PRIVACY POLICY 

Revised and effective 11/2024 

bswift, LLC (“bswift,” “us,” “our,” or “we”), is committed to respecting your privacy. This Privacy Policy (“Privacy Policy”) describes how we collect, process, and share your Personal Data (defined below). We also describe your rights and choices with respect to your Personal Data and other important information. Please read this Privacy Policy carefully. 

NAVIGATION

• SCOPE OF THIS POLICY 
• HOW TO CONTACT US/CONTROLLER
• CATEGORIES AND SOURCES OF PERSONAL DATA
• DATA PROCESSING CONTEXTS / NOTICE AT COLLECTION 
• PROCESSING PURPOSES
• DISCLOSURE/SHARING OF PERSONAL DATA
• INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA
• YOUR RIGHTS & CHOICES
• DATA SECURITY
• CHILDREN
• DATA RETENTION
• CHANGES TO OUR POLICY 
• REGIONAL SUPPLEMENTS

This Privacy Policy applies to Personal Data collected through our “Services,” which include:

• Our “Corporate Site,” including data collected when you interact with or reference our services or advertisements online; and
• Our “Platform,” which includes our benefits mobile app (“Mobile App”) and other web-based services, in each case, to the extent we are a controller/business with respect to the operation of the Platform.

Please note: We provide certain services and process information (e.g., benefits enrollment and administration) on behalf of third parties (e.g., your employer) that have entered into an agreement with us to provide our Services (our “Clients”). Similarly, we may link to third party sites, services, or applications (e.g., a benefits plan or provider). This Policy reflects only how we process Personal Data through our Services. This Policy does not apply to information processed by or on behalf of our Clients, benefits plan/provider, or any other third party. Please see the third party’s privacy policy for more information.

This Privacy Policy does not apply to Personal Data collected in the context of your engagement as an employee or contractor for bswift, or for other HR purposes, all of which is covered by our HR Privacy Policy (available through bswift HR).

The controller of your Personal Data under this Policy is bswift, LLC. If you have any comments or questions about this Privacy Policy or privacy practices, please contact our Data Privacy Team at:

bswift, LLC

Attn: bCompliant

500 Monroe Street, Suite 3800, Chicago, IL 60661

General Inquiries and Data Updates: bCompliant@bswift.com

Marketing Choices: If you would like to make changes to your communications preferences, click the link in any email from bswift or send us an email at bCompliant@bswift.com.

Regional Data Rights: Email us at bCompliant@bswift.com, mail to the address below, or call 1-877-927-9438 and select the Privacy option or 1-877-927-9438 and select option ‘3’ for privacy inquiry.

The following describes how we process data relating to identified or identifiable individuals and households (“Personal Data”).

Categories of Personal Data We Process

The categories of Personal Data we process may include:

Audio/Visual Data

• Audio files and records, such as voicemails, call recordings, and the like.

Biographical Data

• Data relating to professional and employment history, qualifications, and similar biographic information.

Transaction Data

• Information about the Services we provide to you and transactions you make with bswift, what Services you received, and transactions were processed and similar information.

Contact Data

• Identity Data that relates to information about how we can communicate with you, such as email, phone numbers, physical addresses, and information you provide to us when you contact us by email.

Device/Network Data

• Information regarding your device or interaction with a web site, application (e.g., IP Address, MAC Address, SSIDs, or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, browsing data, first party cookies, third party cookies, web beacons, clear gifs, and pixel tags.

Identity Data

• Information, such as your name; address; email address; telephone number; date of birth, account login details, including your username and password, license plate number, or other account-related information.

Inference Data

• Personal Data used to create a profile about you reflecting your preferences, market segments, and other data or analytics provided about, and your interests.

General Location Data

• Non-precise location data, such as dates and times of your visit, which properties or locations you visited, and location specified by social media tags/posts.

Sensitive Personal Data

• Personal Data defined as “sensitive personal information” or similar definitions under applicable laws. We collect the following categories of Sensitive Personal Data:
• “Government ID Data” – Data relating to official government identification, such as sSocial sSecurity number, driver’s license, or passport numbers, including similar Identity Data protected as Sensitive Data under applicable law.
• “Payment Data” – Information such as bank account details, payment card information, and information from credit reference agencies, including similar data defined as defined in applicable law, and relevant information in connection with a financial transaction.

User Content

• Unstructured/free-form data that may include any category of Personal Data, e.g., data that you give us in free text fields such as a contact box.

