Privacy Policy

Last updated on June 28, 2024

Privacy Policy for Goldman Sachs Bank USA’s Consumer & Small Business Platforms 

1. Introduction; What This Privacy Policy Covers; and Notice at Collection

Your privacy is important to us. The purpose of this Privacy Policy (as updated from time-to-time, this “Privacy Policy”) is to explain how we collect, use, disclose and protect personal information. This Privacy Policy applies to (i) the Marcus by Goldman Sachs website, currently located at https://www.marcus.com, the Marcus by Goldman Sachs mobile app, and any other website, mobile app, or email associated with the above that is owned or operated by us, and on which this Privacy Policy appears or is linked, (ii) the Products, and (iii) any other Goldman Sachs consumer, small business, and digital advisory solutions businesses that link to this Privacy Policy, collectively, the “Services.” This Privacy Policy also covers the personal information we collect from social media sites or pages associated with our Services and your interactions with our digital advertising campaigns. 

These links will take you to sections of this Privacy Policy explaining the following topics and, together with the information contained in the below sections, constitute our Notice of Collection: 

 

This Privacy Policy includes the following information:

  1. Introduction; What This Privacy Policy Covers; and Notice at Collection
  2. What Personal Information We Collect and Generate
  3. How We Use Personal Information
  4. To Whom We Disclose Personal Information
  5. Cookies and Other Tracking Technologies
  6. Additional Technology
  7. How We Protect Information
  8. Reporting Security Vulnerabilities
  9. Retention of Personal Information
  10. California Residents
  11. Additional Choices
  12. Links and Third-Party Products and Services
  13. Contact Us
  14. Other Important Information
  15. Updates to this Privacy Policy

Other Privacy Disclosures

If you have signed up for, applied for, have or previously had one of our consumer Products with a Marcus brand, the Marcus Consumer Privacy Notice will apply to you. This provides more information about how we collect and share your personal information and outlines certain choices you may have. If there is a conflict between this Privacy Policy and any privacy notice, disclosure, policies or terms relating to any Product, the privacy notice, disclosure, policies or terms relating to the Product will govern.

Other Goldman Sachs Relationships

If you have other relationships with Goldman Sachs that are not covered by this Privacy Policy, please visit the Goldman Sachs Privacy and Cookies Website for more information about how your personal information is processed and to understand your rights and choices for those services. 

Important Terms

We want you to understand the following defined terms that we use throughout this Privacy Policy, when we use:

  • Goldman Sachs,” “we,” “us” or “our”, we mean Goldman Sachs Bank USA. 
  • including” or “includes,” we mean “including but not limited to” or “includes but is not limited to.”
  • Marcus”, means the businesses of Goldman Sachs Bank USA that have Marcus by Goldman Sachs branding.
  • "Products,” we mean the Online Savings Accounts, Certificate of Deposit accounts and any other deposit products, Marcus loans, credit cards and any other credit products, any associated user account, financial aggregation education information, and materials that link to this Privacy Policy.

2. What Personal Information We Collect and Generate

We may collect or generate personal information about you, or a third party acting upon your instruction, in a number of ways and from a number of sources depending on the Services and the relationship we have with you. For example:

  • Before you begin an application, sign up, or open an account, we collect data sets from affiliates and third parties such as data analytics providers and credit reporting agencies to perform marketing analyses, identify marketing prospects and deliver marketing communications;
  • While applying, signing up, or opening an account for a Product with us, and over the course of your relationship with us, you provide information directly to us and we may collect information about you from third parties such as data analytics providers, the public domain, credit reporting agencies, identity verification and fraud prevention services and government entities, and we also may generate new information about you;
  • When you communicate, and interact with us over the phone and online, including via social media or other platforms, we may monitor and record the content of the communications, and collect information about your use and interactions with the Service (such as via the mechanisms described in the “Cookies and Other Tracking Technologies” section below);
  • In connection with our marketing and communications, we may collect digital information using Cookies, Web Beacons, or similar tools that we and our Vendors and other third parties have set; and
  • When you interact with us via a social media platform, we may collect a copy of the posts and other information, such as account ID or username.

The following is a list of the categories of personal information, along with some descriptions and examples, that we may collect or generate through each of the processes described above. Some data elements will fit into multiple categories.   

