Privacy Policy for Goldman Sachs Ayco

Effective Date: January 8, 2024

Introduction; What this Privacy Policy Covers; and Notice at Collection

Your privacy is important to us. The purpose of this Privacy Policy is to explain the data collection and privacy practices of our businesses, including in scenarios where we provide services directly to individuals and in the context of programs we offer through a Corporate Partner. This Privacy Policy applies to information collected through our websites that link to this policy (the “Websites”) which include: www.ayco.com, wellness.ayco.com, and any of our other websites accessible through portal.ayco.com; any of our mobile applications associated with the Websites or which link to this policy (the “Mobile Applications”) which include Goldman Sachs Ayco Mobile, Goldman Sachs Wellness, and all of our other online offerings that post a link to this Privacy Policy, whether accessed via computer, mobile device, email or other technology or any associated content, material, or functionality contained on the Websites or Mobile Applications (together with the Websites and the Mobile Applications, collectively, the “Services”), as well as information collected from you offline in connection with the services we provide to you.

These links will take you to sections of this Privacy Policy explaining the following topics and, together with the information contained in the below sections, constitute our Notice of Collection:

• The categories of personal information we collect;
• The purposes for which personal information are collected and used;
• Whether we sell or share, as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), personal information and a description of your right to opt out; and
• The criteria we use to determine how long to retain personal information.

Other Privacy Disclosures

If you have applied for, or have or previously had one of our consumer products, our GLBA Consumer Privacy Notice, https://www.goldmansachs.com/privacy-and-cookies/docs/PFMG_Privacy_Notice.pdf will apply to you. This provides more information about how we collect and share your personal information and outlines certain choices you may have. If there is a conflict between this Privacy Policy and any privacy notice, disclosure, policies, or terms related to any consumer product, the privacy notice, disclosure, polices or terms relating to the consumer product will govern.

Other Goldman Sachs Relationships

If you have other relationships with Goldman Sachs that are not covered by this Privacy Policy, please visit the Goldman Sachs Privacy and Cookies Website, https://www.goldmansachs.com/privacy-and- cookies/index.html, for more information about how your personal information is processed and to understand your rights and choices for those services.

Important Terms

We want you to understand the following defined terms that we use throughout this Privacy Policy, when we use:

• "Goldman Sachs,” “we,” “us” or “our”, we mean:
  • The Ayco Company, L.P.  (“Goldman Sachs Ayco”) and Mercer Allied Company, L.P. (a limited purpose broker-dealer) (along with its affiliated insurance agencies, The Ayco Services Agency, L.P., The Ayco Services Insurance Agency, Inc.) (“Mercer”), inclusive of investment advisory services provided by and investment funds managed by Goldman Sachs Asset Management L.P.; and
  • their affiliates, including but not limited to Goldman Sachs Bank USA, Goldman Sachs & Co. LLC., and Goldman Sachs Asset Management L.P., and their respective agents and assigns worldwide.
• “you” or “your”, we mean any user of the Services.
• “Corporate Partner”, we mean corporate sponsor of Goldman Sachs Ayco services on behalf of their employee participants.
• “affiliate”, we mean companies related by common ownership or control.
• “including” or “includes,” we mean “including but not limited to” or “includes but not limited to.”

Personal Information We Collect and Generate

We may collect or generate personal information about you, or a third party acting upon your instruction, in a number of ways and from a number of sources depending on the Services and the relationship we have with you. For example:

• Before you interact with us, we may collect data from: (i) our Corporate Partners, and (ii) when we obtain information to identify marketing prospects from our affiliates and third parties;
• While applying, signing up, or otherwise establishing an account or engaging us to provide services, and over the course of your relationship with us, you provide information directly to us and may give us permission to obtain it from third parties (such as your CPA, attorney, account custodian, other advisers, or websites with your information), and we may collect information about you from third parties such as data analytics providers, the public domain, credit reporting agencies, identity verification and fraud prevention services and government entities, and we also may generate new information about you;
• When you communicate, and interact with us over the phone and online, including via social media or other platforms, we may monitor and record the content of the communications, and collect information about your use and interactions with the Services (such as via the mechanisms described in the “Cookies and Other Tracking Technologies” section below;
• In connection with our marketing and communications, we may collect digital information using cookies, web beacons, or similar tools that we and our Vendors and other third parties have set; and
• When you interact with us via a social media platform, we may collect a copy of the posts and other information, such as account ID or username.