Sources of Personal Data We Process

We collect Personal Data from various sources, which include:

Data you provide us

• We receive your Personal Data when you interact with us, such as when you when you create an account, fill out a form, interact with Emma™, or when you otherwise input information into our Services.

Data we collect automatically

• We automatically collect Personal Data about or generated by any device you have used to access our Services.

Service Providers

• We receive Personal Data from service providers that perform services on our behalf.

Clients and Providers

• We receive Personal Data from partners, such as benefit providers or our Clients, who may transfer Personal Data to us in connection with the enrollment, maintenance, or termination of benefits plan or program, or otherwise use our Platform.

Data we create or infer

• We, certain partners, and third parties operating on our behalf create and infer Personal Data based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you. We may combine any Personal Data about you that we receive from you, and from third parties.

Note: Please click the following links to view information on Data Retention or Regional Data Rights for any of the processing contexts listed below.

Corporate Site

Generally

We automatically collect and process Device/Network Data, Identity Data, General Location Data, and Inference Data when you access and use our Corporate Site.

We use this Personal Data as necessary to operate our Corporate Site, such as delivering pages or content, for our Business Purposes, and our other legitimate interests, such as:

• ensuring the security of our Corporate Site and other technology systems;
• analyzing the use of our Services, including navigation patterns, clicks, etc., to help understand and make improvements to the Services; and
• creating aggregate information about users’ content viewing and usage patterns, which we use to help improve our Services and website content.

Cookies and other tracking technologies

We automatically collect and process Identity Data, Device/Network Data, Inference Data, and General Location Data, in connection with our use of cookies and similar technologies on our Platform. We may collect this data automatically.

We and authorized third parties may use cookies and similar technologies for the following purposes:

• for “essential” purposes necessary for our Platform to operate (such as maintaining user sessions, CDNs, and the like);
• for “functional” purposes, such as to enable certain features of our Platform (for example, to allow a client to maintain a basket when they are shopping at an online store);
• for “analytics” purposes and to improve our Platform, such as to analyze the traffic to and on our Platform (for example, we can count how many people have looked at a specific page, or see how visitors move around our Corporate Site when they use it, to distinguish unique visits/visitors to our Services, and what website they visited prior to visiting our Corporate Site, and use this information to understand user behaviors and improve the design and functionality of our Services);
• for “retargeting,” Targeted Advertising, or other advertising and marketing purposes, including technologies that process Preference Data or other data so that we can deliver, buy, or target advertisements which are more likely to be of interest to you; and
• for “social media” e.g. via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or you link your account or engage with our content on or through a social networking website such as Instagram or LinkedIn.

We may also process this Personal Information for our Business Purposes and Targeted Advertising. See your Rights & Choices for information regarding opt-out rights for cookies and similar technologies.

Third parties may view, edit, or set their own cookies or place web beacons on our Corporate Site. We, or third-party providers, may be able to use these technologies to identify you across platforms, devices, sites, and services. Third parties may engage in targeted advertising using this data. Third parties have their own privacy policies, and their processing is not subject to this Policy.

Our Platform

Generally

We automatically collect and process Device/Network Data, General Location Data, and Inference Data when you access and use our Platform. We use this Personal Data as necessary to operate our Platform, such as keeping you logged in, delivering content, for information security operations, and our other Business Purposes.

Account Registration

We may process Identity Data, Biographical Data, Contact Data, and User Data when you sign up for an account through or on behalf of our Clients on our Platform, e.g. when our Clients shares a link and log-in directions with you, or where you are an administrator acting on behalf of the Client. We may also process Device/Network Data.

We process this Personal Data as necessary to perform or initiate a contract with you and our Clients, or for our Business Purposes.

Benefits Plans and Enrollment

We may process Identity Data, Biographical Data, Contact Data, User Data, and Device/Network Data in connection with employee benefits plan enrollment or administration through our Clients on our Platform. We may also process Sensitive Personal Data, including Health Data and Government ID Data.

We process this Personal Data as necessary to perform or initiate a contract with you and our Clients, to inform you of your benefits program, or for our Business Purposes. We do not sell or share Personal Data processed in this context. We process Sensitive Personal Data only for Business Purposes permitted under applicable law.

Mobile Apps

If you access our mobile app or other web-based products, we may process Identity Data, Device/Network Data, and General Location Data.

We process this Personal Data to provide our mobile apps, for our Business Purposes, and our other legitimate interests, such as to optimize the display and functionality of the mobile app on your device, or to deliver features that require the use of General Location Data.

In-Person Events

We process Identity Data and Contact Data when you register for and attend one of our in-person events, such as an “Idea Exchange” or a “Client Advisory Board.”

