Privacy notice for California residents

This privacy notice for California residents (notice) supplements the information contained in the privacy notices of The Vanguard Group, Inc. and its U.S. affiliates and subsidiaries (collectively, Vanguard or us), and applies solely to residents of the State of California (you). We provide this notice to comply with the California Consumer Privacy Act, as modified by the California Privacy Rights Act of 2020 (CCPA) and the regulations issued under it; accordingly, this notice addresses the specific requirements of the CCPA and should be read together with the other Vanguard privacy notices that apply based on your relationships with us. Any terms defined in the CCPA have the same meaning when used in this notice; that may differ from what those terms mean when we use them in other policies or disclosures.

1. Summary

The CCPA provides specific privacy rights to California residents, including the right to receive a privacy notice and certain rights you may choose to exercise relating to your personal information. Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household. Personal information does not include aggregate or deidentified information or publicly available information.

This notice does not apply to all personal information we may collect about you. For example, it does not cover information we obtain in connection with providing financial products or services to our Personal Investor clients primarily for personal, family, or household use. Rather, that information is protected under federal law through the Gramm-Leach-Bliley Act. For further information, please review our Personal Investor Privacy Notice. This notice also does not apply to personal information we collect about employees or job applicants. Please see our separate California employee and job applicant notices for more information. 

2. How we collect and disclose personal information

The tables below explain the categories of personal information we collect from California residents generally, the sources of that information, the purposes for which we use the information, and the categories of unaffiliated parties to whom we disclose the information for business or commercial purposes. In the tables, we use the term everyday business purposes to encompass the business purposes defined in the CCPA, as well as the following related purposes for which Vanguard may use personal information:

  • To provide the information, product, or service you request or as you may reasonably expect given the context in which we collect the personal information (such as providing client service, personalization, and preference management; providing updated product and service information; and dispute resolution);
  • For identity and credential management, including identity verification and authentication and system and technology administration;
  • To protect the security and integrity of our systems, networks, applications, and data, including detecting, analyzing, and resolving security threats, and collaborating with cybersecurity centers, consortia, and law enforcement about imminent threats;
  • For fraud detection and prevention;
  • For legal and regulatory compliance, including all uses and disclosures of personal information required by law or reasonably needed for compliance with our policies and procedures, such as: anti-money laundering programs, security and incident response programs, intellectual property protection programs, and corporate ethics and compliance hotlines;
  • For corporate audit, analysis, and reporting;
  • To enforce our contracts and to protect against injury, theft, legal liability, fraud, or abuse, and to protect people or property, including physical security programs;
  • To deidentify personal information or create aggregated datasets, such as for consolidating reporting, research, or analytics;
  • To make back-up copies for business continuity and disaster recovery purposes; and
  • For corporate governance, including mergers, acquisitions, and divestitures. 

Additional information about how we share personal information for cross-context behavioral advertising and your right to opt out is included in Section 8, below.

Categories, sources, and purposes

We collect this type of information from: 

  • You
  • Your employer
  • Independent financial advisors
  • Assigned by us
  • Other financial institutions involved in processing your transactions (for example, your bank)
  • Service providers that help us understand our clients, including data analytics providers, data brokers, data aggregators, and public records providers
  • Automatically, such as when you use our websites or mobile applications
  • Advertising networks
  • Social networks
  • Internet service providers

 

Sample data elements

  • Full name, nicknames, or previous names (such as maiden names)
  • Honorifics and titles, preferred form of address
  • Client ID
  • Mailing address
  • IP address
  • Email address
  • Social Security or other taxpayer identification number
  • Passport number
  • Contact information for related persons, such as authorized users of your account 

Business or commercial purposes for collecting and disclosing the personal information

  • To identify and communicate with you
  • To send transactional and account information (such as statements or confirmations)
  • To send marketing communications, surveys, and invitations
  • To personalize our communications and provide client service
  • For marketing and advertising
  • To better understand our clients and prospective clients and to enhance our relationship information
  • For our everyday business purposes 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as address verification, processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others

Personal Records, including the information described in Cal. Civ. Code § 1798.80(e). We collect this type of information from:

