Last Updated: July 2020

U.S. Privacy Notice for Consumers at Department Stores National Bank (“DSNB”), the Issuer of Macy’s and Bloomingdale’s Credit Cards.

Your trust and confidence in how we collect, use, and share information about you is a priority. This U.S. Privacy Notice for Consumers (Notice) applies to our U.S. websites, e-mail, phone, and other U.S. online or offline services that link to or from this Notice as well as any interactions you may have with our digital advertising campaigns (collectively, the Sites/Services).

This Notice explains how we collect, share, use, and protect information when you visit or use the Sites/Services. We advise you to read this Notice in its entirety, including the jurisdiction-specific provisions in the appendix to this Notice, which will apply to users in certain jurisdictions. By using the Sites/Services, you agree to this Notice.

This Notice does not apply to websites, mobile applications, email, or social media sites or pages that are owned or operated by Macy’s, Inc. (e.g. macys.com, bloomingdales.com), (“Macy’s Sites”). Macy’s has its own privacy notices that are different from this one for the information it may access through your use of Macy’s Sites.

As you review this Notice, here are a few important things to keep in mind:

  • If you have a financial product or service with us for personal, family or household use with us, we would also have delivered to you a U.S. Customer Privacy Notice (Customer Privacy Notice) that explains how we collect, use and share information about you and offers you certain choices with respect to the use and sharing of your personal information.
  • This Site is not intended for children under 13 years of age. We do not knowingly solicit information online from, or market online to, children under 13 years of age.
  • Wireless service providers, Internet service providers, device manufacturers and/or social media platforms may have their own privacy notices that are different from this one for the information they may access through your use of the Sites. We encourage you to read their privacy notices as the collection, uses and sharing of information by those third parties may be different than DSNB.
  • Our mobile, social media, or other online services, sites or pages may have additional terms about the privacy or use of your information. Please review the privacy notice for the specific Site/Service you are using.
    1. Information We Collect Through the Sites/Services
    2. Use of Information
    3. Sharing of Personal Information
    4. Managing Your Personal Information
    5. Aggregation Services
    6. Online Advertising
    7. Your Choices Regarding Your Personal Information
    8. Security of Personal Information
    9. Other Important Information
    10. Contact Us

Appendix

1. Information We Collect Through the Sites/Services

We collect two types of information: Personal Information and Other Information

“Personal Information” is any information:

  • that identifies or can be used to identify you or your household;
  • that relates to, describes, is capable of being associated with, or could reasonably be linked (directly or indirectly) with you or your household;
  • that can be used to authenticate you or provide access to an account;
  • that relates to you and that might be sensitive (such as personal medical or health information, account number, account value).

In addition to Personal Information you provide directly to us, we may collect other information about you, including acquiring and using services provided by third parties who collect and analyze customer data (“Other Information”). We share Other Information we collect about you with our affiliates, including Macy’s.

For at least the past 12 months, we have collected the following categories of Personal Information from the following sources:
Through the Sites/Services

What we collect: We collect from you (which, for the purposes of this section, refers to you and your household) through the Sites/Services Personal Information that identifies you as an individual or relates to identifying information about you, including identifiers such as your name, addresses, phone number, and e-mail.

Depending upon the Services you request, we may collect additional Personal Information such as: alias; mother's maiden name; gender; race; age; date of birth; information from a birth certificate or death certificate; relationship status; Social Security number; information that appears on your Driver's license, Green card, National ID, State ID, or Passport/Visa; your citizenship and military status; Tax ID, bank account and/or payment card information; information about your education, employment and employment history, and property; criminal offenses; credit history; credit score; credit report; dependent/beneficiary name(s); biometric information; and other personal identification numbers.

We, or companies we work with, collect from you: other Internet or other electronic network activity information such as browser and device information; information collected through cookies, web beacons and other technologies; demographic information; applications you submit; and aggregated information about your visits to, or use of, our Sites/Services. While that information alone may not reveal your specific individual identity, we may associate this usage and Other Information we collect online with Personal Information about you.

If you have a Macy's or Bloomingdales' credit card, we also collect and maintain account and transaction information including: your user ID; account holder name; account PIN and password; security question(s) and word(s); signature; bank SWIFT code; credit card PIN; loyalty program information (when applicable); merchant name and contact information; merchant category code; transaction data/history; your photo (when provided); image documentation; and your voice recordings (when provided). We also collect from third parties account identifiers used in transfers of funds.

