Skip to main content
Public home
Privacy Policy

Citi Employee Application Privacy Notice

Effective (Last Updated) April 13, 2026

This Employee Application Privacy Notice (the "Notice") governs how Citigroup Inc., its subsidiaries and affiliated companies (collectively, “Citi,” “we,” or “us”) collect, use, and disclose Personal Information (as defined below) from and about users (“you”) of this employee application (“The App”). This application is designed to collect only essential personal data necessary for its correct performance. We advise you to read the Notice in its entirety, including the jurisdiction-specific provisions in the appendix which will apply to users in certain jurisdictions.

This Notice does not replace other privacy notices that may be applicable through those interactions, nor other notices issued for specific contracts or purposes. As an employee other privacy notices may apply to address interactions between you and Citi. For example the Global Workforce Member Privacy Notice.

  • PERSONAL INFORMATION COLLECTED THROUGH THE SERVICES
  • HOW PERSONAL INFORMATION IS USED
  • HOW PERSONAL INFORMATION IS DISCLOSED
  • STORAGE AND RETENTION
  • INTERNATIONAL DATA TRANSFERS
  • SECURITY
  • COOKIED AND TRACKERS
  • CHANGES TO THIS NOTICE
  • CONTACT US
  • APPENDIX

Personal Information Collected Through the Services

Details the type of Personal Information we collect and use: The App collects only the following minimal personal information:

Categories of Personal Information

  • Identifiers such as your SOEID and SSO password
    • Sources: From your use of the app
    • Purposes of Processing: Processed securely for authentication purposes to grant you access to the App and integrated services via Single Sign-On. Your actual password is not stored by the App but is securely handled through Citi's SSO infrastructure.
    • Lawful basis: Contract Necessity (1st), Legitimate interest where available (2nd)
  • Approximate Geolocation Data derived from your IP address
    • Sources: From your use of the app
    • Purposes of Processing: To ensure that the apps/services function properly and otherwise administering and improving them, identifying usage trends, and expanding our business activities;
    • Lawful basis: Consent (1st), Legitimate interest, where available (2nd)
  • Internet or other electronic network activity information
    • Sources: From your use of the app
    • Purposes of Processing: To monitor user interaction with the app
    • Lawful basis: Legitimate interest (1st), Contract Necessity (2nd)
  • Device details – such as phone model, operation system, screen size
    • Sources: From your use of the app
    • Purposes of Processing: For the correct operation and display of our App and to improve user experience
    • Lawful basis: Contract Necessity (1s), Legitimate interest

Information That We Collect About Your Use of the Services

We collect your podcast listening data in order to understand listening engagement, episode popularity and to improve user experience This data is collected in an aggregated non-personally identifiable format.

How Personal Information Is Used

We use the Personal Information we collect to provide you with access, maintain, and improve the application services. We may also use the Personal Information we collect to:

  • Enable secure access and authentication for the App Users.
  • Ensure the proper and efficient functioning of the App's features and improve user engagement and experience
  • Maintain the security and integrity of the App and underlying systems.
  • To support compliance with applicable regulatory and governance obligations, including Citi policies and standards and the Code of Ethics, and detect instances of non-compliance;
  • We process data related to use of the Workplace App at Citi premises in our locations in Florida and Texas, for the purposes of reporting best practice workplace etiquette. We will amend this notice if this purpose is extended to other locations.

How Personal Information Is Disclosed

We use and disclose your Personal Information to affiliated Citi entities as necessary to receive deliverables you provide.

  • For data analysis, measures, such as to improve the efficiency of Citi systems, networks and applications as well. To measure, monitor and improve operational performance of the application.
  • service providers that provide hosting services and technology service providers, business process outsourcing service providers, to the extent necessary to provide these services.
  • Immediate supervisors, line managers, matrix managers and designated people in order for them to carry out their activities; related specifically to the Citi Workplace App.