See below for a list of the categories of personal information, along with some descriptions and examples, that we may collect or generate through each of the processes described above:

• Personal Identifiers: This includes first and last name, address, email address, telephone number, identifiers assigned to you for our internal use, signature, photographs, and employee  ID;
• Device and Online Identifiers and Related Information: This includes Internet Protocol address (“IP address”), account user name/log-in, device information, device type, device identifier, and other device information;
• Background Information: This includes date of birth, gender, language, estimated retirement age, marital status, number of financial dependents, household income data, family information, vital records information, and any other information we are required to collect by law and regulation;
• Financial Information: This includes account number(s) and other information regarding accounts with us and at other financial institutions, your authority over, beneficial interest in and other information about entities you are associated with that hold accounts with us, public and private company affiliations, source of wealth information, expected activity within your account, investor qualifications, investment goals and experience, net worth and liquidity needs, income, credit scores, litigation and bankruptcy history, tax classification and information, employee benefit information, beneficiary designations, internal assessments about your financial biases, Powers of Attorney, wills and other estate planning documents, attorney/CPA information, life insurance information and other information regarding your financial circumstances;
• Government Identifiers: This includes Social Security number, tax identification number, national identification number, other government-issued identification number (such as driver’s license, tribal card, passport, or alien registration number);
• Protection Classification Characteristics: This includes age, national origin, citizenship, nationality, marital status, ethnicity, association with senior political officials and/or executives of government owned enterprises;
• Internet, Application, and Network Activity: This includes data related to user activity (e.g., when and how you use the Services and interact with our communications including emails), browsing history, search and clickstream history, online website tracking information, other data related to user activity, and URL referral header information; we may collect this type of information automatically via cookies, pixels, browser web storage, web beacons and similar technologies;
• Location Data: This includes information about your geolocation and your mobile device including a unique identifier for your device; in addition, in some instances, location information can be estimated from your IP address or through your Wi-Fi connection;
• Professional or Employment-Related Information: This includes information about your occupation, title, employer information, employment history, industry affiliations, directorships and other fiduciary titles;
• Medical Information (to the extent that you volunteer it): This includes general health status, disability status (to the extent volunteered by you); information associated with completing an insurance product application in connection with carrier underwriting requirements (e.g., medical and prescription history, doctor names and their attending physician statements and tobacco use); and
• Sensitive Personal Information: Some of the personal information that we collect and generate, and which is described above, is considered sensitive personal information. This includes Social Security, driver’s license, state identification card, and passport numbers; account log-in, financial account, debit card, and credit card numbers in combination with credentials allowing access to an account; geolocation; information relating to your health; and biometric information.

Although you don’t have to supply any of the personal information we request, we may not be able to provide Services to you if you do not.

Personal information does not include information that has been anonymized or aggregated so that it does not identify an individual.

How We Use Personal Information

We collect and use personal information for the following business purposes:

• Administering, operating and managing your relationship with us;
• Understanding your needs and offering services to you;
• Complying with contractual obligations, relevant industry standards, and our policies;
• Authenticating identity;
• Mitigating fraud and enhancing the security of our services
• Contacting and communicating with you, including through push notifications and text messages;
• Conducting marketing activity, such as developing marketing and acquisitions models, identifying marketing recipients, developing marketing collateral and delivering advertisements and marketing communications;
• Responding to and reviewing social media messages or postings about us or our services;
• Presenting third-party products and services we think may be of interest;
• Performing analytics concerning the use of the Services, including responses to our emails and the pages and advertisements that are viewed; and
• Operating, evaluating and improving our business and our services (including assessing and managing risk, fulfilling our legal and regulatory requirements, developing new services, improving and personalizing existing services, and performing accounting, auditing and other internal functions).

We may also use your personal information for any other purpose that we disclose at the time you provide, or when we collect, your information, and other purposes permitted by applicable law.

We may also use data that we collect on an aggregate or anonymous basis for various business purposes, where permissible under applicable laws and regulations.

If your relationship with us ends, we will continue to treat your personal information as described in this Privacy Policy or as set forth in the applicable privacy notice.