We process this Personal Data to provide updates about the event, as well as for our Business Purposes and Marketing Communications.

Contact Us; Support

We collect and process Identity Data, Contact Data, and User Content when you contact us, e.g. through a contact us form, or for support. If you call us via phone, we may collect Audio/Visual data from the call recording.

We process this Personal Data to respond to your request, and for our Business Purposes. If you consent or if permitted by law, we may use Identity Data and Contact Data to send you Marketing Communications.

Feedback and Surveys

We process Identity Data, Contact Data, and User Content collected in connection with feedback surveys or questionnaires.

We process this Personal Data as necessary to respond to concerns, for our Business Purposes, and other legitimate interests, such as:

• analyzing Client and employee satisfaction; and
• to allow our partners and service providers to communicate with users.

We may share feedback/survey data relating to partners and service providers, who may use it for their own purposes.

Marketing Communications

We process Device/Network Data, Contact Data, and Identity Data, in connection with marketing emails, push notifications, telemarketing, or similar communications, and when you open or interact with those communications. You may receive marketing communications if you consent and, in some jurisdictions, if you are a representative of a Client or attendee of our events.

We process this Personal Data to contact you about relevant products or services and for our Business Purposes. We may personalize Marketing Communications based on Personal Data we create or infer. If consent to is required by law, we will seek your consent. See your Rights & Choices to limit or opt out of this processing.

Business Purposes

We and our Service Providers process Personal Data we hold for numerous business purposes, depending on the context of collection, your Rights & Choices, and our legitimate interests. We generally process Personal Data for the following “Business Purposes.”

Service Provision and Contractual Obligations

We process Personal Data as necessary to provide our Services, to authenticate users and their rights to access the Service and as otherwise necessary to fulfill our contractual obligations to you, and provide you with the information, features, and services you request. Similarly, we may use Personal Data as necessary to audit compliance, and log or measure aspects of service delivery (e.g., statistics regarding plan enrollment, or user accounts).

Internal Processing and Service Improvement

We may use any Personal Data we process through our Services as necessary in connection with our legitimate interests in improving the design of our Service, understanding how our Services are used or function, for client service purposes, for internal research, technical or feature development, to track service use, QA and debugging, audits, and similar purposes.

Security and Incident Detection

We may process any Personal Data we collect in connection with our legitimate business interest in ensuring that our properties and locations are secure, identify and prevent crime, prevent fraud, and ensure safety. Similarly, we process Personal Data on our Platform as necessary to detect security incidents, protect against, and respond to malicious, deceptive, fraudulent, or illegal activity. We may analyze network traffic, device patterns and characteristics, maintain and analyze logs, and process similar Personal Data in connection with our information security activities.

Personalization

We process certain Personal Data as necessary in connection with our legitimate business interest in personalizing our Services. For example, aspects of the Services may be customized to you so that it displays your name and other appearance or display preferences, to display content that you have interacted with in the past, or to display content that we think may be most relevant to you based on your interactions with our Services and other content. This processing may involve the creation and Personal Data that we infer based on your preferences.

Aggregated Data

We process Personal Data about our Clients and users in order to identify trends (to create aggregated and anonymized data about our Clients and users, e.g. feature and service utilization trends, Service performance and satisfaction, and other similar information (“Aggregated Data”). We may pass Aggregated Data to the third parties referred to in the section below to give them a better understanding of our business and to bring you a better service. Aggregated Data that does not contain Personal Data is not subject to this Privacy Policy.

Compliance, Health, Safety, Public Interest

We may also process any Personal Data as necessary to comply with our legal obligations, such as where you exercise your rights under data protection law and make requests, for the establishment and defense of legal claims, or where we must comply with our legal obligations, lawful requests from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity. We may also process data to protect the vital interests of individuals, or on certain public interest grounds, each to the extent allowed under applicable law. Please see the How We Share Personal Data section for more information about how we disclose Personal Data in extraordinary circumstances.

Other Business Purposes

If we process Personal Data in connection with our Service in a way not described in this Privacy Policy, this Privacy Policy will still apply generally (e.g., with respect to your rights and choices) unless otherwise stated at collection. We will process such information in accordance with the notice provided at the time of collection or in a manner that is necessary and proportionate to achieve the operational purpose for which the Personal Data was collected or processed or for another operational purpose that is compatible with the context in which the Personal Data was collected.