Storage and Retention

Your Personal Information will be held and managed in accordance with the record retention periods where your data is collected . We delete temporary logs after 30 days and other information approximately 1 year from its collection. Digital records used for technical support and incidents are retained for a period of 6 years after their creation. Additionally, we may retain certain information for the retention period applicable to your contract of employment, in accordance with Citi Records Management Policy.

International Data Transfers

Citi maintains computer systems in data centres at locations in various countries throughout the world, which may change from time to time, including Chile, Costa Rica, China, Singapore, Philippines, Brazil, India, Hong Kong, Mexico, and the United States. Citi may collect, store, process, disseminate, or use the minimal Personal Information collected through the App about our users in a manner that causes the data to be transferred across borders or accessed from computer systems located or operated in another country owned or operated by or on behalf of Citi (or a third-party vendor to Citi).

Citi complies with applicable legal frameworks relating to the international transfer of Personal Information. For example, for certain jurisdictions, Citi transfers personal information on the basis of determinations by the competent authority that certain countries adequately protect personal information (Adequacy Decisions), or use Binding Corporate Rules (BCRs) , Standard Contractual Clauses (SCC), and other valid transfer mechanisms. In certain jurisdicitions, BCRs and SCCs are accompanied by Transfer Impact Assessments (TIAs) and contractual, operational, and technical measures intended to mitigate any risks that are detected by the TIAs.

Security

Citi takes reasonable steps to preserve the security of personal information. All personal information is held in a protected environment with sufficient organisational and technology measures appropriate to a professional financial organisation. We have implemented security controls, procedures and protocols across our different business lines, physical premises, and IT networks to minimize loss, misuse, unauthorized access, modification, or disclosure of personal information. All information shared with external third parties is encrypted during transmission and in storage, and information held internally is protected using security passwords and logons or other security procedures. However, due to the inherent nature or electronic communications, we cannot guarantee the security of personal information outside our networks. You are responsible for maintaining the secrecy of your password and any credentials provided by Citi and supervising your end-user computational devices.

Cookies and Trackers

We use essential or strictly necessary cookies to make the app work. These include core or essential analytics that are needed to safeguard the security and lawful use of the app.

  • For example , cookies used for storing authentication data, essential to verify a user's identity and allow them to log in, making them necessary for the basic operation and security of the service.

Changes to This Notice

From time to time, we may revise this Notice. Changes may be made for any number of reasons, including to reflect industry initiatives, changes in the law, and changes to the scope of the services, among other reasons. You can tell when we last updated the Notice by checking the date at the beginning of the Notice. Any changes will become effective when we post the revised Notice on the app.

Contact Us

If you have any questions about this Notice, please contact us using the contact information listed below.

Appendix

Additional information for individuals in the European Union and European Economic Area member States (EU/EEA), Switzerland, the United Kingdom, the Bailiwick of Jersey, and other countries with comprehensive Data Protection legislation, similar to the GDPR.

If you are in any EU/EEA European or other applicable jurisdiction in this subtitle, you have certain specific rights and protections under applicable data protection laws in your place of residence. Please read the following paragraphs, which complement the main provisions.

1. Lawful Basis for Processing Personal Data

We process your personal data under the lawful basis of legitimate interest where:

  • We need to use your personal data for the purposes indicated in section "How Personal Information is Used" AND
  • We are not under an obligation to process your personal data.

We find such processing is proportionate and within your expectations when providing your personal data. If we intend to use personal data collected under the lawful basis of legitimate interest, such repurposing shall meet two conditions (a) the new purpose will have to be closely aligned with the original purpose for processing and (b) we will inform you of the new purpose and provide you the ability to opt-out, or decline such further processing, within a certain period.

2. Data Subject Requests and Enforcement of Rights

You have rights with respect to the personal data which Citi holds about you. To request or enforce any of these rights please Contact Us.

You have a right to complain: If after receiving our replies you are dissatisfied with the way that we have processed your personal information or have further concerns, you may complain to our independent Data Protection Officer using the contact details indicated below.