  • Personal Identifiers:  This includes first and last name, previous name, address, email address, account user name, social media profile, telephone number, unique personal identifier and related information, publicly available photographic images, and signature;
  • Device and Online Identifiers and Related Information:  This includes online identifiers, Internet Protocol (IP) address, mobile/wireless carrier, device identifier (such as the Google Advertising ID or Apple ID for Advertising), and other device information;
  • Background Information:  This includes date of birth, family information, information about your personal and professional associates and associations, and any other information we are required to collect by law and regulation;
  • Financial Information:  This includes credit report information, credit scores, bank account number, transaction and financial account information, account login credentials, household income data, tax documents, your authority over financial accounts, including trusted contact/beneficial interest in and other information about entities you are associated with, public company affiliations, available account balance information, income and other similar financial information;
  • Government Identifiers:  This includes Social Security number, Tax Identification Number, national identification number, other government-issued identification number, driver’s or operator’s license number, passport number, Alien Registration Number and copies of government IDs;
  • Protected Classification Characteristics:  This includes age, race, national origin, citizenship, nationality, marital status, sex, and veteran or military status. Please note that we do not collect information regarding gender identity, gender expression, or sexual orientation unless you provide it to us in connection with servicing your account. Please also note that under certain circumstances, when applying for a small business loan we may ask whether the business is minority- or women- owned, and for the principal owners' ethnicity and race.
  • Purchase History: This includes customer purchase history or tendencies;
  • Biometric Information: This refers to a voiceprint, which is a numerical representation of your voice when you call us (we use this to identify fraudulent activity and to enhance security). We also collect behavioral biometric data regarding how you interact with the Services;
  • Internet, Application, and Network Activity: This includes data related to user activity (e.g., when and how you use the Services and interact with our communications including emails) including emails, browsing history, search and clickstream history, online website tracking information, other data related to user activity, and URL referral header information; we may collect this type of information automatically via Cookies, browser web storage, Web Beacons and similar technologies;
  • Location Data: We may collect and receive information about your geolocation and your mobile device including a unique identifier for your device; in addition, in some instances, location information can be estimated from your IP address or through your Wi-Fi connection. We may also collect and receive precise geolocation information in certain circumstances (such as to help you find a nearby ATM);
  • Sensory Data: This includes audio data, such as a recording of your voice when you call us;
  • Professional or Employment-Related Information: This includes occupation, title, employer, employment history, income, industry affiliations, and education;
  • Inferences About You: This includes a profile reflecting your preferences, characteristics, predispositions, behavior, attitudes and creditworthiness profile; and
  • Sensitive Personal Information: Some of the personal information that we collect and generate and which is described above is considered sensitive personal information. This includes Social Security, driver’s license, state identification card, and passport numbers; account log-in, financial account, debit card, and credit card numbers in combination with credentials allowing access to an account; precise geolocation; information relating to your health; and biometric information.

 

Although you don’t have to supply any of the personal information we request, we may not be able to provide Services to you if you do not.

Personal information does not include information that has been anonymized or aggregated so that it does not identify an individual. 

3. How We Use Personal Information

We collect and use personal information for the following business purposes:

  • Administering, operating and managing your relationship with us;
  • Understanding your needs and offering services to you;
  • Complying with contractual obligations, relevant industry standards, and our policies; 
  • Authenticating identity;
  • Mitigating fraud and enhancing the security of our services
  • Contacting and communicating with you, including through push notifications and text messages;
  • Conducting marketing activity, such as developing marketing and acquisitions models, identifying marketing recipients, developing marketing collateral and delivering advertisements and marketing communications;
  • Responding to and reviewing social media messages or postings about us or our services;
  • Presenting third-party products and services we think may be of interest;
  • Performing analytics concerning the use of the Services, including responses to our emails and the pages and advertisements that are viewed; and
  • Operating, evaluating, and improving our business and our services (including assessing and managing risk, fulfilling our legal and regulatory requirements, developing new services, improving and personalizing existing services, and performing accounting, auditing and other internal functions).
     

We may also use your personal information for any other purpose that we disclose at the time you provide, or when we collect, your information, and other purposes permitted by applicable law. 

