Fidelity Investments Supplier Privacy Policy

Last Updated: May 5, 2023

This Privacy Policy covers our (“Fidelity Investments”, “we”, “us”) relationship with current, former or prospective suppliers (businesses from which Fidelity Investments obtains products and services) and explains how we collect, use and disclose personal information and other information about you (hereafter “You” or “Your”) or the firm you represent or are associated with (“Your Firm”). This Privacy Policy applies to the personal information we obtain through Your use of this website (“Website”) and through Your offline business interactions with us.

How we obtain Personal Information 

As used in this Privacy Policy, “personal information” means information about an individual that is collected or maintained for business purposes and by which the individual can be identified. Please note that information by which an individual cannot be identified (for example, anonymous, de-identified, or aggregate information) is not considered personal information and therefore is not subject to this Privacy Policy. 

We may collect or obtain, either directly or through our services providers, personal information and other information about You when You or Your Firm interact with us. For example, we obtain personal information about You when You or Your Firm:

  • engage with our associates that manage Your business relationship;
  • automatically, via technologies such as cookies when you interact with our Website or electronic communications;
  • communicate with us such as to provide information to us or request information from us;
  • visit our offices or facilities;
  • request or schedule meetings with us;
  • sign up for or participate in a program or event that we make available;
  • participate in our surveys, questionnaires, research or evaluations; or
  • otherwise interact with us. 

We also may obtain personal information about You from other sources. For example, we may obtain personal information about You from the following sources:

  • Your Firm;
  • publicly available sources;
  • other third-party sources;
  • third parties that perform services for us or on our behalf; or
  • other sources with Your consent.

The types of Personal Information we obtain 

The personal information we obtain may include:

  • contact information (such as name, title, email address(es), telephone number(s), postal or other physical address(es)) for You or for others at Your Firm (e.g., billing contacts);
  • IP address and location data (such as data derived from Your IP address, country and zip code);
  • billing and financial information;
  • business profile and practices information used to evaluate Your Firm as a supplier;
  • clickstream data and other information about Your online activities on our Website (such as information about Your devices, browsing actions and usage patterns while on our Website) that we obtain through the use of cookies, web beacons and similar technologies as further described in the section below entitled “Cookies and Similar Technologies”;
  • information related to Your visit of our offices and facilities or Your attendance at meetings or events;
  • where applicable, information necessary to provide you access to our facilities or networks;
  • information that we obtain from publicly available sources;
  • information necessary to provide training to You and other representatives of Your Firm;
  • information contained in content You submit to us (such as through a “Contact Us” feature); and
  • other information we obtain through our Website and offline interactions.

How we use Personal Information 

We may use personal information about You:

  • to manage our relationship with You and Your Firm, including, to negotiate, contract, and fulfill obligations under contracts;
  • to communicate with You and Your Firm, including, in connection with scheduled meetings or events, for transactional purposes (such as communications related to our use of Your Firms’ products and services) and to provide training;
  • to respond to Your inquiries and fulfill requests from You or Your Firm;
  • to facilitate and personalize Your and Your Firms interactions and experiences with us;
  • to operate, evaluate and improve our business (such as by administering, developing, enhancing and improving our products and services; managing our communications and supplier relationships; and performing accounting, auditing, billing, and reconciliation activities);
  • to conduct business analysis, such as projections and to identify operational improvements;
  • to maintain the accuracy and integrity of our records;
  • for quality-control measures;
  • to provide, administer, and enhance our Website;
  • to verify Your identity ;to comply with and enforce relevant industry standards and contractual obligations with our suppliers;
  • to protect the health, safety and security of our employees;
  • for our security purposes, including to detect and prevent fraudulent, malicious or illegal activity, and for risk control and mitigation purposes;
  • to comply with laws and regulations and to fulfill legal, judicial, or contractual requirements; and 

in connection with corporate business transactions, such as a merger or sale of a business.We may combine information collected from You with other sources to help us improve the accuracy of our communications as well as to help expand or tailor our interactions with You or Your Firm.

How we protect information about you 

We implement and maintain physical, administrative, technical and organizational measures designed to protect personal information and we regularly adapt these controls to respond to changing requirements and advances in technology. 

How we share information about you with our affiliates 

We may share information about you, including personal information, within our family of companies. 

How we share information about you with third parties 

We may share certain information about You with the following third parties:

  • Your Firm;
  • service providers and other third parties with which we have a business relationship;
  • government agencies, other regulatory bodies and law enforcement officials;
  • other organizations as permitted or required by law (for example, for fraud prevention or to respond to a subpoena);
  • other third parties, as directed by You or Your Firm;
  • third parties in connection with corporate business transactions, such as a merger or sale of a business; and
  • third parties to complete background checks, as applicable. 

Our service providers are obligated to keep the personal information we share with them confidential and use it only to provide the services specified by us. 