To Whom We Disclose Personal Information

We disclose personal information as set forth below:

• Goldman Sachs affiliates: We may disclose personal information to members of the Goldman Sachs family of companies in order to service accounts, improve services or for other purposes permissible under applicable laws and regulations.
• Vendors: We may disclose personal information to non-affiliated companies and partners that perform support services for us, such as data analytics, fraud analysis, identity verification, risk management, security services, advertising and marketing, customer support, mail services, email delivery, information technology, and payment processing.
• Legal process and emergency circumstances: We may disclose personal information to third parties as permitted by, or to comply with, applicable laws and regulations. Examples include responding to a subpoena or similar legal process, protecting against fraud and cooperating with law enforcement or regulatory authorities. We may also disclose information if we believe it is necessary or appropriate to protect our rights, property or safety, or the rights, property or safety of our employees, customers or others, or to enforce our contractual rights.
• Corporate Transactions: In the event of a corporate transaction, such as a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of any or all of our assets or liabilities, some of the personal information that we hold may be among the assets or liabilities transferred to a buyer or other successor. We may also transfer personal information to another entity or its affiliates or service providers in connection with, or during negotiations of, any merger, acquisition, sale of assets or liabilities or any line of business, change in ownership control or financing transaction.

Our Consumer Privacy Notice provides additional information about how we share personal information and choices that you may have.

We also may disclose personal information to others where permissible under applicable laws and regulations or when you provide your consent or direction.

Cookies and Other Tracking Technologies

“Cookies” are small text files that may be placed on your browser when you visit websites. When you quit your browser, some Cookies are stored in your computer’s memory, while some expire or disappear. Cookies allow your browser to remember some specific information that the web server can later retrieve and use.

“Web Beacons”, also known as Internet tags, pixel tags or clear GIFs, are a type of technology placed on a webpage or in an email.  They are generally used to transmit information back to a web server.

We and our vendors use tracking technologies such as cookies, web beacons, session replay, device advertising IDs and similar technologies on the Services for a number of business purposes, such as to monitor our advertising, remember your preferences, personalize your experience, understand how you use and interact with the Services, suggest products tailored to you, for security purposes, to improve the Services, and for marketing campaign performance assessment. These technologies collect information about your browser/device and your use of the Services, such as the time/date of access and time spent on the Services, pages visited, language preferences, whether you open our emails, and other traffic data. You may be able to configure your web browser to decline cookies and/or configure your email client not to load web beacons in emails. Please note that, if you choose to decline cookies, certain features of the Services may not function properly or may not be accessible to you. Please see the “Interest-Based Advertising” and “Do Not Track” sections below for information on the choices we provide regarding Cookies, Web Beacons, and other tracking technologies.

Interest-Based Advertising

Interest-based advertising refers to collecting information about your online activities over time and across different websites, devices, and other online services to deliver advertisements based on online activity. We use interest-based advertising to deliver advertisements and other targeted content to you, including through third-party advertising partners which we may permit to track your visits to the Services. These third parties may use these technologies to collect information about you when you use the Services using the technologies described above. These third parties may collect information about your online activities over time and across different websites and other online services.

Some of the third parties advertising partners that place tracking tools on the Services may be members of organizations or programs that provide choices to individuals regarding the use of their browsing behavior for purposes of targeted advertising. Some of our ads that are displayed on third-party websites will feature an AdChoices icon inside the ad. Clicking on the AdChoices icon inside the ad will provide you an opportunity to opt out of interest-based advertising by the third parties that participate in the program. In addition, you can learn more about the options available to limit these third parties’ collection and use of your information on our websites by visiting: Goldman Sachs Ayco’s opt- out page, https://preferences-mgr.trustarc.com/?pid=gs01&aid=ayco01&type=ayco; and  the websites for the Network Advertising Initiative, https://optout.networkadvertising.org, and the Digital Advertising Alliance, https://optout.aboutads.info. Users of our mobile applications may install the Digital Advertising Alliance’s AppChoices mobile app, available here, https://youradchoices.com/appchoices, and choose to opt out of participating advertising networks’ use of mobile app activity for interest-based advertising purposes.

If you choose to opt-out via the web-based tools, a cookie will be placed on your browser indicating your decision. This cookie is specific to a particular device and browser, so if you use different browsers or devices, you will need to opt-out on each. In addition, because the opt-out is facilitated via cookies, if you clear your cookies you will need to opt-out again. Likewise, mobile app opt-outs via AppChoices are based on your mobile device’s advertising identifier, so if you reset it, you will need to opt-out again via AppChoices.