  • You
  • Your employer
  • Other financial institutions involved in processing your transactions (for example, your bank)
  • Service providers that help us understand our clients, including data analytics providers, data brokers, data aggregators, and public records providers
  • Automatically, such as when you use our websites or mobile applications
  • Advertising networks
  • Social networks
  • Internet service providers 

 

Sample data elements

  • Name
  • Signature
  • Social Security or other taxpayer identification number
  • Passport number
  • Address
  • Phone number
  • Driver’s license or state identification card number
  • Insurance policy number
  • Education
  • Employment and employment history
  • Bank account number, credit card number, debit card number, or other financial information
  • Medical information
  • Health insurance information
  • Information concerning family members, beneficiaries, or dependents

 

Business or commercial purposes for collecting and disclosing the personal information

  • To identify you
  • To maintain the integrity of our records
  • For client verification
  • For security and risk management, fraud prevention, and similar purposes
  • For marketing and advertising
  • To better understand our clients and prospective clients and to enhance our relationship information
  •  For our everyday business purposes 

 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as address verification, processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others 

 

We collect this type of information from: 

  • You
  • Service providers that help us understand our clients, including data analytics providers, data brokers, data aggregators, and public records providers
  • Social networks

We may also infer information about you based on information you have given us and on your past interactions with us and other companies. See Inferences below.

Sample data elements

  • Age and date of birth, gender, marital and family status, and languages spoken
  • Household demographic data, including from real estate records and census data 

Business or commercial purposes for collecting and disclosing the personal information

  • To better understand you and to understand our clients generally
  • To design products, services, and programs that may be of interest to our clients
  • To identify prospective clients
  • For internal business purposes, such as quality control, training, and analytics
  • For our everyday business purposes 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as processing transactions, communications, security and fraud prevention, analytics, research and development, call centers, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others

We collect this type of information from: 

  • You
  • Other financial institutions involved in processing your transactions (for example, your bank)
  • Service providers that help us understand our clients, including data analytics providers, data brokers, data aggregators, and public records providers
  • Automatically, such as when you use our websites or mobile applications 

Sample data elements

  • Client account information, transaction history, and related records (such as records of purchases and sales of securities)
  • Client service records
  • Data from public social media profiles, such as Facebook, Twitter, LinkedIn, and similar platforms
  • Hobbies and interests
  • Other records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

Business or commercial purposes for collecting and disclosing the personal information

  • To maintain our business relationship with you, including client service
  • For marketing and advertising
  • To better understand our clients and prospective clients and to enhance our relationship information
  • For recordkeeping and compliance, including dispute resolution
  • For internal business purposes, such as finance, quality control, training, reporting, and analytics
  • For risk management, fraud prevention, and similar purposes
  • For our everyday business purposes 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as processing transactions, technical support, security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others

 

We collect this type of information from: 

  • You and from your devices when you interact with our websites and mobile applications. For example, when you visit our websites, our server logs record your IP address and other information.
  • Automatically, via technologies such as operating systems, cookies, and web beacons, when you visit our websites or mobile applications
  • Service providers, including computer security services, digital advertising providers, and data analytics providers 

 

Sample data elements

  • IP address
  • Device identifiers or other persistent identifiers
  • Online user name
  • Encrypted password
  • Device characteristics (such as browser information)
  • Web server logs
  • Application logs
  • Browsing data and search history
  • First-party cookies
  • Third-party cookies
  • Web beacons, clear GIFs, and pixel tags 

 

Business or commercial purposes for collecting and disclosing the personal information

• For system administration and technology management, including optimizing our websites and applications 

• For information security and cybersecurity purposes, including detecting threats 

• For recordkeeping, including logs and records maintained as part of transaction and interaction information 

• To better understand our clients and prospective clients and to enhance our relationship information, including by associating you with different devices and browsers you may use 

• For marketing and advertising purposes 

• For our everyday business purposes 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

• Service providers that we use to support our business and operations (such as processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)

• Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others 

We collect this type of information from: 

  • You 
  • Automatically, such as when we record calls to our client service center, use CCTV cameras in our facilities, or communicate with you via videoconferencing software 
  • Social media 
  • Data providers that aggregate information you make publicly available, such as on social media sites 