IN EUROPE

  • EU/EEA: Citi EU Data Protection Officer 1 North Wall Quay Dublin D01 T8Y1 Republic of Ireland Email GDPRDPO@citi.com
  • UK:Citi UK Data Protection Officer 40 Bank Street , 9th Floor Canary Wharf London E14 5NR United Kingdom Email: GDPRDPO@citi.com
  • Switzerland: Citi Data Protection Advisor Hardstrasse, 201 8005 Zurich Switzerland swissdataprotectionadviso@citi.com

IN AFRICA

REST OF THE WORLD

  • Australia: Citi Privacy Officer GPO Box 304 Sydney NSW 2001 T: 13 24 84 Email privacy.officer@citi.com
  • Brazil: Para exercer os direitos em relação aos seus Dados Pessoais, favor realizar solicitação por meio do link https://corporateportal.brazil.citibank.com/formularios/lgpd/index.htm
  • Canada: Chief Privacy Officer Quebec Data Protection Officer canada.privacy.office@citi.com
  • Colombia:Si desea presentar una consulta, reclamo o petición de información relacionada con sus datos personales, y/o la protección de éstos por parte de Citibank –Colombia S.A. puede comunicarse a la línea de atención Citiservice 5870000, o en la Sede Principal ubicada en la Cra. 9 A No. 99 – 02, Bogotá – Colombia, DPO: Marcela Jaimes Email DPOColombia@citi.com Citibank Colombia, S.A. Centro de Servicio, Calle 100 Carrera 9ª, No. 99-02. Piso 1. Local 104. Bogota, Colombia
  • Mexico and El Salvador: Para ejercer sus derechos en relación a sus datos personales, puede comunicarse con los Responsables de Datos y Encargados Claves de datos en la siguiente dirección: Citi-Info S. de R.L. de C.V. Moras 850 Acacias, Col. Benito Juarez Ciudad de Mexico, CDMX 03240 Mexico
  • Hong Kong S.A.R.: Citibank, N.A., Data Protection 12/F, Citi Tower, One Bay East, 83 Hoi Bun Road, Kwun Tong, Kowloon, HK.
  • Indonesia: DPO: Wedha Marghaputra Email: Indonesia.Privacy@citi.com
  • Jamaica:DPO Representative in Jamaica Email: DPOJamaica@citi.com Citibank N.A. Jamaica 19 Hillcrest Avenue Kingston 6 Jamaica
  • Philippines:Data Protection Officer 16F, Citi Plaza, 34th Street, Bonifacio Global City Philippines Email: CitiPHDPO@citi.com
  • Saudi Arabia: The Data Protection Officer 20th Floor of Kingdom Tower P.O. Box 301700 Riyadh 11372, Central Province Kingdom of Saudi Arabia Dataprivacysa@citi.com
  • Korea (South):Chief Country Compliance Officer: Han Suk Kim 02-3455-2244
  • Thailand: Data Protection Officer Citibank N.A., Bangkok Branch Interchange 21 Building, 399, Sukhumvit Road, Klongtoey Nua Sub-district, Wattana District, Bangkok, Thailand 10110 Email dpo.officethailand@citi.com Remarks: The above email address is reserved for the contact related to the exercise of Data Subject Rights only.

Data Protection Authorities Contact Information

Under the GDPR and the FADP you also have a legal right to lodge a complaint with Data Protection Authorities. In Europe you may contact:

  • United Kingdom, the Information Commissioner’s Office (ICO) at ico.org.uk

For other jurisdictions please refer to the official government portal.

Additional Information for persons in Nigeria

Data Controller

The Data Controller for Citi Events in Nigeria is Citibank Nigeria Limited (CNL) a commercial bank licensed by the Central Bank of Nigeria, with registered offices at 27 Kofo Abayomi Street, Victoria Island, Lagos, Nigeria. CNL is responsible for the lawful collection, use, processing and disposal of personal data in Nigeria and its lawful transfer across national borders. CNL has ensured that it has appropriate contractual, technical and operational measures in place with its affiliates and parent companies, and any sub-processors of personal data gathered in Nigeria.

