Citi Privacy

Citi Bank



Effective (Last Updated) March 10, 2026 


Citi Employee Application Privacy Notice – Draft

This Employee Application Privacy Notice (the “Notice”) governs how Citigroup Inc. and our subsidiaries and affiliated companies (collectively, “Citi,” “we,” or “us”) collect, use, and disclose Personal Information (as defined below) from and about users (“you”) of this employee application “The App”). This application is designed to collect only the essential personal data necessary We advise you to read the Notice in its entirety, including the jurisdiction-specific provisions in the appendix to this Notice, which will apply to users in certain jurisdictions. 

  • PERSONAL INFORMATION COLLECTED THROUGH THE SERVICES
  • HOW PERSONAL INFORMATION IS USED
  • HOW PERSONAL INFORMATION IS DISCLOSED
  • STORAGE AND RETENTION
  • INTERNATIONAL DATA TRANSFERS
  • SECURITY
  • YOUR CHOICES
  • CHANGES TO THIS NOTICE
  • CONTACT US
  • APPENDIX

Personal Information Collected Through the Services

  • Details the type of Personal Information we collect and use: The App collects only the following minimal personal information:
    • SOEID (Standard Operating Environment Identifier): Used for authenticating your identity within the App and linking your activity to your employee profile.
    • SSO Password (Single Sign-On Password): Processed securely for authentication purposes to grant you access to the App and integrated services via Single Sign-On. Your actual password is not stored by the App but is securely handled through Citi’s SSO infrastructure.
    • Necessary Cookies: These are small text files placed on your device to ensure the basic functionality and security of the App. They are essential for navigation, maintaining your session, and preventing fraud. These cookies do not track your browsing activity across other applications. 

Information That We Collect About Your Use of the Services

We automatically collect certain information about your use of the App and about the device you use to access the App, which may include: 

  • Information obtained in the course of maintaining or supporting the Services; 
  • If you access the App via your mobile device, we may also collect information about your mobile provider and type of mobile device.

We (and others that control collection of Personal Information) use different technologies to collect this information, including cookies and web beacons. Cookies are small data files stored on your hard drive or in device memory that help us improve our Services and your experience, see which areas and features of our Services are popular, and count visits. Web beacons are electronic images that may be used in our Services or emails and help deliver cookies, count visits, and understand usage and campaign effectiveness. For more information about cookies and how to disable them, please see “Your Choices” below.

How Personal Information Is Used

We use the Personal Information we collect to provide you with access, maintain, and improve the application services. We may also use the Personal Information we collect to:

  • Enable secure access and authentication for the App Users.
  • Ensure the proper and efficient functioning of the App’s features.
  • Maintain the security and integrity of the App and underlying systems.
  • To support compliance with applicable regulatory and governance obligations, including Citi policies and standards and the Code of Ethics, and detect instances of non-compliance;

United States Users of the Citi Workplace App

  • To assess, monitor and report on attendance at Citi premises, ensuring compliance with contractual services requirements, and improving our operational performance.

How Personal Information Is Disclosed

We use and disclose your Personal Information to affiliated Citi entities and to third party service providers, which can include data controllers, as necessary to receive deliverables you provide. 

  • For data analysis, measures, such as to improve the efficiency of Citi systems, networks and applications as well. To measure, monitor and improve operational performance of the application.
  • Immediate supervisors, line managers, matrix managers and designated people in order for them to carry out their activities;
  • service providers that provide hosting services and technology service providers, business process outsourcing service providers, to the extent necessary to provide these services;

Storage and Retention

In general your Personal Information will be held and managed in accordance with the record retention periods applicable to your country of employment or internship, and the nature of the information specified in accordance with Citi Records Management Policy.
 

Personal Information is kept for the period of time that it is needed by Citi in connection with your employment, internship or applicable law.  This includes for the duration of, and following, your employment with us, until the relevant retention period expires as set out in Country Retention Schedules. 