Sample data elements

  • Video images 
  • CCTV recordings 
  • Call center recordings and call monitoring records 
  • Voicemails 
  • Videoconference information
  • Your general geographic location (for example, city, state, and zip code)

Business or commercial purposes for collecting and disclosing the personal information

  • For internal business purposes, such as call recordings used for training, coaching, or quality control 
  • For relationship purposes, such as the use of photos and videos for social media purposes (with your permission) 
  • For premises security purposes and loss prevention 
  • For information security and fraud prevention 
  • To better understand our clients and prospective clients and to enhance our relationship information
  • For our everyday business purposes

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others 

We collect this type of information from: 

  • We determine your general geographic location automatically from your IP address when you use our online services. We collect this information from device operating systems and from data analytics providers. 

Sample data elements

  • Your general geographic location (for example, city, state, and zip code)

Business or commercial purposes for collecting and disclosing the personal information

  • For information security and fraud prevention 
  • To better understand our clients and prospective clients and to enhance our relationship information
  • For our everyday business purposes 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others

We collect this type of information from: 

  • You 
  • Service providers, including companies that help us conduct internal investigations or assist us with identity verification 

Sample data elements

  • Compliance program data, including client screening records, and other records maintained to demonstrate compliance with applicable laws, such as tax laws and anti-money laundering laws
  • Occupational and environmental safety records
  • Records relating to complaints and internal investigations, including compliance hotline reports
  • Records of privacy and security incidents involving personal information, including any security breach notifications

Business or commercial purposes for collecting and disclosing the personal information

  • To comply with and demonstrate compliance with applicable laws 
  • For legal matters, such as litigation and regulatory matters, including for use in connection with civil, criminal, administrative, or arbitral proceedings, or before regulatory or self-regulatory bodies, including service of process, investigations in anticipation of litigation, and execution or enforcement of judgments and orders
  • For our everyday business purposes

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Government agencies, lawyers, auditors, consultants, and other unaffiliated parties as required by law, or when needed to protect our legal rights or those of others

We collect this type of information from: 

  • You 
  • Your employer 
  • Service providers that help us understand our clients, including data brokers and public records providers 

Sample data elements

  • Job title
  • Employer name and industry
  • Date of hire

Business or commercial purposes for collecting and disclosing the personal information

  • To establish and maintain our business relationship with you, including processing purchases and sales of securities in your accounts 
  • For recordkeeping and compliance 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, public relations, social media, marketing services, promotions, call centers, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others

The personal information we collect includes the following categories of sensitive personal information. Note that the sensitive personal information we collect may vary depending on the nature of your interactions with us and may not include all the examples listed below. We do not use or disclose sensitive personal information for purposes to which the right to limit use and disclosure applies under the CCPA.

We collect this type of information from: 

  • You 
  • Your employer 

Sample data elements

  • Social Security or other taxpayer identification number 
  • Passport number 

Business or commercial purposes for collecting and disclosing the personal information

  • To identify you 
  • To maintain the integrity of our records 
  • For client verification 
  • For security and risk management, fraud prevention, and similar purposes 
  • For our everyday business purposes 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  •  Service providers that we use to support our business and operations (such as processing transactions, communications, and security and fraud prevention)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others

We collect this type of information from: 

  • You, including as part of your transaction and interaction information 
  • Payment processors and other financial institutions 
  • Security and fraud prevention service providers 

We may infer financial information about you (such as interest in certain products or services) based on your existing account status and transaction activity.

Sample data elements

  • Bank account number(s) and details 
  • Your account numbers at other financial institutions
  • Payroll information

Business or commercial purposes for collecting and disclosing the personal information

  • To maintain our business relationship with you, including processing purchases and sales of securities in your accounts
  • For recordkeeping and compliance, including dispute resolution 
  • For internal business purposes, such as finance, audits, training, reporting, and analytics 
  • For our everyday business purposes 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as processing transactions, communications, and security and fraud prevention)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others

We create inferred and derived information by analyzing our relationship and transactional information. 

We also obtain inferred and derived information from third-party data suppliers—companies that collect demographic and other personal information to help with firms’ marketing and customer service activities.