You can request or enforce your personal data rights by emailing or writing to the Data Protection Officer at our registered address or by Email to CNL Data Protection Officer at dponigeria@citi.com

Legal Basis for Processing personal information

CNL relies on various lawful basis as permissible by law for the collection and processing of Personal Data in Nigeria and will rely on your consent for the transfer for the transfer of personal information, where appropriate. These will be gathered, for example in the Release of Permission to Record images, sounds or videos.

We may rely on other lawful basis for processing, including for compliance with applicable law or in the public interest recognized in a statute, or if it is necessary for the establishment, exercise or defense of legal claims.

Silence

Your silence will never be assumed to be consent to the processing of your Personal Information.

Your Rights when processing is for Legitimate Interests

Citi shall discontinue the processing of your Personal Information upon your request, unless Citi demonstrates a public interest or other legitimate grounds, which overrides your fundamental rights and freedoms and interests.

Further Protections for Processing of Sensitive Personal Data

Without prejudice to the principles set out in the Nigeria Data Protection Act 2023, Citi shall not process your sensitive personal data, unless:

  1. you have given and not withdrawn consent to the processing for the specific purpose or purposes for which it will be processed;
  2. processing is necessary for the purposes of performing the obligations of Citi or exercising your rights under employment or any other similar laws;
  3. processing is necessary to protect your vital interests or of another person, where the data subject is physically or legally incapable of giving consent;
  4. processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association, or such other non-profit organisation with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes, and the -
    1. processing relates solely to the members or former members of the entity, or to persons, who have regular contact with it in connection with its purposes, and
    2. sensitive personal data is not disclosed outside of the entity without the explicit consent of the data subject;
  5. processing is necessary for the establishment, exercise, or defense of a legal claim, obtaining legal advice, or conduct of a legal proceeding;
  6. processing is necessary for reasons of substantial public interest, since a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject;
  7. processing is carried out for purposes of medical care or community welfare, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality;
  8. processing is necessary for reasons of public health and provides for suitable and specific measures to safeguard the fundamental rights, freedoms and interests of the data subject; or
    1. processing is necessary for archiving purposes in the public interest, or historical, statistical, or scientific research, in each case since a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and freedoms and the interests of the data subject.

Notification of Security Incidents and Breaches

The safety, security and integrity of your personal information are paramount to banking operations. We will promptly notify the Nigeria Data Protection Commissioner and in any case within 72 upon becoming aware of any accidental or intentional damage, alteration, destruction, unauthorized disclosure, loss, misuse, inability to access, extraction or theft of personal information that is stored or processed by Citi, where there is a risk to your rights or freedoms. If the risks are significant, we will also communicate directly with you, providing details of the data exposed to risk, with advice and measures we take to mitigate any adverse effects.

Right to File Claims in Nigeria

In the event that the protection of your Personal Information is compromised or interfered with, you may lodge a complaint with the Nigeria Data Protection Commission No.12 Clement Isong Street, Asokoro, Abuja or info@ndpc.gov.ng.

You may communicate with CNL

Through Citi's Data Protection Officer at Citibank Nigeria Limited, 27, Kofo Abayomi Street, Victoria Island, Lagos, Nigeria or dponigeria@citi.com or,

Through your relationship manager or customer services at https://www.citigroup.com/global/privacy/contact-us

Supplemental provision applicable to California residents

Last Updated and Effective Date: March 26, 2026

This California Supplemental Provision (the “Supplement”) supplements the information contained in the Citigroup.com Privacy Notice (the “Privacy Notice”) and applies solely to residents of California who have rights under the California Privacy Rights Act (“CPRA”) (“consumers” or “you”). Unless otherwise defined in the Privacy Notice, any terms defined in this Supplement have the meaning used in the CPRA.

We do not collect other forms of Personal Information called “sensitive” Personal Information, which are subject to additional protections under applicable data privacy laws. Because we do not collect “sensitive” Personal Information, we do not need to provide a Limit Use and Disclosure of Sensitive Personal Information right under the CPRA.