Additional Technology

We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”), on the Services. Google Analytics uses cookies or other tracking technologies to help us analyze how users interact with and use the Services, compile reports on the Services’ activity and provide other services related to Services’ activity and usage. The technologies used by Google may collect information such as your IP address, time of visit, whether you are a return visitor and any referring website. The information generated by Google Analytics will be transmitted to and stored by Google and will be subject to Google’s privacy policies. To learn more about Google’s partner services and to learn how to opt out of tracking of analytics by Google, click https://www.google.com/policies/privacy/partners/.

We may use Google Maps API and Places API features and content, for example to help auto-complete address information on the Services. By using the Services, you agree to be bound by the then-current Google Maps/Google Earth Additional Terms of Service and Google Privacy Policy. To learn more about Google Maps/Google Earth Additional Terms of Service  and  the  Google  Privacy  Policy,  please  visit https://maps.google.com/help/terms_maps/ and https://www.google.com/policies/privacy/, respectively.

We use Adobe Analytics, a web analytics service provided by Adobe on the Sites. Adobe Analytics uses cookies or other tracking technologies to help us analyze how users interact with and use the Sites, compile reports on the Sites’ activity and provide other services related to Site activity and usage. The technologies used by Adobe may collect information such as your IP address, time of visit, whether you are a return visitor and any referring website. The information generated by Adobe Analytics will be transmitted to and stored by Adobe and will be subject to Adobe’s privacy policies. To learn more about Adobe’s services and to learn how to opt out of tracking of analytics by Adobe, visit https://www.adobe.com/privacy/policy.html.

How We Protect Information

We take the security of personal information, including U.S. Social Security numbers, seriously and work to limit access to personal information to authorized employees, agents, contractors or vendors. We also maintain physical, electronic and procedural safeguards designed to protect the information against loss, misuse, damage or modification and unauthorized access or disclosures while in our possession.

Reporting Security Vulnerabilities

We encourage security professionals to practice responsible disclosure and let us know right away if a vulnerability is discovered with our Services. We will investigate all legitimate reports and follow up if more details are required. Goldman Sachs has engaged with HackerOne to manage all submissions. You can submit vulnerability reports at https://hackerone.com/goldmansachs.

Retention of Personal Information

We retain personal information for varying time periods depending on our relationship with you and the status of that relationship. When determining how long to keep personal information, we take into account our legal and regulatory obligations and our legitimate business interests (such as, managing the Services, preventing fraud, responding to regulatory or supervisory inquiries, and establishing, exercising or defending legal claims, disputes or complaints).

Do Not Track

We do not respond to the “Do Not Track” browser-based signal.  However, our websites are designed to support the Global Privacy Control, described at https://globalprivacycontrol.org/ which you can enable by downloading a participating browser or browser extension.

Linked Websites

Solely for your convenience, the Services may contain certain hyperlinks, QR codes and other functionality that connects with certain sites and applications not provided by us, including social media sites and sites hosted by third party service providers (the “Linked Websites”). We are not responsible for and have no liability for the content, features, products, services, privacy policies or terms of service of any Linked Websites. The fact that we have provided a link to a Linked Website is not an endorsement of that linked Website (including any information or content made available throughout such site) or its owners, sponsors or operators, and we do not make any representations about any Linked Website or any associated products or services. You should read each Linked Website’s privacy policies to understand how any personal information that is collected about you is used and protected.

California Residents

California residents should be aware that this section does not apply to:

• Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and its implementing regulations, the California Financial Information Privacy Act, and the Driver’s Privacy Protection Act of 1994; or
• Other information subject to a CCPA exception.

In the past 12 months, we may have disclosed each category of personal information listed in the “Personal Information We Collect and Generate” section to one or more of the categories of recipients listed in the “To Whom We Disclose Personal Information” section for the business purposes listed in the “How We Use Personal Information” section.

We may create, maintain and use deidentified information of California residents, and if we do, we will not attempt to reidentify that information unless permitted by California law.