We may also use data that we collect on an aggregate or anonymous basis for various business purposes, where permissible under applicable laws and regulations.

If your relationship with us ends, we will continue to treat your personal information as described in this Privacy Policy or as set forth in the privacy notice for the applicable Product.

4. To Whom We Disclose Personal Information

We disclose personal information as set forth below:

  • Goldman Sachs Affiliates: We may disclose personal information to members of the Goldman Sachs family of companies in order to service accounts, improve services or for other purposes permissible under applicable laws and regulations.
  • Vendors: We may disclose personal information to non-affiliated companies and partners that perform support services for us, such as data analytics, fraud analysis, identity verification, risk management, security services, advertising and marketing, customer support, mail services, email delivery, information technology, and payment processing.
  • Cobrand Partners: We may disclose personal information to our cobrand partners in order to service accounts, improve services or for other purposes permissible under applicable laws and regulations.
  • Legal Process and Emergency Situations: We may disclose to third parties as permitted by, or to comply with, applicable laws and regulations. Examples include responding to a subpoena or similar legal process, protecting against fraud, and cooperating with law enforcement or regulatory authorities. We may also disclose information if we believe it is necessary or appropriate to protect our rights, property or safety, or the rights, property, or safety of our employees, customers or others, or to enforce our contractual rights.
  • Corporate Transactions: In the event of a corporate transaction, such as a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of any or all of our assets or liabilities, some of the personal information that we hold may be among the assets or liabilities transferred to a buyer or other successor. We may also transfer personal information to another entity or its affiliates or service providers in connection with, or during negotiations of, any merger, acquisition, sale of assets or liabilities or any line of business, change in ownership control or financing transaction.


The Marcus Consumer Privacy Notice provides additional information about how we share personal information and choices that you may have.

We also may disclose personal information to others where permissible under applicable laws and regulations or when you provide your consent or direction.

5. Cookies and Other Tracking Technologies

"Cookies” are small text files that may be placed on your browser when you visit websites. When you quit your browser, some Cookies are stored in your computer’s memory, while some expire or disappear.

“Web Beacons,” also known as Internet tags, pixel tags or clear GIFs, are a type of technology placed on a webpage or in an email.

We and our Vendors use Cookies, Web Beacons, session replay, device advertising IDs and similar technologies on the Services for a number of business purposes, such as to monitor our advertising, remember your preferences, personalize your experience, understand how you use and interact with the Services, suggest products tailored to you, for security purposes, to improve the Services and for marketing campaign performance. These technologies collect information about your browser/device and your use of the Services, such as the time/date of access and time spent on the Services, pages visited, language preferences, whether you open our emails, and other traffic data.

You may be able to configure your web browser to decline Cookies and/or configure your email client to not load Web Beacons in emails. Please note that, if you choose to decline Cookies, certain features of the Services may not function properly or may not be accessible to you.

Please see the “Interest-Based Advertising” and “Do Not Track” sections below for information on the choices we provide you regarding Cookies, Web Beacons, and other tracking technologies.

Interest-Based Advertising

Interest-based advertising refers to collecting information about your online activities over time and across different websites, devices, and other online services to deliver advertisements based on online activity. We use interest-based advertising to deliver advertisements and other targeted content to you, including through third-party advertising partners which we may permit to track your visits to the Services using the technologies described above. These third parties may collect information about your online activities over time and across different websites and other online services.

We, and many of the third-party advertising partners that place tracking tools on the Services, are members of the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising. You can learn more about the options available to limit these third parties’ collection and use of your information on our websites by visiting our opt-out page and the websites for the Network Advertising Initiative and the Digital Advertising Alliance. Users of our mobile applications may install the Digital Advertising Alliance’s AppChoices mobile app, available here, and choose to opt out of participating advertising networks’ use of mobile app activity for interest-based advertising purposes.

If you choose to opt out via the web-based tools, a Cookie will be placed on your browser indicating your decision. This Cookie is specific to a particular device and browser, so if you use different browsers or devices, you will need to opt out on each. In addition, because the opt-out is facilitated via Cookies, if you clear your Cookies you will need to opt out again. Likewise, mobile app opt-outs via AppChoices are based on your mobile device’s advertising identifier, so if you reset it, you will need to opt out again via AppChoices.