International Data Transfers

Citi maintains computer systems in data centres at locations in various countries throughout the world, which may change from time to time, including Chile, Costa Rica, China, Singapore, Philippines, Brazil, India, Hong Kong, Mexico, and the United States. Citi may collect, store, process, disseminate, or use the minimal Personal Information collected through the App about our Employee App Users in a manner that causes the data to be transferred across borders or accessed from computer systems located or operated in another country owned or operated by or on behalf of Citi (or a third-party vendor to Citi).

Citi complies with applicable legal frameworks relating to the international transfer of Personal Information. For example, for certain jurisdictions, Citi transfers personal information on the basis of determinations by the competent authority that certain countries adequately protect personal information, or use Binding Corporate Rules, Standard Contractual Clauses (SCC), and other valid transfer mechanisms. In certain cases, BCRs and SCCs are accompanied by Transfer Impact Assessments (TIAs) and contractual, operational, and technical measures intended to mitigate any risks that are detected by the TIAs.

Further, for certain jurisdictions, Citi relies on Binding Corporate Rules (BCRs) for the transfer of Workforce Data from those geographies to a number of Citi entities globally which implemented a data security program to comply with BCR commitments. Our principal employment database service providers are Workday, Inc, which operates a private cloud divided in ‘tenancies’ (one per country) that maintains HR information for Data Controllers (except in countries that have data localization requirements). Each tenancy is separated by technical means (including encryption) from information in other ‘tenancies.’ We also use the services of Eightfold AI for advanced analytics and Salesforce for database management.

Security

Citi takes reasonable steps to preserve the security of personal information. All personal information is held in a protected environment with sufficient organisational and technology measures appropriate to a professional financial organisation. We have implemented security controls, procedures and protocols across our different business lines, physical premises, and IT networks to minimize loss, misuse, unauthorized access, modification, or disclosure of personal information. All information shared with external third parties is encrypted during transmission and in storage, and information held internally is protected using security passwords and logons or other security procedures. However, due to the inherent nature or electronic communications, we cannot guarantee the security of personal information outside our networks. You are responsible for maintaining the secrecy of your password and any credentials provided by Citi and supervising your end-user computational devices.

Your Choices

When you visit any app, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of our Services. For additional information on our cookies policy please refer to the Citi Employee Application Cookie Policy

Managing your Cookie preferences

We respect your right to privacy, and you can choose not to allow some types of cookies. You can disable cookies by clicking on the different category headings that is available in the pop-up cookies banner when you first access the site. 

Cookie List 

Strictly Necessary Cookies

Always Active

Allow our services to operate in a secure and reliable manner and provide basic functionalities. These cookies are essential and are used for app operations, navigation and allowing images to load. Strictly Necessary cookies cannot be disabled, and your internet browser will accept them by default. You can set your browser to delete them after each online session or at any time thereafter.

Functional Cookies

These cookies allow the app to remember choices you make, like what language you prefer and your location. Functional cookies can include first-party, third-party, persistent or session cookies. Like Strictly Necessary cookies, Functionality cookies are used to provide services that you request. These cookies can remember preferences to boost the user experience on a app.

Performance Cookies

These cookies collect information about how you use the app, like which pages you visit, and which links you clicked on. Their sole purpose is to improve app functions. This includes cookies from third-party analytic services as long as the cookies are for Citi’s exclusive use.

Targeting Cookies

These are also known as “marketing” cookies. These cookies track online activity to help advertisers deliver more relevant advertising or to limit how many times you see an advertisement. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always of third-party provenance.

Changes to This Notice

From time to time, we may revise this Notice. Changes may be made for any number of reasons, including to reflect industry initiatives, changes in the law, and changes to the scope of the services, among other reasons. You can tell when we last updated the Notice by checking the date at the beginning of the Notice. Any changes will become effective when we post the revised Notice on the app.

Contact Us

If you have any questions about this Notice, please contact us using the contact information listed below.