Our business purpose for collecting this information: reviewing and processing applications for our Services; intake of new customers; account maintenance and servicing; providing customer service; improving our Sites/Services; performing research and business analytics, and identifying usage trends; engaging in fraud monitoring and prevention; compliance with applicable laws and regulations; protecting our business and our customers against illegal activity; performing audits; verifying requests made pursuant to this Notice; tailoring our marketing communications as well as those from our affiliates and from selected third parties; managing our business effectively; and developing new products and services.

Through your browser or device

What we collect: Certain information is collected by internet browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, device identifier, language, and Internet browser type and version. We may also collect your IP address, along with the time of your visit and the page(s) visited.

We may also collect from you various attributes associated with your device (such as IP address, installed fonts, language and browser settings, and time zone) in order to create a device fingerprint or identifier so that we can recognize your device, along with the time of your visit and the page(s) visited.

If you have a Macy's or Bloomingdales' credit card, we also collect and maintain account and transaction information including: your user ID; account holder name; account PIN and password; security question(s) and word(s); signature; bank SWIFT code; credit card PIN and other information; loyalty program information (when applicable); merchant name and contact information; merchant category code; transaction data/history; your photo (when provided); image documentation; and your voice recordings (when provided). We also collect from third parties account identifiers used in transfers of funds.

Our business purpose for collecting this information: reviewing and processing applications for our Services; intake of new customers; account maintenance and servicing; providing customer service; improving our Sites/Services; performing research and business analytics, and identifying usage trends; engaging in fraud monitoring and prevention; compliance with applicable laws and regulations; protecting our business and our customers against illegal activity; performing audits; verifying requests made pursuant to this Notice; tailoring our marketing communications as well as those from our affiliates and from selected third parties; managing our business effectively; and developing new products and services.

Geolocation/Physical location when using your mobile device

What we collect: We may collect the physical location of your device by using satellite, cell phone tower, or wireless local area network signals. We may also use your device's physical location to provide you with personalized location-based services and content, as well as to understand traffic patterns. In some instances, you may be permitted to allow or deny such uses and/or sharing of your device’s location, but, if you choose to deny such uses and/or sharing, we may not be able to provide you with the applicable personalized services and content. We will collect your precise physical location only with your consent. We may also collect your precise physical location in order to provide you insights and facilitate goals regarding your spending activities. You can de-enroll in these services at any time.

Our business purpose for collecting this information: account maintenance and servicing; fraud monitoring and prevention; protecting our business and our customers against illegal activity; performing audits; compliance with applicable laws and regulations; tailoring our marketing communications as well as those from our affiliates and from selected third parties; managing our business effectively.

Using unique identifiers such as cookies, pixel tags, device profiling, and similar technologies

What we collect: We may use unique identifiers such as cookies, pixel tags, and similar technologies to collect from you: browser, device information and browsing information, such as time spent on the Site, pages visited, language preferences, and other traffic data. These cookies may contain or reflect segment or other interest-based data in a de-identified form including interests across other sites. We may also collect from you various attributes associated with your device (such as IP address, installed fonts, language and browser settings, and time zone) in order to create a device fingerprint or identifier so that we can recognize your device.

Our business purpose for collecting this information: operating, maintaining, and protecting our Sites/Services; reviewing and processing applications for our Services; intake of new customers; account maintenance and servicing; improving our products and services; improving your experience on our Sites; performing research and business analytics; understanding your interests and preferences; tailoring our marketing communications as well as those from our affiliates and from selected third parties; engaging in fraud monitoring and prevention; protecting our business and our customers against illegal activity; compliance with applicable laws and regulations.

Drawing Inferences from Personal Information

What we develop: We may create user profiles based upon inferences from the Personal Information about you that we have collected (please see the “Online Advertising” section below for more information on our online advertising practices). In some instances, we may combine Other Information with Personal Information where permissible by law and applicable industry guidelines. In addition to Personal Information you provide directly to us, we may collect Other Information about you, including acquiring and using services provided by other parties who collect and analyze customer data.

Our business purpose for drawing these inferences: using these inferences for our internal business and operational purposes, such as to: provide customer service and support; improving our products and Sites/Services; performing research and business analytics; and better tailoring our marketing communications as well as those from our affiliates and from selected third parties. For more information, please see the section entitled “Online Advertising” below.

Third Party Sources

What we collect: We may collect information about you from certain third party sources, including, for example, financial institutions and government sources. This information may include, for example, account identifiers for funds transfers, credit histories, credit scores, credit reports, and information from a death certificate.