Do Not Track

We do not respond to the “Do Not Track” browser-based signal. However, our websites are designed to support the Global Privacy Control, described at https://globalprivacycontrol.org/, which you can enable by downloading a participating browser or browser extension.

6. Additional Technology

We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”), on the Services. Google Analytics uses Cookies or other tracking technologies to help us analyze how users interact with and use the Services, compile reports on the Services’ activity and provide other services related to Services’ activity and usage. The technologies used by Google may collect information such as your IP address, time of visit, whether you are a return visitor and any referring website. The information generated by Google Analytics will be transmitted to and stored by Google and will be subject to Google’s privacy policies. To learn more about Google’s partner services and to learn how to opt out of tracking of analytics by Google, click https://www.google.com/policies/privacy/partners/.

7. How We Protect Information

We take the security of personal information, including U.S. Social Security numbers, seriously and work to limit access to personal information to authorized employees, agents, contractors, or vendors. We also maintain physical, electronic and procedural safeguards designed to protect the information against loss, misuse, damage or modification and unauthorized access or disclosure while in our possession.

8. Reporting Security Vulnerabilities

We encourage security professionals to practice responsible disclosure and let us know right away if a vulnerability is discovered with our Services. We will investigate all legitimate reports and follow up if more details are required. Goldman Sachs has engaged with HackerOne to manage all submissions. You can submit vulnerability reports at https://hackerone.com/goldmansachs.

9. Retention of Personal Information

We retain personal information for varying time periods depending on our relationship with you and the status of that relationship. When determining how long to keep personal information, we take into account our legal and regulatory obligations and our legitimate business interests (such as, managing the Services, preventing fraud, responding to regulatory or supervisory inquiries, and establishing, exercising, or defending legal claims, disputes or complaints).

10. California Residents

California residents should be aware that this section does not apply to:

  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and its implementing regulations, the California Financial Information Privacy Act, and the Driver’s Privacy Protection Act of 1994; or
  • Other information subject to a CCPA exception

In the past 12 months, we may have disclosed each category of personal information listed in the “What Personal Information We Collect and Generate” section to one or more of the categories of recipients listed in the “To Whom We Disclose Personal Information” section for the business purposes listed in the “How We Use Personal Information” section.

We may create, maintain and use deidentified information of California residents, and if we do, we will not attempt to reidentify that information unless permitted by California law.

Your Rights

California residents have certain rights in relation to their personal information pursuant to the CCPA. These include the right to:

  • Information about the personal information that we collect about you and the manner in which we use, process and disclose that information;

  • Obtain the specific pieces of personal information that we have collected about you;

  • Correct inaccurate personal information that we maintain about you;

  • Delete certain personal information that we have collected from you;

  • Opt out of the sale and sharing of your personal information to third parties under certain circumstances; and

  • Not be discriminated against as a result of exercising any of the aforementioned rights

Although we collect certain categories of sensitive personal information as described in the “What Personal Information We Collect and Generate” section, we do not use sensitive personal information in ways that the CCPA permits you to limit.

Selling and Sharing

The CCPA requires that we describe disclosures of personal information where:

  • We receive monetary or other valuable consideration (i.e., selling, as defined under the CCPA); or
  • We disclose personal information about you through our website to a third party for cross-context behavioral advertising (i.e., sharing, as defined under the CCPA).

We do not sell, and have not sold in the preceding 12 months, personal information to third parties.

Marcus may share, and may have shared in the preceding 12 months, personal information from the “Personal Identifiers,”  “Device and Online Identifiers and Related Information,” and “Internet, Application, and Network Activity” categories of personal information with advertising and marketing partners to facilitate the delivery and measurement of cross-context behavioral advertising.  To opt-out of sharing, please click the “Your Privacy Choices” link on the footer of the website you are visiting. Please see the “Do Not Track” section above to learn how you can use opt-out preference signals and how they are processed.

If you choose to opt out via the web-based tools, a cookie will be placed on your browser indicating your decision. This cookie is specific to a particular device and browser, so if you use different browsers or devices, you will need to opt out on each. In addition, because the opt-out is facilitated via cookies, if you clear your cookies you will need to opt out again.

We do not knowingly sell or share the personal information of minors under 16 years of age.

