this Supplement have the meaning used in the CCPA.
We do not collect forms of Personal Information including “sensitive” Personal Information which are subject to additional protections. Because we do not collect “sensitive” Personal Information, we do not need to provide a Limit Use and Disclosure of Sensitive Personal Information right under the CCPA.
Summary of Personal Information Handling Practices
We provide in the chart below a summary of Personal Information handling practices for the prior 12 months.
Notes:
1) We do not sell or share your Personal Information to third parties for monetary consideration. However, we may share your Personal Information with third parties for advertising purposes subject to your cookie options.
2) We do not have actual knowledge of any collection, use, sale, or sharing of Personal Information of consumers under 16 years of age.
| Categories of Personal Information | Sources | Purposes of Processing Personal Information | Recipients of Personal Information |
|---|---|---|---|
| Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. | From You |
|
SoldWe have not sold this information to third parties. SharedWe have not shared this information with third parties for targeted advertising purposes. Service ProvidersWe have disclosed this information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. See the How Personal Information is Disclosed section in the Privacy Notice for more details. |
| Geolocation data | From your usage of the site |
|
Sold We have not sold this information to third parties. Shared We have not shared this information with third parties for targeted advertising purposes. Service Providers We have disclosed this information to our affiliates and to other parties that provide services to us or act on our behalf in connection with the operation of our business. See the How Personal Information is Disclosed section in the Privacy Notice for more details. |
Retention of Personal Information - California
We store Personal Information for as long as necessary to carry out the purposes for which we originally collected it and for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.
Your Rights and Choices
The CPRA affords consumers residing in California certain rights with respect to their Personal Information, subject to certain exceptions. Subject to certain limitations, you have the following rights in California:
- Right to Delete. You have the right to request us to delete the Personal Information we have collected about you.
- Right to Correct. You have the right to request us to correct inaccurate Personal Information we maintain about you.
- Right to Know and Access. You have the right to know and access the Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, and the specific pieces of Personal Information we have collected about you.
- Data Portability. You have the right to receive the information under right (3) in a format, to the extent technically feasible, that is portable, usable, and allows you to transmit the Personal Information to a person without impediment, where the processing is carried out by automated means.
- Right to Opt-Out. You have the right to opt out of certain processing, such as opting out of profiling or our sale or sharing of your Personal Information.
- Right to No Discrimination. You have the right not to be discriminated against for exercising any of your privacy rights. This includes us not: (a) denying you goods or services; (b) charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (c) providing you a different level or quality of goods or services; and (d) suggesting to you that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
Exercising Your Rights
To exercise your rights as described above, please submit a verifiable consumer request to us by either:
- Visiting Citi Privacy Hub; or
- Calling us at (833) 971-1191 (TTY: 711)
Except for the right to opt-out related to selling or sharing your Personal Information, we will need to verify your identity before honoring your privacy right request. Subject to certain limitations, we will honor your privacy rights request within 45 calendar days from its receipt, unless we request an extension as permitted by the CCPA. However, we will honor opt-out of sale and sharing requests within 15 business days.
Authorized Agents
You may exercise California privacy rights through an authorized agent.
If we receive your request from an authorized agent, we may ask for evidence that you have provided such agent with a power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf. If you are an authorized agent seeking to make a request, please contact us by either:
- Visiting Citi Privacy Hub; or
- Calling us at ((833)-981-0270 (TTY: 711)
Contact Information
If you have any questions about this Supplement, the ways in which we collect and process your Personal Information described in this Supplement, your choices and rights regarding such use, or wish to exercise your rights under the CPRA, please visit Citi Privacy Hub or call us at (833) 971-1191 (TTY: 711).