If You or Your Firm choose to use or indicate an interest in using a service that is offered by a third party and made available through us, we may share personal information with that third party in connection with such use or interest in that product or service.

Cookies and similar technologies 

Our Website and our third-party service providers may use cookies and similar technologies (“Cookies”) to support the operation of and maintain our Website. Cookies are small amounts of data that a website with a web browser or application on a visitor's device (for example, computer, tablet, or mobile phone). Cookies help us to collect information about users of our Website, including date and time of visits, pages viewed, amount of time spent using our Websites and or general information about the device used to access our Websites and Services. The cookies on our Website are also used for security purposes and to personalize Your experience, such as customizing Your screen layout. 

Our Website and third-party service providers we hire may use cookies and other technologies, such as web beacons, pixel tags, or mobile device ID, in online advertising as described below. Most browsers and mobile devices offer their own settings to manage cookies. If you use those settings to refuse or delete cookies it may negatively impact Your experience using our Website, as some features and services on our Website may not work properly. For example, you may not be able to sign in and access Your account, or we may not be able to recognize you, Your device, or Your online preferences. Depending on Your device and operating system, you may not be able to delete or block all cookies. 

We may collect analytics data or use third-party analytics tools such as Google Analytics to help us measure traffic and usage trends for our digital offerings and to understand more about the demographics of our users. You can learn more about Google’s practices with Google Analytics by visiting Google’s privacy policy. You can also view Google’s currently available opt-out options.

Third Party Services 

We use a third-party vendor, Supplier.io, to help manage our supplier diversity program. If you choose to submit Your Firms’ information to the Supplier.io database, our Website contains a link to the Supplier.io website. We are not affiliated with, nor do we control, Supplier.io. This Privacy Policy does not address the privacy, security, cookie policy and settings, or other practices of Supplier.io, and we are not responsible for the privacy practices or the content of Supplier.io. Consult the Supplier.io privacy policy for additional information on their privacy practices and advertising opt-out instructions.

Children's privacy 

Our Website is not directed to individuals under the age of thirteen (13). We do not intentionally collect information on our Website from those we know are under thirteen, and we request that these individuals do not provide personal information through our Website.

Updates 

We may change this Privacy Policy at any time. When we make changes to this Privacy Policy, we will change the “Last Updated” date specified at the beginning of this Privacy Policy. All changes shall be effective from the date the updated Privacy Policy is published, unless otherwise specifically stated in the updated Privacy Policy. We encourage You to review this Privacy Policy on a regular basis so that you will be aware of any changes to it.

Additional Information for California Residents 

This section is provided for purposes related to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CPRA”) and applies solely to the personal information that IS subject to the CPRA. As used in this section, “personal information” means information that meets the definition of “personal information” as set forth in the CPRA and is not otherwise excluded from the scope of the CPRA.

Your Rights Under the CPRA 

The CPRA gives certain rights to California residents and imposes certain obligations on those businesses that are subject to the CPRA. As required by the CPRA, set forth below is a description of certain rights that California residents generally have under the CPRA. As used below, a “consumer” means a resident of the State of California and a “covered business” means a business that is subject to the CPRA.

  • Right to Know/Right to Access. A consumer has the right to request that a covered business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of information the business has collected. A consumer also has the right to request that a covered business that collects a consumer’s personal information disclose to that consumer the following: 
    1. The categories of personal information it has collected about that consumer 
    2. The categories of sources from which the personal information is collected 
    3. The business or commercial purpose for collecting, selling or sharing (if applicable) personal information; 
    4. The categories of third parties to whom the covered business discloses personal information; and 
    5. The specific pieces of personal information that the covered business has collected about that consumer. These disclosures are not required to include any information about activity that occurred prior to January 1, 2022. Please also note that a covered business is not required to honor more than 2 of these requests from the same consumer during any 12-month period.
  • Right to Delete. A consumer has the right to request that a covered business delete any personal information that the business has collected from the consumer, subject to certain exceptions.
  • Right to Correct. A consumer has the right to request that a covered business correct inaccurate personal information that a business maintains about a consumer.
  • Right to Opt-Out of Sale/ Sharing. If a covered business sells or shares personal information, a consumer has the right to opt-out of the sale or sharing of their personal information by the business.
  • Right to Limit Use and Disclosure of Sensitive Personal Information. If a covered business uses or discloses sensitive personal information for reasons other than those set forth in the CPRA, a consumer has the right to limit the use or disclosure of sensitive personal information by the business.
  • Non-Discrimination. A consumer has the right not to receive discriminatory treatment by the covered business for the exercise of privacy rights conferred by the CPRA.

