Effective Date: March 25, 2020

This Privacy Notice for California Residents (“Privacy Notice”) supplements the information contained in Citadel Securities’ Privacy Policy and provides eligible California residents with specific rights with respect to our collection, retention, and use of Personal Information. Any terms not defined in this section have the same meaning as defined in the CCPA.

A. Information we collect:

In the course of our business, we collect information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“Personal Information”). Depending on how you have interacted with us, we may have collected the following categories of Personal Information from you in the last twelve (12) months, which we may also share with third parties for the purposes outlined in this Privacy Notice. The categories below are those identified in the California Consumer Privacy Act (CCPA).

Please note that we have not collected every type of Personal Information identified in the Examples below, and the types of Personal Information we have collected on any consumer depends on how the consumer has interacted with us.

table, th, td {
border: 1px solid black;
padding:10px;
}

Category	Examples	Collected?
Identifiers.	This category may include: name, postal address, unique personal identifiers, online identifiers, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. Under the CCPA, “unique identifiers” or “unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.	YES
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) and protected classification characteristics under California or federal law.	This category may include: name, signature, Social Security number, physical characteristics, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education or employment information, financial account numbers, medical information, health insurance information, age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex and gender information, veteran or military status, or genetic information.	YES (for certain participants in Citadel trading programs, prospective employees and job applicants)
Commercial information.	This category may include: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	YES
Biometric information.	This category may include: imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a face print, a minutiae template, or a voiceprint, can be extracted.	NO
Internet or other electronic network activity information.	This category may include: browsing history, search history, and information regarding interactions with an Internet Web site, application, or advertisement. Citadel does make reasonable efforts to respect Do Not Track settings in browsers.	YES
Geolocation data.	This category may include: physical location or movements of your device or if you share the information with us at an event.	YES
Sensory data.	This category may include: audio, electronic, visual, thermal, olfactory, or similar information.	NO
Professional or employment-related information.	This category may include: current or past job history or performance evaluations.	YES
Non-public education information	This category may include: education records directly related to a student maintained by an educational institution or party acting on its behalf (e.g., grades, transcripts, schedules, and student ID numbers).	YES (for prospective employees, consultants or contractors)
K. Inferences drawn from other personal information.	This category may include: inferences drawn from the above information that may reflect your preferences, characteristics, predispositions, behavior, interests, attitudes, or similar behavioral information.	YES

Please note that some of the categories of personal information described in the CCPA overlap with each other; for instance, your name is both an Identifier and a type of data described in Cal. Civil Code 1798.80(e).

Personal information does not include publicly available information from government records or any deidentified or aggregated consumer information. In addition, the CCPA excludes the following from its scope: health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

B. Use and Sharing of Personal Information:

We may use or disclose the personal information we collect for the purposes described in the “Information Use” and “Information Sharing” Sections above.

In the preceding twelve (12) months, Citadel has disclosed the following categories of personal information for a business purpose: identifiers; California Customer Records personal information categories; protected classification characteristics under California or federal law; internet or other similar network activity; geolocation data; professional or employment-related information (for prospective employees, contractors or consultants); non-public education information (for prospective employees only); and inferences drawn from other personal information.

C. Sales of Personal Information:

In the preceding twelve (12) months, Citadel has not sold personal information.

D. Your Rights & Choices:

The CCPA provides eligible California residents with specific rights with respect to our collection, retention, and use of Personal Information.

(a) Right to Know About Personal Information Collected, Disclosed, or Sold

You have the right to request that we provide certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Specifically, you have the right to request disclosure of the categories of Personal Information and specific pieces of Personal Information we have collected about you over the last 12 months. Upon the submission of a verifiable consumer request (see Exercising your California Privacy Rights, below), we will disclose to you:

the categories of Personal Information we collected about you;
the categories of sources from which Personal Information was collected;
the business or commercial purpose for collecting Personal Information;
the business or commercial purpose for disclosing or selling Personal Information; and
the categories of third parties with whom we sold or disclosed Personal Information for a business purpose.