Exercising Your Rights

If you would like to discuss or exercise your rights to access, delete or correct your personal information, please contact us through our CCPA Intake Form or at 1-833-971-0826. As part of submitting a request, we will ask for your name, email address, phone number, date of birth, and mailing address.

The CCPA requires that we verify the requests we receive from you when you exercise certain of the rights listed above. To verify your request, we will check the information you provide us in your request against third-party identity verification tools, as well as verify that any personal information relates to you. As part of this process, we may call you after you submit your request to verify information. You may also designate an authorized representative to exercise the rights listed above on your behalf by providing the authorized representative with power of attorney pursuant to the California Probate Code or by executing other documentation we may require, and the representative may make the request by following the instructions above. If an authorized representative submits a request on your behalf, we will contact you to verify that they represent you.

For more information about our CCPA consumer rights request metrics please click here.

11. Additional Choices

You may receive a privacy notice in connection with our Products that describes privacy choices. You may contact us to exercise your choices by following any instructions contained in our privacy notice or marketing materials.

If you decide at any time that you no longer wish to receive marketing emails from one of our lines of business, please follow the “unsubscribe” instructions provided in such emails. Please note that even if you unsubscribe, we may continue to send transactional or administrative emails, such as legally required, regulatory, billing, or service notifications. Your mobile device settings may provide functionality to control push notifications that we may send.

Do-Not-Call Policy

We do not place telemarketing calls to numbers appearing on a state or federal do-not-call list or to a number a person has requested not receive telemarketing calls made by or on behalf of us (unless permitted by applicable law, such as when you request a call). If you ask not to receive telemarketing calls from us, you will be placed on our internal do-not-call list. Any request to be placed on our internal do-not-call list will be processed within a reasonable amount of time, not to exceed 30 days. Our employees involved in our telemarketing campaigns receive training on how to use our internal do-not-call list, and how to document, process and honor requests to be placed on our internal do-not-call list. It is our policy to honor a do-not-call request for five (5) years from the time the request is made unless applicable law requires we honor it for a longer period of time. Subject to applicable law, if you communicate with us by telephone, we may monitor and may record the call. 

12. Links and Third-Party Products and Services

The Services may contain links, QR Codes, and other functionality that connect with certain websites and applications not provided by us, including social media websites (“Third-Party Websites”). We are providing these links and functionality solely as a convenience to you. We are not responsible for and have no liability for the content, features, products, services, privacy policies or terms of service of any Third-Party Websites. The fact that we have provided a link to a Third-Party Website is not an endorsement of that Third-Party Website (including any information or content made available throughout such website) or its owners, sponsors, or operators. We have not tested any information, software or products found on any Third-Party Website and therefore do not make any representations about those websites or any associated products or services.

13. Contact Us

In most cases, you can communicate with us through the Product. If you need to contact us for more information about this Privacy Policy or a privacy notice for a particular Product, or because you have other questions or concerns, you may do so using the information listed below:

  • For Marcus deposits and related products, call us toll-free at 1-855-730-7283 or write us at Goldman Sachs Bank USA, PO Box 70379, Philadelphia, PA 19176-0379.
  • For GM Rewards Cards, call toll-free at 1-833-773-0988, or write us at Goldman Sachs Bank USA, PO Box 70321, Philadelphia, PA 19176-0321.

14. Other Important Information

Any natural person using the Services must be at least 18 years of age. The Services may only be used in the United States, including its territories, or on a United States military base. If you do use the Services outside of the United States, your personal information may be transferred to the United States or other locations outside of your state, province, or country, where privacy laws may not be as protective as those in your state, province, or country. Except as provided in the next sentence, this Privacy Policy shall be governed by and construed in accordance with federal law and any applicable laws of the State of Utah without regard to rules concerning conflicts of law or choice of law. If you are a New York resident, this Privacy Policy shall be governed by and construed in accordance with federal law and the laws of the State of New York, without regard to rules concerning conflicts of law or choice of law.

15. Updates to this Privacy Policy

We may change this Privacy Policy from time-to-time. If we make changes to this Privacy Policy, we will update the “Last updated on” date at the top of this page. Any changes to this Privacy Policy will become effective when posted unless indicated otherwise. Your continued use of the Services following the posting of any changes will mean that you accept those changes.