Last Updated: April 20, 2023
This Privacy Policy for California Residents (“Privacy Policy”) applies solely to natural persons who are California residents (“consumers” or “you”). Not all of Vistra’s family of companies does business in California, so this Privacy Policy only pertains to the digital properties that do (for example, Ambit Energy). Any terms defined in the California Consumer Privacy Act of 2018 (CCPA) have the same meaning when used in this Privacy Policy. This Privacy Policy does not apply to information we collect about employees, job applicants, and independent contractors (for which we have distinct privacy policies).
We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household or device (“personal information”). The categories of personal information we collect from consumers within the last twelve (12) months are set out in Attachment A attached to this Privacy Policy.
As set out in detail in Attachment A we obtain the categories of personal information from the following categories of sources:
We may use “cookie” technology on our websites. “Cookies” are small text files used by a website to recognize repeat users, facilitate the user's access to and use of the site, and to track behavior on the website pages you visit, among other uses. Our websites may automatically collect cookies and other information, including, but not limited to, your domain name. We may compile aggregate data for statistical purposes in order to improve the content of our websites or to better administer the web pages available on our websites.
Our cookie usage includes, but is not limited to, advertising cookies. For example, we use Google Analytics to evaluate the use of our websites. Google Analytics uses cookies and other identifiers to collect information, such as how often users visit a website, what pages they visit when they do so, and what other websites they visited prior to visiting a website. We also leverage SessionCam which utilizes heat mapping technology. To the extent any information occurs in the advertising context, it does not reveal any personal identifiers of a user; however, it is often connected to an AdID or other online identifiers. Because our advertising and analytics partners may use this information to provide services to a broad category of companies, our use of their services may be considered a “sale” of personal information under the CCPA. To learn more about how you can opt out of our sharing information in ways that may be considered a “sale” under California law, please review the Sharing Sales of Personal Information and Rights Do Not Sell Rights sections below.
We may use, disclose or share the personal information we collect for one or more of the following purposes:
Vistra Corp will not collect additional categories of personal information or use the personal information we have collected for materially different, unrelated, or incompatible purposes without providing a form of notice.
Disclosures of Personal Information for a Business Purpose
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, we disclosed for a business purpose only such categories of personal information as set out in Attachment A attached to this Privacy Policy.
We disclose your personal information for performing a business purpose to the following categories of third parties:
Sales of Personal Information
Vistra Corp does not sell consumer information, including personal information about your energy consumption. However, we use third party advertising and analytics partners which collects information from visitors to our websites and apps and use that information to provide services to Vistra Corp and other companies. For example, these third parties help facilitate digital advertising by placing cookies and other trackers that collect information about your browsing and interactions with other websites and use that information to deliver information to you about products and services that may interest you. This may be considered a “sale” of personal information under the CCPA and you have a right to opt out of such data processing. Once again, not all of Vistra’s family of companies does business in California. To exercise your right to opt-out of the sale of your personal information in connection with a digital property that does operate in California, you (or your authorized representative) may submit a request to us by visiting this link: Do Not Sell My Information Form.
Our products and services are not directed to minors under the age of 13. We do not sell personal information of minors under 16 years of age without affirmative authorization.
Additional Information About How We May Share Personal Information
Vistra Corp may also share your personal information as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property or safety of others, including to law enforcement agencies, and judicial and regulatory authorities. We may also share your personal information with third parties to help detect and protect against fraud or data security vulnerabilities. And we may transfer your personal information to a third party in the event of a sale, merger, reorganization of our entity or other restructuring.
The CCPA provides you with specific rights regarding your personal information. This section describes your CCPA rights and explains how to exercise those rights.
Do Not Sell Rights
To exercise your right to opt-out of the sale of your personal information, you (or your authorized representative) may submit a request to us by visiting this link: Do Not Sell My Information Form. For more information on your Do Not Sell right, see here Sales of Personal Information.
Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales. You may change your mind and opt back in to personal information sales at any time by contacting us at one of the methods set forth below under Contact Information.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and verify a request from you or your authorized agent, we will delete (and direct our service providers to delete) your personal information from our, and their records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us using one of the following methods:
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
Members of the same California household may also jointly request access to specific pieces of personal information, or to delete all of a household’s personal information. However, to do so, you must either make the request through your household’s account or each member of the household will have to verify the request.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. If we are unable to verify your identity with the degree of certainty required, we will not be able to fulfil your request. We will notify you to explain the basis of the denial.
If we have a good-faith, reasonable belief that a request to opt-out of the sale of personal information is fraudulent, we may deny the request. Should this occur, we will inform you and explain why we believe the request is fraudulent.
Making a verifiable consumer request does not require you to create an account with us, and we will not seek any personal information from you that we did not already have associated with the account. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
For requests for access or deletion, we will first acknowledge receipt of your request within ten (10) business days of receipt of your request. We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 45 days), we will inform you of the reason and extension period in writing. For requests to not sell your personal information, we will comply no later than fifteen (15) business days after receipt of your request.
Any disclosures we provide will at a minimum cover the 12-month period preceding the date of your verifiable request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will provide your personal information in a format that is readily useable and will allow you to transmit the information as you choose.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Other California Privacy Rights
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact us using one of the methods set forth below under Contact Information.
Third Party Websites
Our Sites may contain links to other third-party websites, which may have privacy policies that differ from our own. We are not responsible for the activities and practices that take place on these websites. Accordingly, we recommend that you review the privacy policies posted on any website that you may access through our Sites.
How We Keep Your Personal Information Secure
We implement and maintain reasonable security measures appropriate to the nature of the personal information that we collect, use, retain, transfer or otherwise process. Those measures include administrative, physical and technical safeguards to protect the security, confidentiality and integrity of personal information. However, data security incidents and breaches can occur due to a variety of factors that cannot reasonably be prevented; therefore, our safeguards may not always be adequate to prevent all breaches of security.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
However, we may in the future offer you certain financial incentives permitted by CCPA section § 999.307 that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time. We do not currently provide financial incentives.
Vistra Corp reserves the right to amend this Privacy Policy at our discretion and at any time. When we make changes to this Privacy Policy, we will post the updated Privacy Policy on our websites and update the Privacy Policy’s effective date. Your continued use of our websites and services following the posting of changes to our Privacy Policy constitutes your acceptance of such changes.
If you have any questions or comments about the ways in which Vistra Corp collects and uses your personal information described in this Privacy Policy for California Residents, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Phone: 844-359-1877
Website:
Consumer Request Form
Email:
privacy@vistracorp.com
Category | Personal Information Collected | Categories of Sources | Use of Personal Information | Disclosure |
---|---|---|---|---|
1. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, and passport number, or, other similar identifiers. |
|
|
Yes, for a business purpose. |
2. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, telephone number, passport number, driver’s license or state identification card number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, or medical information. Some personal information included in this category may overlap with other categories. |
|
Yes, for a business purpose. | |
3. Protected classification characteristics under California or federal law. | Age (40 years or older), marital status, medical condition, physical or mental disability, or gender or gender identity. |
|
Yes, for a business purpose. | |
4. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. |
|
|
Yes, for a business purpose. |
5. Internet or other electronic activity information. | Device and browser type, browsing and search history on our Sites, and information regarding user interactions with our Sites and advertisements. |
|
|
Yes, for a business purpose. |
6. Geolocation information | Information about your service or physical location. |
|
|
Yes, for a business purpose. |
10. Audio and visual information | Recordings of customer service calls or video captured on CCTV security cameras installed in our facilities or buildings. |
|
|
Yes, for a business purpose. |
11. Any inferences drawn from Categories 1-10. | Customer segmentation and profiles reflecting preferences, characteristics, predispositions, and behavior. |
|
|
Yes, for a business purpose. |