Consumer Privacy Notice for US state privacy laws

Consumer Privacy Notice for U.S. State Privacy Laws

Effective Date: January 01, 2020
Last Review Date: July 06, 2026

1. Purpose of this Notice

This Consumer Privacy Notice explains how Firstsource Group USA, Inc. (“Firstsource”) collects, uses, discloses, retains, and protects personal information about consumers who reside in U.S. states with applicable comprehensive consumer privacy laws, including California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Delaware, Montana, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and other jurisdictions that provide similar consumer privacy rights.

This Notice is intended to supplement our general privacy policy and provide additional disclosures required by applicable U.S. state privacy laws. Consumer rights and disclosures may vary by state and are available only where provided by applicable law. If there is a conflict between this Notice and another privacy statement, this Notice controls for consumers covered by applicable state privacy laws.

2. Scope and Legal Exemptions

Some personal information and processing activities may be exempt from certain requirements under applicable state consumer privacy laws. These exemptions may include, without limitation, information subject to sector-specific laws such as the Health Insurance Portability and Accountability Act and its implementing regulations, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and other federal, state, or local laws. Exemptions may also apply to publicly available information, deidentified or aggregated information, employment-related information, business-to-business contact information, information processed on behalf of clients in a service provider or processor capacity, and information retained to comply with legal, contractual, audit, security, fraud prevention, or record keeping obligations.

Where an exemption applies, we may be unable to fulfill all or part of a consumer request. If we deny or limit a request based on an applicable exemption, we will explain the basis for our decision to the extent required by law. Nothing in this Notice limits any rights that cannot be waived under applicable law. When Firstsource processes personal information on behalf of a client as a service provider or processor, we may refer your request to the client or instruct you to contact the client directly, as permitted or required by applicable law.

3. Personal Information We Collect

Depending on your relationship with us, we may collect the following categories of personal information:

  • Identifiers, such as name, mailing address, email address, telephone number, account number, online identifier, or similar information.
  • Customer records information, such as billing details, service history, transaction records, or information provided in forms or communications.
  • Commercial information, such as products or services purchased, obtained, considered, requested, or transaction histories.
  • Internet or electronic network activity, such as website interactions, device information, log data, cookie data, and similar usage information.
  • Geolocation information, where collected and permitted by law.
  • Audio, electronic, or visual information, such as call recordings, or chat transcripts where applicable.
  • Professional or employment-related information, where relevant to a service, inquiry, or business relationship.
  • Inferences drawn from personal information, such as preferences, service interests, or likely needs.
  • Sensitive personal information, where permitted and necessary, such as government identifiers, precise geolocation, financial account information, health-related information, or other data defined as sensitive under applicable law.
Category Examples Collected
A. Identifiers Name, postal address, email address, telephone number, account number, online identifier, Internet Protocol address, government identifier, driver's license number, passport number, or other similar identifiers. Yes
B. California customer records information Name, signature, address, telephone number, insurance policy number, employment history, bank account number, credit card number, debit card number, medical information, health insurance information, or other financial information. Some information in this category may overlap with other categories. Yes
C. Protected classification characteristics Characteristics protected under federal or state law, such as age, marital status, medical condition, disability, sex, veteran status, or other protected classifications, where collected for a lawful purpose. Limited / Where applicable
D. Commercial information Records of products or services purchased, obtained, considered, or requested, or other purchasing, service, or transaction histories. Yes
E. Biometric information Biometric identifiers or biometric information, such as fingerprints, faceprints, voiceprints, iris or retinal scans, or other biometric templates, where used for identification or authentication. No, except where included in sensitive personal information and collected as permitted by law.
F. Internet or other electronic network activity Website, application, device, cookie, log, browsing, search, or interaction information related to use of our websites, applications, or online services. Yes
G. Geolocation data General location information, such as location inferred from an IP address, and precise geolocation only where collected and permitted by law. Limited / Where applicable
H. Sensory information Audio, electronic, visual, or similar information, such as call recordings, voicemail messages, chat transcripts, or other service-related communications. Yes
I. Professional or employment-related information Current or prior work information, business contact details, role, employer, or related information where relevant to a service, inquiry, or business relationship. Limited / Where applicable
J. Non-public education information Education records directly related to a student and maintained by an educational institution or party acting on its behalf, where applicable. No
K. Inferences drawn from personal information Inferences reflecting preferences, service interests, likely needs, or similar characteristics used to support services, analytics, personalization, or operational improvement. Yes
L. Sensitive personal information Government identifiers, financial account information, health-related information, precise geolocation, biometric information, or other information defined as sensitive under applicable law, where permitted and necessary. Limited / Where applicable

4. Sources of Personal Information

We may collect personal information directly from you, from your interactions with our websites, applications, call centers, service platforms, and representatives, from clients or business partners who provide information to us to perform services, from service providers and vendors, from publicly available sources, and from other sources permitted by law.