Our business purpose for collecting this information: engaging in fraud monitoring and prevention; compliance with applicable laws and regulations; reviewing and processing applications for our Services; intake of new customers; managing our business effectively; account maintenance and servicing.

2. Use of Information

We may use the personal and other information we collect from and about you to:

  • Authenticate you so that you can access the Sites and conduct account transactions on the Sites;
  • Recognize you, your device or your browser when you use the Sites/Services so that we can facilitate navigation, display information more effectively, store your preferences and otherwise personalize your experience and enhance the use of the Sites/Services;
  • Process your applications and transactions;
  • Respond to your inquiries, fulfill requests and request your feedback;
  • Service your account and market to you, including advertisements and other communications tailored to you, on our Sites/Services and third party sites, as well as offline (please see the “Online Advertising” section for more information on our online advertising practices);
  • To track responses to our e-mails and advertisements and to measure the success of our marketing campaigns;
  • Provide you with account information
  • Facilitate social sharing functionality, where appropriate;
  • For our business purpose and other lawful purposes, such as for data analysis, audits, fraud monitoring and prevention, information security, improving the Sites/Services, developing new products and services, managing our business effectively, identifying usage trends, and expanding our business activities;
  • Review statistical information about use of the Sites/Services in order to improve their design and functionality, to understand how they are used, and to assist us with resolving questions about the Sites; and
  • Ensure that the Sites function properly and otherwise administer the Sites/Services.

We may use, or share with others (in anonymous or non-readable form where appropriate) your information in order to better recognize you when visiting the Site and to provide relevant advertising (for DSNB, Macy’s or third party’s products/services), based on your interests, on the Site, on other sites and apps and other channels including television, email and direct mail.

3. Sharing of Personal Information

  • During at least the past 12 months, we have disclosed your Personal Information for the following business purposes with our affiliates, and with Macy's, to the extent permissible under applicable law;
  • with third parties, to permit them to send you marketing communications on our behalf;
  • with our service providers, who provide services such as website hosting, data analysis, information technology and related infrastructure provision, customer service, processing your transactions, e-mail delivery, auditing, and other services;
  • with individuals you associate with your social media account and to your social media account provider, in connection with your social sharing activity; and
  • with a third party in the event of any proposed reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

We also may use and disclose your personal information as we believe to be necessary or appropriate: (a) under applicable law, which may include laws outside your country of residence; (b) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence; (c) to enforce our terms and conditions; and (d) to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.

Where appropriate, we will limit sharing of your personal information in accordance with the choices you have provided us in response to our Customer Privacy Notice(s) or other privacy choices that we may make available.

We may share de-identified or aggregated information with third parties to help deliver products, services, and content that are tailored to the users of our Sites and for other business purposes.

We may transfer information to affiliated companies or other parties throughout the world to process transactions and provide you with products and services. Regardless of where we process your information, we still treat it in accordance with this Notice and applicable law.

4. Managing Your Personal Information

Keeping your account information accurate and up to date is very important. If your account information is incomplete, inaccurate or not current, please use the Contact Us option on our Site, or call or write to us at the telephone numbers or appropriate address for changes listed on your account statements, records, online or other account materials.

5. Aggregation Services

If you provide your user credentials or other information about your Macy's or Bloomingdale's credit card to a third-party aggregation services provider, we will consider that you have authorized all transactions or actions initiated by such access information you provide, whether or not you were aware of a specific transaction or action. If you decide to revoke the authority you have given to an aggregation website, we strongly recommend that you change your password for Account Online to ensure that the aggregation website cannot continue to access your account information.

6. Online Advertising

We may, directly or through third parties, serve ads regarding products and services intended to be of interest to you on the Site and on third party sites or apps. We and others may use the online technologies described in the “Use of Information” section above to make inferences and predictions about your characteristics, interests and preferences based on your online interests and activities across other sites. We may also use technologies to associate and recognize your various mobile and desktop devices in order to deliver ads and other content in a consistent manner across the devices you use. Information we collect using the technologies described above may also be associated or linked with Personal Information, such as email or postal address, you provided directly to us or others. Alternatively, Personal Information may also be linked with characteristics or attributes about you, such as lifestyle interests, in support of our marketing efforts. If you opt out of interest based advertising, as described in the section entitled “Your Choices Regarding Your Personal Information” below, you will not receive such customized ads on the Site or in other places.

7. Your Choices Regarding Your Personal Information

You have certain rights with regard to your Personal Information.