Targeted Advertising

If you visit our Corporate Site, we and our third-party advertising providers may show you advertisements related to our Services when you visit third-party sites, e.g. social media platforms, web searches, other media platforms (“Targeted Advertising”). Targeted Advertising may involve the processing of Personal Data to make inferences about your interests and tailor the advertisements you see based on those interests. The profiles and interests used for Targeted Advertising may be inferred or derived from Personal Data that we or those third parties obtain or infer from your activities on our Corporate Site, and from other websites, applications, or services (e.g. through cookies and similar tracking technologies, as described above). These third parties (e.g. Google or LinkedIn), may use cookies and/or device identifiers to collect Personal Data such as unique IDs, IP addresses, device information, OS/browser type, and other similar data, as well as information about your visits to our Corporate Site and the ads you see and view to develop and assess aspects of a consumer profile, to deliver more relevant advertisements and offers, and to determine whether and how ads you see are effective. Note that Targeted Advertising includes various parties and service providers, e.g. third-party data controllers, engaged in the processing of Personal Data in connection with Targeted Advertising. These parties may be able to identify you across sites, devices, and over time. In some cases, these third parties may build or augment user profiles using your Personal Data, and may track whether you view, interact with, or how often you have seen an ad, or whether you purchased advertised goods or services.

We may share Personal Data with the following categories of third-party recipients and/or for the following reasons:

Affiliates

• We will share your Personal Data internally within our company, as well as any other current or future affiliated entities, subsidiaries, and parent companies of bswift in order to streamline certain business operations, and in support of our Business Purposes.

Service Providers

• We may share your Personal Data with service providers who provide certain services or process data on our behalf in connection with our general business operations, product/service improvements, to enable certain features, and in connection with our (or our Service Providers’) Business Purposes.

Clients and Providers

• Where allowed by law, or with your consent, we may share your Personal Data with Partners, such as your benefits provider or our Clients, who help us provide our Services to you and in connection with our (or our Partners’) Business Purposes.

Successors

• We may share Personal Data if we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.

Lawful Recipients

• In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, in the vital interests of us or any person (such as where we reasonably believe the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety,), or in such other circumstances as may be required or permitted by law. These disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

If you are located outside the U.S., we may transfer or process your Personal Data in the U.S., U.K., European Economic Area (EEA), and other jurisdictions where bswift or our service providers operate. Where required by local law, we ensure your data remains protected in connection with any international transfers. See the “Regional Supplements” section below for more information.

You may have certain rights and choices regarding the Personal Data we process. Please note, these rights may vary based on the country or state where you reside, and our obligations under applicable law. See the following sections for more information regarding your rights/choices in specific regions:

• US States/California
• EEA/UK/Switzerland

Your Rights

You may have certain rights and choices regarding the Personal Data we process. See the “Regional Supplements” section below for rights available to you in your jurisdiction. To submit a request, Contact Us. We verify your identity in connection with most requests, as described below.

Verification of Rights Requests

If you submit a request, we typically must verify your identity to ensure that you have the right to make that request, reduce fraud, and to ensure the security of Personal Data. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

We may require that you match Personal Data we have on file in order to adequately verify your identity. If you have an account, we may require that you log in to the account to submit the request as part of the verification process. We may not grant access to certain Personal Data to you if prohibited by law.

Your Choices

Marketing Communications

You can withdraw your consent to receive marketing communications by clicking on the unsubscribe link in an email. You can also withdraw your consent to receive marketing communications or any other consent you have previously provided to us by contacting us. To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails.

Withdrawing Your Consent/Opt-Out

You may withdraw any consent you have provided at any time. The consequence of you withdrawing consent might be that we cannot perform certain services for you, such as location-based services, personalizing or making relevant certain types of advertising, or other services conditioned on your consent or choice not to opt-out.

Cookies and Similar Technologies

General

• If you do not want information collected through the use of cookies, you can manage/deny cookies (and certain technologies) using your browser’s settings menu or our Manage Cookies page. You may need to opt out of third-party services directly via the third party. For example, to opt-out of Google’s analytic and marketing services, visit Google Analytics Terms of Use, the Google Policy, or Google Analytics Opt-out.

Global Privacy Control (GPC)

• Our Platform may support certain automated opt-out controls, such as the Global Privacy Control (“GPC”). GPC is a specification designed to allow Iinternet users to notify businesses of their privacy preferences, such as opting-out of the sale/sharing of Personal Data. To activate GPC, users must enable a setting or use an extension in the user’s browser or mobile device. Please review your browser or device settings for more information regarding how to enable GPC.

Please note: We may not be able to link GPC requests to your Personal Data in our systems, and as a result, some sales/sharing of your Personal Data may occur even if GPC is active. See the “Regional Supplements” section below for more information regarding other opt-out rights.