5. Purposes for Collecting, Using, and Disclosing Personal Information

We may collect, use, disclose, or otherwise process personal information for the following business and operational purposes:

  • To provide, support, and improve products, services, customer support, and account administration.
  • To respond to inquiries, requests, complaints, and consumer rights submissions.
  • To verify identity, maintain security, detect fraud, prevent unauthorized activity, and protect our systems and information.
  • To process transactions, payments, claims, service requests, healthcare assistance applications, or other consumer interactions.
  • To comply with legal, regulatory, contractual, audit, reporting, and record keeping obligations.
  • To perform analytics, quality assurance, training, internal reporting, and operational improvement.
  • To manage vendors, service providers, contractors, and business partners.
  • To personalize experiences, where permitted bylaw and consistent with consumer choices.
  • To conduct risk assessments and evaluate the impact of processing activities where required by applicable law.

6. Disclosure of Personal Information

We may disclose personal information to service providers, contractors, processors, affiliates, professional advisors, business partners, regulators, state and federal Medicaid and Medicare offices, law enforcement, courts, or other parties where required or permitted by law. We require service providers and processors to use personal information only for authorized purposes and to maintain appropriate safeguards.

We do not sell personal information or share personal information for cross-context behavioral advertising. Where applicable law provides an opt-out right for the sale of personal information, sharing for cross-context behavioral advertising, targeted advertising, or certain profiling activities, we will provide a clear method for consumers to exercise that choice. Where required, we will also recognize valid opt-out preference signals, such as Global Privacy Control, in accordance with applicable law.

7. Retention of Personal Information

We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this Notice, comply with legal and contractual obligations, resolve disputes, maintain security,support audit and compliance activities, and enforce our rights. Retention periods may vary based on the type of information, the purpose for collection,legal requirements, and operational needs.

8. Sensitive Personal Information

We collect, use, and disclose sensitive personal information only as reasonably necessary and proportionate to provide requested services, maintain security and integrity, prevent fraud, verify identity, comply with legal obligations, manage operational needs, or perform other purposes permitted by applicable law. We do not use or disclose sensitive personal information for the purpose of inferring characteristics about consumers unless permitted by law and supported by required notices and rights.

Where applicable law provides a right to limit the use or disclosure of sensitive personal information, including California law, consumers may submit a request using the methods described in this Notice. We will evaluate and respond to such requests in accordance with applicable legal requirements and permitted exceptions.

9. Consumer Privacy Rights

Subject to applicable law and any permitted exceptions, consumers may have the following rights:

  • Right to Know or Access: Request confirmation of whether we process personal information and access to certain personal information collected about you.
  • Right to Delete: Request deletion of personal information we collected from or about you, subject to legal exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Data Portability: Request a copy of personal information in a portable and, where technically feasible, readily usable format.
  • Right to Opt Out: Where applicable, optout of the sale of personal information, sharing for cross-context behavioral advertising, targeted advertising, or certain profiling activities that may produce legal or similarly significant effects.
  • Right to Limit Sensitive Personal Information: Limit the use or disclosure of sensitive personal information where required by applicable law.
  • Right to Appeal: Appeal a decision regarding a consumer rights request where applicable state law provides an appeal right.
  • Right to Non-Discrimination: Not be discriminated against for exercising privacy rights.

10. AI and Automated Decision-Making Statement

Firstsource may use artificial intelligence, automated decision-making technology, algorithms, machine learning tools, or other automated systems to support business operations, improve services, detect fraud, enhance security, route inquiries, summarize information, assist customer service representatives, support quality assurance, personalize user experiences, or improve operational efficiency.

Where AI or automated systems are used, we seek to use them responsibly, with appropriate human oversight, data governance, privacy safeguards, access controls, testing, and monitoring. We do not use AI or automated decision-making technology as the sole basis for decisions that produce legal or similarly significant effects about consumers unless permitted by law and supported by required notices, rights, assessments, and safeguards.

If we use AI or automated decision-making technology in a manner that materially affects your access to, eligibility for, or terms of important services, or if applicable law provides a right to opt out of profiling or automated decision-making, we will provide legally required disclosures and a method for you to exercise your rights, which may include the right to opt out, request information, obtain human review, correct underlying information, or appeal an adverse decision.

11. Declaration Authorization Privacy Request Form

You may submit a privacy request using one of the following methods:

We may need to verify your identity before processing your request. Verification may require matching information you provide with information we maintain, requesting additional information, or using another verification method permitted by law. Authorized agents may submit requests on behalf of consumers where permitted. We may require the authorized agent to provide written permission, proof of authority, or a valid power of attorney, and we may require the consumer to verify their identity directly unless an exception applies.

12. Appeals

If we deny your privacy request and applicable law provides an appeal right, you may appeal our decision by contacting us at privacy@firstsource.com.  We will review your appeal and respond within the timeframe required by applicable law. If your appeal is denied, you may have the right to contact your state attorney general or other applicable privacy regulator.

13. Children’s Personal Information

We do not knowingly collect, sell, share, or process personal information of children in violation of applicable law. Where we process children’s personal information, we do so only with appropriate consent, authorization, or another lawful basis as required by applicable privacy and children’s privacy laws.

14. Changes to this Notice

We may update this Notice from time to time to reflect changes in our practices, legal requirements, technology, or business operations. When we make material changes, we will update the “Last Updated” date and provide notice as required by law.

15. Contact Us

If you have questions about this Notice or our privacy practices, please contact us at:

Firstsource Group USA, Inc.
Attn: Privacy Officer
10400 Linn Station Rd, Suite 215
Louisville, KY 40223
privacy@firstsource.com
1-800-736-2107 ext 53107

Declaration Authorization Privacy Request Form