CASTLIGHT COMPANIES’ PRIVACY STATEMENT
Last Updated May 11, 2018
Castlight Health, Inc. (“Castlight”), and its wholly owned subsidiary Jiff, Inc. (“Jiff”) (collectively “Castlight Companies”), value our relationship with you and we respect your privacy. We have prepared this Privacy Statement to help you better understand how we collect, use, store, process, and transfer your Personal Information (i.e. any data that can be used on its own or with other information to identify you), and your choices regarding collected Personal Information.
This Privacy Statement covers: (1) the Castlight website at https://us.castlighthealth.com (including its subpages) and/or when you use the Castlight Mobile app, collectively, the “Care Guidance Sites”; and (2) the Jiff – Health Benefits mobile app, and https://app.jiff.com/#/auth2/app (including its subpages), collectively, the “Wellbeing Sites” (jointly “Sites”). For ease of review, this Privacy Statement is organized in sections which are specific to: (1) the Care Guidance Sites; (2) the Wellbeing Sites; and (3) both.
If you have questions or concerns regarding this Privacy Statement, contact us at Castlight Health, Inc., 150 Spear Street, Suite 400, San Francisco, CA 94105, Attn: Chief Privacy Officer/Data Protection Officer. For questions or concerns regarding the Care Guidance Site, you can contact us by email at firstname.lastname@example.org. For questions or concerns regarding the Wellbeing Sites you can contact us by email at email@example.com.
CASTLIGHT’S CARE GUIDANCE SITES
Castlight’s Care Guidance Sites provide services only to users based in the United States.
Personal Information We Collect
Castlight collects Personal Information about you from both you and others at several points in our provision of service through the Care Guidance Sites.
- Information Requests. When you request more information about our services provided through the Care Guidance Sites prior to registering, you will be required to provide Personal Information (such as your name and email address) so we can connect with you to provide information you seek.
- Pre-Registration. You may be pre-registered for Castlight by a health plan sponsored by an Employer (i.e. the specific Castlight Companies’ customer who authorized your access to the applicable Sites), or such health plan’s third-party administrator, which may include, administrators for medical, dental, pharmacy, and behavioral health services (“TPAs”). The pre-registration process requires the collection of Personal Information about you (for example, name and email address). Your health plan may provide (or may have its TPAs provide) additional information such as a unique identifier (for example, social security numbers or employee IDs). This information is used by Castlight to securely verify your identity to set up your account for the Care Guidance Sites.
- Registration. We require the collection of Personal Information as part of the registration process (for example, name, email address, home zip code, birth date, some of which may be provided by your health plan or its TPAs to Castlight). You may provide additional information, some of which may be Personal Information (for example, health plan, health plan subscriber ID number, the name of your physician, email address, home phone number, and home address). We encourage you to provide this information to enable optimal use of the Care Guidance Service. In many cases, you will be asked to enter this information directly. In other cases, that information may be pre-filled if we have already received such information from your health plan (either directly or through its TPAs). If you arrive at the Care Guidance Sites directly, the registration process requires you to choose a unique identifier (for example, username and password) for your account for the Care Guidance Sites. If you arrive at the Care Guidance Sites through an Employer or Employer designated website, such website may provide a unique identifier that confirms to Castlight that you are an authorized member from such Employer or Employer designated website.
- Communications. The purpose of the services we provide via the Care Guidance Sites is to provide you with the ability to understand, analyze and better organize your healthcare and related financial information. Castlight records and maintains certain communications (for example, emails and other communications with Castlight). Castlight considers these communications to be personal and private and unless your explicitly agree to additional use and disclosure of such communications, will not use or disclose these communications except as provided for in this Privacy Statement.
- Health Plan Related Information. Your health plan (either directly or through its TPAs) may provide Castlight with, or Castlight may otherwise access and collect from such parties, healthcare financial information or other information about you for Castlight to provide our services via the Care Guidance Sites and only for that purpose. This may include sharing of information about you via integration between the service provided via the Care Guidance Sites and certain systems used by you and by your health plan or its TPAs containing information about you. The provision and sharing of this information is optional by your health plan or its TPAs and they may require you to provide them with certain consents.
- Payor Information. Castlight may request and collect financial information and relevant health plan or other payor information from you.
- Device and OS Version. When you download and use Castlight Mobile, we collect information on the type of device you use and operating system version.