Summary of Personal Information Handling Practices

We provide in the chart below a summary of our prior 12-month Personal Information handling practices. We do not sell your Personal Information to third parties for monetary consideration. However, we may share your Personal Information with third parties for advertising purposes. We do not have actual knowledge of any collection, use, sale, or sharing of Personal Information of consumers under 16 years of age.

Categories of Personal Information

  • Identifiers such as your SOEID and SSO password
    • Sources: From your use of the app
    • Purposes of Processing such Personal Information: Processed securely for authentication purposes to grant you access to the App and integrated services via Single Sign-On. Your actual password is not stored by the App but is securely handled through Citi's SSO infrastructure.
    • Recipients of Personal Information: (Sold/Shared) We have not sold or shared this information to third parties for monetary or marketing purposes.
  • Approximate Geolocation Data derived from your IP address
    • Sources: From your use of the app
    • Purposes of Processing such Personal Information: To, ensure that the apps/services function properly and otherwise administering and improving them, , identifying usage trends, and expanding our business activities;
    • Recipients of Personal Information: (Sold/Shared) We have not sold or shared this information to third parties for monetary or marketing purpose
  • Internet or other electronic network activity information - such as information collected through cookies
    • Sources: From your use of the app
    • Purposes of Processing such Personal Information: To monitor user interaction with the app
    • Recipients of Personal Information: (Sold/Shared) We have not sold or shared this information to third parties for monetary or marketing purpose
  • Device specs – such as phone model, operation system, screen size
    • Sources: From your use of the app
    • Purposes of Processing such Personal Information: To improve user experience
    • Recipients of Personal Information: (Sold/Shared) We have not sold or shared this information to third parties for monetary or marketing purpose

Retention of Personal Information

We store Personal Information for as long as necessary to carry out the purposes for which we originally collected it and for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.

Your Rights and Choices

The CPRA affords consumers residing in California certain rights with respect to their Personal Information, subject to certain exceptions. Subject to certain limitations, you have the following rights in California:

  1. Right to Delete. You have the right to request us to delete the Personal Information we have collected about you.
  2. Right to Correct. You have the right to request us to correct inaccurate Personal Information we maintain about you.
  3. Right to Know and Access. You have the right to know and access the Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, and the specific pieces of Personal Information we have collected about you.
  4. Data Portability. You have the right to receive the information under right (3) in a format, to the extent technically feasible, that is portable, usable, and allows you to transmit the Personal Information to a person without impediment, where the processing is carried out by automated means.
  5. Right to Opt-Out. You have the right to opt out of certain processing, such as opting out of profiling or our sale or sharing of your Personal Information.
  6. Right to No Discrimination. You have the right not to be discriminated against for exercising any of your privacy rights. This includes us not: (a) denying you goods or services; (b) charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (c) providing you a different level or quality of goods or services; and (d) suggesting to you that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Exercising Your Rights

To exercise your rights described above, please submit a verifiable consumer request to us by either:

Except for the right to opt-out related to selling or sharing your Personal Information, we will need to verify your identity before honoring your privacy right request. Subject to certain limitations, we will honor your privacy rights request within 45 calendar days of receipt of your request, unless we request an extension as permitted by data privacy laws. However, we will honor opt-out of sale and sharing requests within 15 business days.

Authorized Agents

You may exercise your privacy rights through an authorized agent. If we receive your request from an authorized agent, we may ask for evidence that you have provided such agent with a power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf. If you are an authorized agent seeking to make a request, please contact us by either:

Additional Disclosure for California Residents

California law permits residents of California to request certain details about how their information is shared with third parties for direct marketing purposes. If you are a California resident and would like to make such a request, please contact us by either:

Contact Information

If you have any questions about this Supplement, the ways in which we collect and process your Personal Information described in this Supplement, your choices and rights regarding such use, or wish to exercise your rights under the CPRA, please visit Citi Privacy Hub or call us at (833) 971-1191 (TTY: 711).