Your California Privacy Rights. If you are a California resident, you have the right to request and receive certain information about disclosure of your Personal Information to third parties for their direct marketing purposes. Because it is our policy not to share your Personal Information with third parties for third-party direct marketing purposes without your consent, we are exempt from the requirement to respond to such requests. If you have any questions related to our policy, please contact us using the information provided in the “Contact Us” section below.

For information regarding how to exercise your rights as a consumer under the California Consumer Privacy Act. Please see “Supplemental provisions for California residents” in the Appendix to this Notice.

Cookies and Interest-Based Advertising.

Both the Network Advertising Initiative and the Digital Advertising Alliance (to whose principles we adhere) provide information about and technologies to opt-out of receiving some or all interest based advertising. You can also opt-out of interest based advertising by clicking on the appropriate icon within an interest based ad which will take you to tools to help you manage these choices. These technologies are browser and device specific, they must be adopted on each device you use. If you block or clear cookies, these technologies may not work. You will continue to see ads on the Site which reflect how you use the Site and our Services.

If you would prefer not to receive interest-based advertising, you can opt-out of this activity at the DAA website by visiting https://www.aboutads.info/choices/ (for U.S. residents).

You can choose whether to accept cookies through your browser settings (check the “Help” file). For example, most browsers allow you to automatically decline cookies or decline or accept a particular cookie (or cookies) from a particular site when browsing. If you decide not to accept cookies, some features of the Site may not work properly because we may not be able to recognize your device and associate you with your Macy’s or Bloomingdale’s credit card account(s). In addition, the offers or content we provide when you visit the Site or on third party sites may not be as relevant to you or tailored to your interests.

Local Shared Objects, sometimes referred to as flash cookies may be stored on your hard drive using a media player or other software installed on your device. Local Shared Objects are similar to cookies in terms of their operation, but may not be managed in your browser in the same way. Restricting acceptance of Local Shared objects may impede the functionality of some Flash applications, including those used in connection with the Site including animation and video presentations. For more information on managing Local Shared Objects, click here.

Do Not Track. Some browsers have a do not track feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser do not track signals.

8. Security of Personal Information

The security of personal information about you is a priority. We seek to protect this information by implementing and maintaining reasonable physical, electronic, and procedural security measures and safeguards designed to protect Personal Information within our organization. We provide employee training in the proper handling of Personal Information. Unfortunately, no data transmission over the Internet or wireless network or data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately contact us in accordance with the “Contact Us” section below.

9. Other Important Information

Notice of Changes. We may change this Notice from time to time. Please take a look at the “Last Updated” legend at the beginning of this Notice to see when this Privacy Notice was last revised. When we do, we will post the revised Notice on this page with a new effective date. Any changes will become effective when we post the revised Notice on the Site. Your use of the Sites following these changes means that you accept the revised Notice.

Third-Party Sites and Services. This Notice does not address, and we are not responsible for, the privacy, security, or other practices of any third parties, including any third party operating any site or service to which the Site links. The inclusion of a link on the Site does not imply endorsement of the linked site or service by us or by our affiliates.

In addition, we are not responsible for the information collection, usage, disclosure, or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, or any other third-party app provider, social media platform provider, operating system provider, device manufacturer, or wireless service provider, including with respect to any Personal Information you disclose to other organizations through or in connection with the Site/Services.

Jurisdictional Issues. The Site is controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country, or territory other than those of the United States. Information about you may be stored and processed in any country where we have facilities or in which we engage service providers, and, by using the Site, you consent to the transfer of information to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your personal information.

10. Contact Us

If you have any questions about this Notice, please contact us. For more information call us toll-free at 1-866-470-8613.

If you would like to submit a request pursuant to the California Consumer Privacy Act (“CCPA”), please visit our Privacy Hub at online.citi.com/dataprivacyhub or call (833) 971-1191. If you wish to submit a request to have your Personal Information deleted (see section I.A.3 in the Appendix below) or wish to opt-out of the selling of your Personal Information, call at (833) 981-0270.