Your Rights

California residents have certain rights to their personal information pursuant to the CCPA. These include the right to:

• Information about the personal information that we collect about you and the manner in which we use, process and disclose that information;
• Obtain the specific pieces of personal information that we have collected about you;
• Effective January 1, 2023, correct inaccurate personal information that we maintain about you;
• Delete certain personal information that we have collected from you;
• Opt out of the sale and sharing of your personal information to third parties under certain circumstances; and
• Not be discriminated against as a result of exercising any of the aforementioned rights.

Although we collect certain categories of sensitive personal information as described in the “Personal Information We Collect and Generate” section, we do not use sensitive personal information in ways that the CCPA permits you to limit.

Selling and Sharing

The CCPA requires that we describe disclosures of personal information where:

• We receive monetary or other valuable consideration (i.e., selling, as defined under the CCPA); or
• Effective January 1, 2023, we disclose personal information about you through our website to a third party for cross-context behavioral advertising (i.e., sharing, as defined under the CCPA).

We do not sell, and have not sold in the preceding 12 months, personal information to third parties.

Effective January 1, 2023, We may share, and may have shared in the preceding 12 months, personal information from the “Personal Identifiers”, “Device and Online Identifiers and Related Information”, and “Internet, Application, and Network Activity” categories of personal information with advertising and marketing partners to facilitate the delivery and measurement of cross-context behavioral advertising. To opt-out of sharing, please click the “Your Privacy Choices” link on the footer of the website you are visiting. Please see the “Do Not Track” section to learn how you can use opt-out preference signals and how they are processed.

If you choose to opt out via the web-based tools, a cookie will be placed on your browser indicating your decision. This cookie is specific to a particular device and browser, so if you use different browsers or devices, you will need to opt out on each. In addition, because the opt-out is facilitated via cookies, if you clear your cookies you will need to opt out again.

We do not knowingly sell or share the personal information of minors under 16 years of age.

Exercising Your Rights

If you would like to discuss or exercise your rights to access, delete or correct your personal information, please contact:

• Goldman Sachs Ayco/Mercer at 1-800-587-6544 or at https://www.ayco.com/privacypolicy/california-consumer-privacy-act.html.

The CCPA requires us to verify the requests we receive from you when you exercise certain of the rights listed above. To verify your request, we will check the information you provide us in your request against third party identity verification tools or verified information you have provided to us. As part of this process, we may call you after you submit your request to verify information. You may also designate an authorized agent to exercise certain of the rights listed above on your behalf by providing the authorized representative with power of attorney pursuant to the California Probate Code or by executing other documentation we may require, and the authorized representative may make the request on your behalf by following the instructions above. If an authorized representative submits a request on your behalf, we will contact you to verify that they represent you.

Other Important Information

The Services are not intended for use or view by children under 13 years of age. Consistent with the Children’s Online Privacy Protection Act, we will not knowingly collect any information from children under the age of 13. If you are under the age of 13 do not submit any personal information or use Services.

The Services may only be used in the United States, including its territories, or on a United States military base. If you are using the Services from outside the United States, please be aware that your information may be transferred to, stored or processed in the United States, where our servers are located and our central database is operated. The data protection and other laws of the United States and other countries might not be as comprehensive as those in your country, but please be assured that we take steps to protect your privacy. By using the Services, you understand and consent that your information may be transferred to our facilities and those third parties with whom we share it as described in this Privacy Policy.

Unsubscribe/ Contact Us

If you decide at any time that you no longer wish to receive marketing emails from one of our lines of business, please follow the “unsubscribe” instructions provided in such emails. Please note that even if you unsubscribe, we may continue to send transactional or administrative emails, such as legally required, regulatory, billing, or service notifications. Your device settings may provide functionality to control push notifications that we may send.

If you need to contact us for more information about our Privacy Policy and practices, or because you have questions or concerns, you may do so using the information listed below:

Goldman Sachs Ayco/Mercer
By phone: (866) 325-2215
By email: info@ayco.com

Subject to applicable law, if you communicate with us by telephone, we may monitor and may record the call.

Updates to this Privacy Policy

We may change this Privacy Policy from time-to-time. If we make changes to this Privacy Policy, we will update the “Effective Date” and post to https://www.goldmansachs.com/privacy-and-cookies/docs/PFMG_Privacy_Policy.pdf. Changes to this Privacy Policy will become effective when posted unless indicated otherwise. Your continued use of the Services following the posting of any changes will mean that you accept those changes.