Sample data elements

  • Inferences drawn about you from your personal information, such as your preferences, financial products and services that may interest you, and your investing patterns and behaviors 
  • Propensities, attributes, and/or scores generated by internal analytics programs and used for information security and fraud prevention purposes, product and service development and improvement, and marketing 

Business or commercial purposes for collecting and disclosing the personal information

  • To better understand you and to understand our clients generally 
  • To design products, services, and programs that may be of interest to our clients 
  • To identify prospective clients
  • For marketing and advertising 
  • For internal business purposes, such as quality control, training, and analytics 
  • For our everyday business purposes 

Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose

  • Service providers that we use to support our business and operations (such as security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, and web hosting, monitoring, and related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others 
Category and sources of personal information Sample data elements Business or commercial purposes for collecting and disclosing the personal information Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose


Identifiers

We collect this type of information from:

  • You
  • Your employer
  • Independent financial advisors
  • Assigned by us
  • Other financial institutions involved in processing your transactions (for example, your bank)
  • Service providers that help us understand our clients, including data analytics providers, data brokers, data aggregators, and public records providers
  • Automatically, such as when you use our websites or mobile applications
  • Advertising networks
  • Social networks
  • Internet service providers 
  • Age and date of birth, gender, marital and family status, and languages spoken
  • Household demographic data, including from real estate records and census data 
  • To better understand you and to understand our clients generally
  • To design products, services, and programs that may be of interest to our clients
  • To identify prospective clients
  • For internal business purposes, such as quality control, training, and analytics
  • For our everyday business purposes 
  • Service providers that we use to support our business and operations (such as processing transactions, communications, security and fraud prevention, analytics, research and development, call centers, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others


Personal Records, including the information described in Cal. Civ. Code § 1798.80(e)

We collect this type of information from:

  • You
  • Your employer
  • Other financial institutions involved in processing your transactions (for example, your bank)
  • Service providers that help us understand our clients, including data analytics providers, data brokers, data aggregators, and public records providers
  • Automatically, such as when you use our websites or mobile applications
  • Advertising networks
  • Social networks
  • Internet service providers 
  • Name
  • Signature
  • Social Security or other taxpayer identification number
  • Passport number
  • Address
  • Phone number
  • Driver’s license or state identification card number
  • Insurance policy number
  • Education
  • Employment and employment history
  • Bank account number, credit card number, debit card number, or other financial information
  • Medical information
  • Health insurance information
  • Information concerning family members, beneficiaries, or dependents
  • To identify you
  • To maintain the integrity of our records
  • For client verification
  • For security and risk management, fraud prevention, and similar purposes
  • For marketing and advertising
  • To better understand our clients and prospective clients and to enhance our relationship information
  • For our everyday business purposes 
  • Service providers that we use to support our business and operations (such as address verification, processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others 


Characteristics of protected classifications under California or federal law

We collect this type of information from:

  • You
  • Service providers that help us understand our clients, including data analytics providers, data brokers, data aggregators, and public records providers.
  • Social Networks

 

We may also infer information about you based on information you have given us and on your past interactions with us and other companies. See Inferred and derived information below.
  • Age and date of birth, gender, marital and family status, and languages spoken

Household demographic data, including from real estate records and census data 
  • To better understand you and to understand our clients generally
  • To design products, services, and programs that may be of interest to our clients
  • To identify prospective clients
  • For internal business purposes, such as quality control, training, and analytics
  • For our everyday business purposes 
  • Service providers that we use to support our business and operations (such as processing transactions, communications, security and fraud prevention, analytics, research and development, call centers, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others (approx. 3,000-4,000 stocks)


Commercial infomation

We collect this type of information from:

  • You
  • Other financial institutions involved in processing your transactions (for example, your bank)
  • Service providers that help us understand our clients, including data analytics providers, data brokers, data aggregators, and public records providers
  • Automatically, such as when you use our websites or mobile applications
  • Client account information, transaction history, and related records (such as records of purchases and sales of securities)
  • Client service records
  • Data from public social media profiles, such as Facebook, Twitter, LinkedIn, and similar platforms
  • Hobbies and interests
  • Videoconference information
  • Other records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • To maintain our business relationship with you, including client service
  • For marketing and advertising
  • To better understand our clients and prospective clients and to enhance our relationship information
  • For recordkeeping and compliance, including dispute resolution
  • For internal business purposes, such as finance, quality control, training, reporting, and analytics
  • For risk management, fraud prevention, and similar purposes
  • For our everyday business purposes
  • Service providers that we use to support our business and operations (such as processing transactions, technical support, security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others