APPENDIX — Jurisdiction Specific Provisions

I.   Supplemental provisions for California residents.

  1. Requests. California residents have certain rights with respect to Personal Information under the California Consumer Privacy Act (“CCPA”). For purposes of this subsection, the terms “consumer,” “categories of personal information,” “business purpose,” “third party,” and “sell” have the meanings ascribed to them respectively in the CCPA. Terms defined under the CCPA may differ in meaning from the common usage of the same terms used elsewhere in this Notice. DSNB is an affiliate of Citi, and Citi will be responding to requests submitted pursuant to the CCPA.
    1. You have the right to request, up to two times every 12 months, that we disclose to you the following: (i) the categories of Personal Information that we have collected about you; (ii) the categories of sources from which we have collected Personal Information about you; (iii) the business or commercial purpose for collecting or selling your Personal Information; (iv) the categories of Personal Information that we have sold about you in the last 12 months and the categories of Third Parties to whom the Personal Information was sold, by category or categories of Personal Information for each Third Party to whom the Personal Information was sold; (v) the categories of Personal Information that we have disclosed about you for our business purposes in the last 12 months and the categories of Third Parties to whom the Personal Information was disclosed, by category or categories of Personal Information for each Third Party to whom the Personal Information was disclosed; and (vi) the specific pieces of Personal Information that we have collected about you. Please note that Personal Information we have collected in connection with your Macy’s or Bloomingdale’s credit card account with us is not subject to the requirements of CCPA because it is already protected under existing federal and California state privacy laws, including the Graham Leach Bliley Act.
    2. You have the right to request a portable copy of your Personal Information.

      In response to verified requests pursuant to #1 or #2 above, we will confirm receipt of the request within 10 business days of receipt of the request, and disclose and deliver the required information to you free of charge within 45 days of receiving a verifiable consumer request. We may extend this time period to provide once by an additional 45 days when reasonably necessary. We will provide notice of the extension within the first 45-day period.

    3. You have the right to request that we delete Personal Information collected from you, subject to certain exceptions allowed under applicable law.

      In response to verified requests pursuant to #3 above, we will confirm receipt of the request within 10 business days of receipt of the request. Following verification of your request, we may require you to separately confirm that you want your Personal Information to be deleted.

    4. You have the right to opt out of the sale of your Personal Information to Third Parties by clicking here online.citi.com/dataprivacyhub to visit our Privacy Hub. CCPA defines sale very broadly, covering both monetary and other consideration. Citi does not sell personal information for money. However, we share some types of personal information. See our Privacy Hub.
    5. We will not discriminate against you because you elect to exercise these rights, including by:
      • Denying goods or services to you.
      • Charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
      • Providing a different level or quality of goods or services to you.
      • Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

      None of the foregoing, however, prohibits us from charging you a different price or rate, or from providing a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to us by your data.

  2. Submission of Requests. You may exercise these rights by managing this information through Citi's Privacy Hub at online.citi.com/dataprivacyhub or by calling us at (833) 971-1191. If you wish to submit a request to have your Personal Information deleted (see section I.A.3 in this Appendix) or wish to opt-out of the selling of your Personal Information, call us at (833) 981-0270. If you wish to submit any type of CCPA request through an authorized agent, please follow the process in Section I.D. below.
  3. Requests From Households. Citi cannot take action in response to a request to know or request to delete as it pertains to household specific pieces of personal information unless all of the following conditions are satisfied:

    1. All consumers of the household must jointly request access or deletion through the processes outlined in this Privacy Policy;

    2. We are able to individually verify (i) all members of the household (see Section I.E below); and (ii) that all individuals making the request are still members of the household.

  4. CCPA Authorized Agent. CCPA permits consumers to designate authorized agents to submit requests on their behalf. Under CCPA, an “authorized agent” is a natural person or a business entity registered with the Secretary of State to conduct business in California that a consumer has authorized to act on their behalf subject to the requirements. If you would like to designate an authorized agent to submit a request to know or a request to delete Personal Information on your behalf, please call us at (833) 981-0270. Please be advised of the following additional information that will be required:

    1. We require a written power of attorney, executed by you, confirming the authority of the authorized agent with respect to your CCPA request(s). After you initiate a request with us by phone at the number above, we will provide you with a form of power of attorney.

    2. Prior to responding to any request made on your behalf by an authorized agent, we may require you to provide written confirmation directly to us that you have provided the authorized agent permission to submit such request(s) on your behalf.

    3. Once verified (see Section I.E below), your authorized agent may create a unique account for you through Citi’s Privacy Hub at online.citi.com/dataprivacyhub and manage your requests through that account.

  5. Verification. Whether you submit a request directly on your own behalf, or through an authorized agent, we will take reasonable steps to verify your identity prior to responding to your requests under CCPA. Upon receiving a request pursuant to #I.A.1 or #I.A.2 above, we will confirm receipt within 10 days and provide you with information about how we will verify and process the request. In order to verify your request, we will require you to provide your social security number, tax ID number or passport number and issuing country, in addition to your first and last name, email address and mailing address.