Do-Not-Track

• Our Services do not respond to your browser’s do-not-track request.

We implement and maintain commercially reasonable security measures to secure your Personal Data from unauthorized processing. While we endeavor to protect our Services and your Personal Data unauthorized access, use, modification, and disclosure, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.

Our Services are neither directed at nor intended for use by persons under the age of 18. We do not knowingly collect information from such individuals. If we learn that we have inadvertently done so, we will promptly delete such Personal Data if required by law. Do not access or use the Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.

We retain Personal Data for so long as it is reasonably necessary to achieve the relevant processing purposes described in this Privacy Policy, or for so long as is required by law. What is necessary may vary depending on the context and purpose of processing. We generally consider the following factors when we determine how long to retain data (without limitation):

• Retention periods established under applicable law;
• Industry best practices;
• Whether the purpose of processing is reasonably likely to justify further processing;
• Risks to individual privacy in continued processing;
• Applicable data protection impact assessments;
• IT systems design considerations/limitations; and
• The costs associated for continued processing, retention, and deletion.

We will review retention periods periodically and may pseudonymize or anonymize data held for longer periods.

We may change this Policy from time to time. We will post changes on this page. We will notify you of any material changes, if required, via email or notices on our Services. Your continued use of our Services constitutes your acknowledgement of any revised Policy.

U.S. States/California

U.S. States & California Privacy Rights & Choices

Under the California Consumer Privacy Act (“CCPA”) and other state privacy laws, residents of certain U.S. states may have the following rights, subject to regional requirements, exceptions, and limitations:

Confirm

• Right to confirm whether we process your Personal Data.

Access/Know

• Right to request any of following: (1) the categories of Personal Data we have collected, sold/shared, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the purposes for which we collected or sold/shared your Personal Data; (4) the categories of third parties to whom we have sold/shared your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.

Portability

• Right to request that we provide certain Personal Data in a common, portable format.

Deletion

• Right to delete certain Personal Data that we hold about you.

Correction

• Right to correct certain Personal Data that we hold about you.

Non-Discrimination

• California residents have the right to not receive discriminatory treatment as a result of your exercise of rights conferred by the CCPA.

List of Direct Marketers

• California residents may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year (if any).

Submission of Requests

You may submit requests, as follows (please review our verification requirements section). If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at bCompliant@bswift.com. We will respond to any request to appeal within the period required by law.

Categories of Personal Data Disclosed for Business Purposes

For purposes of the CCPA, we have disclosed to Service Providers for “business purposes” in the preceding 12 months the following categories of Personal Data, to the following categories of recipients:

Categories of Personal Data Sold, Shared, or Disclosed for Commercial Purposes

For purposes of the CCPA, we do not “sell” or “share” Personal Data.

Categories of Sensitive Personal Data Used or Disclosed

For purposes of CCPA, we may use or disclose the following categories of Sensitive Personal Data: Government ID Data and Payment Data. We do not sell or share Sensitive Personal Data or use it for purposes other than those listed in CCPA section 7027(m).

EEA/U.K./Switzerland

Controller

The controller of Personal Data relating to residents of the U.K./EEA/Switzerland is: bswift, LLC, 500 Monroe Street, Suite 3800, Chicago, IL 60661.

Rights & Choices

Residents of the EEA, U.K., and Switzerland have the following rights. Please our review verification requirements. Applicable law may provide exceptions and limitations to all rights.

Access

• You may have a right to access the Personal Data we process.

Rectification

• You may correct any Personal Data that you believe is inaccurate.

Deletion

• You may request that we delete your Personal Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.

Data Export

• You may request that we send you a copy of your Personal Data in a common portable format of our choice.

Restriction

• You may request that we restrict the processing of personal data to what is necessary for a lawful basis.

Objection

• You may have the right under applicable law to object to any processing of Personal Data based on our legitimate interests. We may not cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing for direct marketing purposes (we will cease processing upon your objection).

Regulator Contact

• You have the right to file a complaint with regulators about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.

Submission of Requests

Lawful Basis for Processing

International Transfers

We process data in the United States, and other countries where our subprocessors are located. In cases where we transfer Personal Data to jurisdictions that have not been determined to provide “adequate” protections by your home jurisdiction, we will put in place appropriate safeguards to ensure that your Personal Data are properly protected and processed only in accordance with applicable law. Those safeguards may include the use of EU standard contractual clauses, reliance on the recipient’s Binding Corporate Rules program, or requiring the recipient to certify to a recognized adequacy framework.