Internet or other electronic network activity information

We collect this type of information from:

  • You and from your devices when you interact with our websites and mobile applications. For example, when you visit our websites, our server logs record your IP address and other information.
  • Automatically, via technologies such as operating systems, cookies, and web beacons, when you visit our websites or mobile applications
  • Service providers, including computer security services, digital advertising providers, and data analytics providers
  • IP address
  • Device identifiers or other persistent identifiers
  • Online user name
  • Encrypted password
  • Device characteristics (such as browser information)
  • Web server logs
  • Application logs
  • Browsing data and search history
  • First-party cookies
  • Third-party cookies
  • Web beacons, clear GIFs, and pixel tags
  • For system administration and technology management, including optimizing our websites and applications
  • For information security and cybersecurity purposes, including detecting threats
  • For recordkeeping, including logs and records maintained as part of transaction and interaction information
  • To better understand our clients and prospective clients and to enhance our relationship information, including by associating you with different devices and browsers you may use
  • For marketing and advertising purposes
  • For our everyday business purposes
  • Service providers that we use to support our business and operations (such as processing transactions, communications, security and fraud prevention, analytics, research and development, call centers, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others


Audio, electronic, visual, thermal, olfactory, or similar information information

We collect this type of information from:

  • You
  • Automatically, such as when we record calls to our client service center, use CCTV cameras in our facilities, or communicate with you via videoconferencing software
  • Social media
  • Data providers that aggregate information you make publicly available, such as on social media sites 
  • Video images
  • CCTV recordings
  • Call center recordings and call monitoring records
  • Voicemails
  • Videoconference information
  • Your general geographic location (for example, city, state, and zip code)
  • For internal business purposes, such as call recordings used for training, coaching, or quality control
  • For relationship purposes, such as the use of photos and videos for social media purposes (with your permission)
  • For premises security purposes and loss prevention
  • For our everyday business purposes
  • For information security and fraud prevention
  • To better understand our clients and prospective clients and to enhance our relationship information
  • Service providers that we use to support our business and operations (such as processing transactions, communications, technical support, security and fraud prevention, research and development, public relations, social media, marketing services, promotions, call centers, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others
  • ·Service providers that we use to support our business and operations (such as processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)


Geolocation data

  • We determine your general geographic location automatically from your IP address when you use our online services. We collect this information from device operating systems and from data analytics providers.
  • Your general geographic location (for example, city, state, and zip code)
  • For information security and fraud prevention
  • To better understand our clients and prospective clients and to enhance our relationship information
  • For our everyday business purposes 
  • Service providers that we use to support our business and operations (such as processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, call centers, web hosting, monitoring and related services, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others


Compliance data

We collect this type of information from:

  • You
  • Service providers, including companies that help us conduct internal investigations or assist us with identity verification 
  • Compliance program data, including client screening records, and other records maintained to demonstrate compliance with applicable laws, such as tax laws and anti-money laundering laws
  • Occupational and environmental safety records
  • Records relating to complaints and internal investigations, including compliance hotline reports
  • Records of privacy and security incidents involving personal information, including any security breach notifications
  • To comply with and demonstrate compliance with applicable laws
  • For legal matters, such as litigation and regulatory matters, including for use in connection with civil, criminal, administrative, or arbitral proceedings, or before regulatory or self-regulatory bodies, including service of process, investigations in anticipation of litigation, and execution or enforcement of judgments and orders
  • For our everyday business purposes
  • Government agencies, lawyers, auditors, consultants, and other unaffiliated parties as required by law, or when needed to protect our legal rights or those of others


Professional or employment-related information

We collect this type of information from:

  • You
  • Your employer
  • Service providers that help us understand our clients, including data brokers and public records providers
  • Job title
  • Employer name and industry
  • Date of hire
  • To establish and maintain our business relationship with you, including processing purchases and sales of securities in your accounts
  • For recordkeeping and compliance 
  • Service providers that we use to support our business and operations (such as processing transactions, communications, technical support, security and fraud prevention, non-behavioral advertising, analytics, public relations, social media, marketing services, promotions, call centers, and event-related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others
  

The personal information we collect includes the following categories of sensitive personal information. Note that the sensitive personal information we collect may vary depending on the nature of your interactions with us and may not include all of the examples listed below. We do not use or disclose sensitive personal information for purposes to which the right to limit use and disclosure applies under the CCPA.

Category and sources of personal information Sample data elements Business or commercial purposes for collecting and disclosing the personal information Categories of unaffiliated parties to whom we disclose this category of personal information for a business or commercial purpose
 


Personal Information that reveals an account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account

We collect this type of information from:

  • You, including as part of your transaction and interaction information
  • Payment processors and other financial institutions
  • Security and fraud prevention service providers

We may infer financial information about you (such as interest in certain products or services) based on your existing account status and transaction activity
  • Bank account number(s) and details
  • Your account numbers at other financial institutions
  • Payroll information
  • To maintain our business relationship with you, including processing purchases and sales of securities in your accounts
  • For recordkeeping and compliance, including dispute resolution
  • For internal business purposes, such as finance, audits, training, reporting, and analytics
  • For our everyday business purposes 
  • Service providers that we use to support our business and operations (such as processing transactions, communications, and security and fraud prevention)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others


Inferences

We create inferred and derived information by analyzing our relationship and transactional information.

We also obtain inferred and derived information from third-party data suppliers—companies that collect demographic and other personal information to help with firms’ marketing and customer service activities.
  • Inferences drawn about you from your personal information, such as your preferences, financial products and services that may interest you, and your investing patterns and behaviors
  • Propensities, attributes, and/or scores generated by internal analytics programs and used for information security and fraud prevention purposes, product and service development and improvement, and marketing 
  • To better understand you and to understand our clients generally
  • To design products, services, and programs that may be of interest to our clients
  • To identify prospective clients
  • For marketing and advertising
  • For internal business purposes, such as quality control, training, and analytics
  • For our everyday business purposes 
  • Service providers that we use to support our business and operations (such as security and fraud prevention, non-behavioral advertising, analytics, research and development, public relations, social media, marketing services, promotions, and web hosting, monitoring, and related services)
  • Other unaffiliated parties (including government agencies, lawyers, auditors, and consultants) as required by law, or when needed to protect our legal rights or those of others 

3. How long we keep your personal information

We keep the categories of Personal Information described above for as long as necessary or permitted for the purposes described in this Notice or otherwise authorized by law. This generally means holding the information for as long as one of the following apply:

  • Your personal information is reasonably necessary to manage our operations, to manage your relationship with us, or to satisfy another purpose for which we collected the information;  
  • Your personal information is reasonably necessary to carry out a disclosed purpose that is reasonably compatible with the context in which the personal information was collected; 
  • The personal information is reasonably necessary to protect or defend our rights or property (which will generally relate to applicable laws that limit actions in a particular case); or 
  •  We are otherwise required or permitted to keep your personal information by applicable laws or regulations. 

Where personal information is used for more than one purpose, we will retain it until the purpose with the latest period expires. For more information about our retention policies, please contact us using the contact details below.

4. Your rights

If you are a resident of California, you have the right to submit certain requests relating to your personal information as described below. In some circumstances—for example, with respect to employer-sponsored retirement plans—Vanguard is a service provider to other businesses and is not the proper party to respond directly to your privacy rights requests. If you are a retirement plan participant who would like to make a CCPA request, please submit your request directly to the Plan Sponsor using one of the methods it has designated for submitting such requests. Regardless of your relationship with us, Vanguard’s website and/or mobile app offer additional options for viewing, accessing, and updating your personal information.