We will also provide the specific pieces of Personal Information we collected about you, subject to certain exceptions under applicable law, if you also request access to such information.

We do not provide these access and data portability rights for B2B personal information.

(b) Right to Request Deletion of Personal Information

You also have the right to request that we delete Personal Information that we have collected and maintain about you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will conduct a reasonable search of our records in order to locate any Personal Information we have collected about you that is eligible for deletion, and delete such Personal Information. To the extent we have shared any Personal Information collected about you with service providers that is eligible for deletion, we will direct those service providers to delete that Personal Information as well. For the sake of clarity, however, Citadel may not be able to comply entirely with your request to delete all of your Personal Information as set forth under the CCPA. Specifically, we are not required to delete any PI we have collected about you that is necessary for us and our service provider(s) to:

Complete the transaction for which the PI was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract with you.
Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
Debug to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent.
Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us.
Comply with a legal obligation, such as retaining records for a period of time as set out in local, state, or federal laws.
Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided your information.

Following a deletion request, any Personal Information about you that was not deleted from our systems due to the above exceptions will only be used for the purposes provided for by the applicable exceptions. Thus, all Personal Information about you that is not subject to a deletion exception will either be (1) permanently deleted on our existing systems (with the exception of archived or back-up systems maintained for emergency disaster recovery and business continuity purposes); (2) de-identified; or (3) aggregated so as to not be personal to you.

We do not provide these access and data portability rights for B2B personal information.

(d) Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights

We will not discriminate against you for exercising any of your privacy rights. Unless permitted by applicable law, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

(e) Exercising Your California Privacy Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

Emailing us at [email protected]
Calling us at +1-833-548-0389

Requests to exercise your rights under the CCPA require verification of your identity, and may be made only by you, your parent or guardian (if you are under 18 years of age), a person to whom you have given power of attorney pursuant to California Probate Code sections 4000 to 4465, or an authorized agent that is registered with the California Secretary of State. If a parent or guardian is submitting a request on behalf of a minor, the parent or guardian must submit proof that they are the parent or guardian of the subject consumer, and must verify the consumer’s identity (e.g., provide a notarized letter). If someone with power of attorney is making a request on behalf of a consumer, they must verify the individual consumer’s identity and submit documentation establishing the power of attorney. If an authorized agent is submitting a request on behalf of a consumer, they must verify the individual consumer’s identity, provide written permission from the consumer to submit the request on the consumer’s behalf, and submit documentation establishing registration with the Secretary of State. If Citadel cannot verify that the requestor is authorized by the consumer to act on such consumer’s behalf, Citadel is not obligated to provide information or respond to the request. If you have any questions about making a request on behalf of another consumer, please email us at [email protected].

Your verifiable consumer request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Information or that you are an authorized representative of such person. We will not respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. While we may ask for Personal Information to verify the requestor or consumer’s identity when making a request, we will only use that Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. Making a verifiable consumer request does not require you to create an account with us. Additionally, you may only make a verifiable consumer request for access twice within a 12-month period.

(f) Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Within ten (10) business days of receiving the request, we will confirm receipt and provide information about our verification and processing of the request. Citadel will maintain records of consumer requests made pursuant to the CCPA as well as our response to said requests for a period of at least twenty-four (24) months.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. If you have an account with us, we may require you to take delivery of our written response through that account. If you do not have an account with us, we will deliver our written response electronically, though you may alternatively choose to receive delivery by mail. The response will also explain the reasons we cannot comply with a request, if applicable. Requests for the specific pieces of information that we have collected about you will be sent in a portable, readily useable format that you may transmit to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

(g) Your Rights Under “Shine the Light”

In addition to your rights under the CCPA, California Civil Code Section 1798.83 permits California residents to request information regarding our disclosure, if any, of their Personal Information to third parties for their direct marketing purposes. To make such a request, please either email us or write to us using our information provided in the “Contact Us” section above.

Non-affiliated third parties are independent from Citadel and if you wish to receive information about your disclosure choices or stop communications from such third parties, you will need to contact those non-affiliated third parties directly.