Categories of personal information we may collect about you 

We may collect the following categories of personal information about you:

  • Personal identifiers, such as Your name, postal address, email address, online identifier, internet protocol address, or other similar identifiers;
  • Information covered by California’s records-destruction law (California Civil Code §1798.80);
  • Characteristics of protected classifications under California or federal law, such as gender;
  • Commercial information, including products or services you provide to Fidelity Investments;
  • Internet or other electronic network activity information, including, but not limited to, browsing history and search history while using our Websites, and other information regarding Your interactions with our Websites;
  • Audio, electronic, visual, and similar data;
  • Professional or employment-related information, such as job title and business contact information;
  • Geolocation information; and
  • Sensitive personal information such as government issued ID. 

The retention periods for data elements within each category listed above vary depending on the nature of the data element and the purposes for which it is collected and used. Our retention period for the data elements within each category is set based on the following criteria: (1) the length of time that the data is needed for the purposes for which it was created or collected, (2) the length of time the data is needed for other operational or record retention purposes, (3) the length of time the data is needed in connection with our legal, compliance and regulatory requirements, for legal defense purposes and to comply with legal holds, (4) how the data is stored, (5) whether the data is needed for security purposes and fraud prevention, and (6) whether the data is needed to ensure the continuity of our products and services.

Categories of sources from which personal information is collected 

Please see the section above entitled “How we obtain Personal Information” for a description of the sources from which we collect Your personal information.

Why we collect personal information 

Please see the section above entitled “How we use Personal Information” for a description of the business or commercial purposes for which we collect personal information, including sensitive personal information. 

Categories of personal information disclosed for business purposes 

Depending on the nature of Your interactions with us, we disclose to third parties for business purposes the personal information that is encompassed by one or more of the categories described in the “Categories of personal information we may collect about you” section above, with the categories of third parties listed in the section above entitled “How we share information about You with third parties”.

Other information about our handling of personal information 

Please note that we do not “sell” or “share” (as defined in the CPRA) personal information about You to any third party and have not done so at any time during the 12-month period preceding the date this Privacy Policy was last updated. In addition, we do not sell or share personal information of minors under 16 years of age. 

Because we do not sell or share personal information, Fidelity Investments does not have any obligation under the CPRA to accept CPRA requests requesting that Fidelity Investments not sell or share a consumer’s personal information.

CPRA Exemptions 

Please note that certain types of personal information collected or maintained by a covered business are exempt from the CPRA. For example, a covered business has limited obligations, or in some cases, no obligations, under the CPRA with regard to the following types of personal information:

  • Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations, or pursuant to the California Financial Information Privacy Act (Division 1.4 [commencing with Section 4050] of the California Financial Code) 

Medical information governed by the Confidentiality of Medical Information Act or protected health information that is collected by a covered entity or business associate pursuant to the Health Insurance Portability and Accountability Act of 1996.

In addition, some businesses are not subject to the CPRA, such as:

  • A business that does not do business in the State of California;
  • A business that is not organized or operated for the profit of financial benefit of its shareholders or other owners;
  • A business that does not determine the purposes and means of the processing of consumers’ personal information; and
  • A business that has annual gross revenue of $25,000,000 or less 

Furthermore, under the CPRA, there are a number of situations where a covered business under the CPRA may refuse to honor a CPRA request to delete a consumer’s personal information and is allowed to continue to maintain the personal information. Some examples include situations where retention of the personal information is reasonably necessary to:

  • Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer or reasonably anticipated within the context of the covered business’s ongoing business relationship with the consumer, or otherwise perform a contract between the Fidelity company and the consumer;
  • Help to ensure security and integrity to the extent the use of the personal information is reasonably necessary and proportionate for those purposes;
  • Debugging to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided by law;
  • To enable solely internal uses that are reasonably aligned with consumer expectations based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information; and
  • Comply with a legal obligation. 

Please note that the description of the CPRA set forth in this Privacy Policy is a summary of only certain aspects of the CPRA and is not and should not be considered a complete description of the CPRA. In addition to what is described above, the CPRA includes other exemptions that apply to particular types of personal information and particular businesses, as well as additional situations where a covered business is not required to honor a consumer’s request to delete the consumer’s personal information.

Submitting a CPRA Request 

If you wish to submit a CPRA request to us, please email privacyrightsrequests@fmr.com explaining your request and a representative will contact you with further instructions. You may also call 800-343-3548 to submit a CPRA request. Before submitting Your request, please ensure You have reviewed all the CPRA exemptions, including those described above under the section entitled “CPRA Exemptions”. 

You should generally expect to receive a response within 45 days of the date we receive Your request. However, in some instances, we may require an additional 45 days to process Your request in which case we will notify You and explain why the extension is necessary. 

We will need to verify Your identity before we can process Your request. Through the request process, we will make You aware of any information that You will need to provide to us to process Your request. You may have to confirm that You are a California resident and verify Your identity or the identities of those authorized to submit requests on Your behalf. Additionally, the information You provide will be used to help verify Your identity. 

To understand how You can designate an authorized agent with the ability to make a request under the CPRA on Your behalf, please refer to our California Privacy Rights Request page.