5. The right to know

You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and confirm your verifiable request, we will disclose the following to you (unless an exception applies):

  •  The categories of personal information we collected about you, including:
    • The categories of sources for the personal information we collected about you.
    • Our business or commercial purpose for collecting, selling, or sharing personal information.
    • The categories of recipients to which we disclosed that personal information
    • The categories of personal information that we sold, and for each category identified, the categories of third parties to which we sold that particular category of personal information.
    • The categories of personal information that we disclosed for a business purpose, and for each category identified, the categories of recipients to which we disclosed that particular category of personal information.
  • The specific pieces of personal information we collected about you. 

6. The right to delete

You have the right to request that we delete personal information we collected from you, subject to certain exceptions.

7. The right to correct

If you believe that personal information we maintain about you is inaccurate, you have the right to request that we correct that information.

8. When we sell or share personal information and your right to opt out

Although we do not sell personal information in exchange for money, some of the ways in which we share personal information for advertising may be considered “sales” or “sharing” under the CCPA. We and our digital advertising providers collect certain information from your devices when you visit our websites, through cookies and other technologies, and when you use our mobile applications. This includes the following categories of personal information: Identifiers, Personal Records, Commercial Information, Internet or Other Electronic Network Activity Information, Geolocation Data, and Inferences. We share these categories of personal information with our digital advertising providers to deliver Vanguard ads that may be of interest to you. We do not have actual knowledge that we sell or share the personal information of California residents under 16 years of age.

The manner in which you may opt out of interest-based advertising may vary depending on your relationship with Vanguard. For further information visit our Privacy Center. When you access Vanguard’s U.S. Financial Advisors website (https://advisors.vanguard.com/), we will provide you with the ability to limit certain third-party data sharing related to Interest-Based Advertising with certain service providers. To limit this sharing, click here. When you complete this process, you will provide us with your email address. We will send you a validation code to the email address you specify, and once you confirm that validation code electronically, we will remove the email address you specified from third party sharing. If you have more than one email address on file with us, you will need to complete this process for each email address on file to fully limit our sharing. By clicking on the “Manage Cookies” link at the bottom of Vanguard’s Financial Advisors website, you may also further limit the collection of information by certain cookies, as well as the sharing of cookie information related to Interest-Based Advertising. Note that blocking some types of cookies may impact your experience of the site and the services we are able to offer. To learn more, visit our Privacy Center. For other Vanguard websites aside from Vanguard’s Personal Investor website, if you wish to opt out of sharing your personal information in connection with our interest-based advertising described above, please visit http://optout.aboutads.info/ and follow the opt out instructions for each of your browsers and devices. If you opt out of sharing this information, we will not deliver ads based on your interests and activity, but you will still receive ads. Note that any choice you make here will only affect this browser and device. Because your opt-out preferences are stored in cookies, if you reset your advertising ID or clear your cookies, we will no longer recognize your device or your choices, so you must opt out again. To opt back into interest-based advertising, visit https://optout.aboutads.info/ again and select your preferences.

9. Non-discrimination

If you choose to exercise any of your privacy rights under the CCPA, you also have the right not to receive discriminatory treatment by us.

10. How to submit a CCPA rights request 

If you are a California resident, you may exercise the rights described above by submitting a verifiable request to us by either:

  • Visiting our Privacy Center; or
  • Calling us:
    • Retirement plan participants 877-637-5832
    • Institutional investors 888-568-0464
    • Financial professionals 855-638-8057
    • Vanguard worker (e.g., current, former employee, job applicant, or contractor) 888-364-1453

If you have an account with us, please have your account information available when you call or log in to our secure website to facilitate verification for requests to know, requests to correct, and requests to delete.

If you do not have an account or are unable to log in, you will be asked to provide 2-3 pieces of personal information that we will match against our records to verify your identity.

11. Authorized Agents

You may designate an authorized agent to make a request on your behalf; however, you will still need to verify your identity directly with us before your request can be processed. An authorized agent may submit a request on your behalf using the webform or toll-free number listed in Section 10 above.

12. Changes to this notice

We reserve the right to amend this notice at our discretion and at any time.

13. Contact Information

If you have any questions relating to this notice or how we handle your personal information, please email us at privacy@vanguard.com. You may also call us at the phone numbers listed in Section 10 above.

Revised November 2023