- Log Files. As with most websites, Castlight automatically collects and stores in log files the Internet Protocol (“IP”) address of the computer you are using, the name of the domain and host from which you access the Internet, the browser software you use and your operating system, the date and time you access the service, and the Internet address of the website from which you directly linked to Castlight. We may combine this automatically collected log information with other information we collect about you. Castlight uses this log file information to analyze trends, administer the service, and monitor service traffic and usage patterns for internal security purposes and to help make the Castlight service more useful.
How We Use and Share Your Personal Information
- Facilitating and Coordinating Benefits. Your Personal Information, such as certain healthcare related claims data, may be used and disclosed to facilitate and coordinate your receipt of insurance benefits.
- Surveys. Your Personal Information may be used and disclosed so that we can survey you to evaluate and improve our services provided via the Care Guidance Sites. Your participation in such surveys is completely voluntary. If you decide to participate, we may request Personal information from you such as contact information (for example, name and shipping address) and demographic information (for example, age). We use this information to improve the services we provide via the Care Guidance Sites and develop new products. We may use a third-party service provider to conduct these surveys. Such third-party service providers may not use or disclose your Personal Information other than to provide such survey related services to Castlight.
- Business Partners. Castlight may work with business partners in making services provided via the Care Guidance Sites available to our users. We require business partners to support privacy policies that are substantially similar policies as Castlight’s. When you sign up for services provided via the Care Guidance Sites, we will share Personal Information only as necessary for our business partner to provide related services. Such related services include user support, email communications management and behavioral health services. These parties are not allowed to use your Personal Information except for the purpose of providing these services.
- Health Plan. All disclosures to your health plan will be in strict compliance with the limitations imposed on disclosures of Protected Health Information (“PHI”) (as defined by HIPAA) to group health plans under the HIPAA Privacy Rule.
- Other Possible Uses and Disclosures. Your Personal Information may also be used and disclosed to:
- Operate and provide the services we make available via the Care Guidance Sites and to help us decide what services will meet our users’ needs.
- Communicate with you about customer service issues.
- Inform you about features of services we provide via the Care Guidance Sites and the benefits of such features.
- Use your health care provider and/or insurance plan information to customize your experience, or to show your health plan or its TPAs’ logos on Care Guidance Sites’ web pages.
- Comply with laws (for example, if Castlight is required to comply with a subpoena or similar legal process).
- Protect your safety or the safety of others, investigate fraud, respond to a government request, or protect our rights.
- Facilitate a merger, acquisition, or sale of all or a portion of Castlight’s assets. You will be notified via email and/or a prominent notice on our Care Guidance Sites of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.
Your Choices and Access to Personal Information
In certain situations, Castlight has no direct relationship with the United States based individuals whose Personal Information it processes. An individual who seeks to access, change, correct, or remove Personal Information should direct their inquiry to the applicable Employer (the data controller). If you have any questions regarding this, we will respond to requests within thirty (30) days.
Otherwise, you can make any of the access and choice requests below by emailing firstname.lastname@example.org or contacting us at (888) 722-0483.
- Change or Correct Personal Information. You can update or correct some of your Personal Information through your account profile page on the Care Guidance Sites. To the extent you need further assistance updating or correcting your Personal Information, you may request Castlight’s assistance.
- Remove Personal Information and Account Deactivation. You may request Castlight to remove all your Personal Information, in which case your account on the Care Guidance Sites will be deactivated. Similarly, you can ask Castlight to deactivate your account on the Care Guidance Sites, which will result in the deletion of all your Personal Information.
- Invitations. If you no longer wish to receive invitations to register for services Castlight provides via the Care Guidance Sites, you may notify Castlight by contacting us at (888) 722-0483 or at email@example.com and we will cease sending such invitations to you.
- Updates and Marketing from Castlight. Castlight may provide updates, tips or education, or may promote the services we provide via the Care Guidance Sites to inform you about available benefits. You can expect to receive up to five (5) communications per month from Castlight. You can opt-out of any such communications at any time by clicking on the “unsubscribe” link in such communication or communicate back to Castlight with the subject line “Unsubscribe” to firstname.lastname@example.org.
Castlight may also send you marketing related SMS, MMS or other text or native mobile messages (“Castlight Health Alerts“). You are not required to accept Castlight Health Alerts to use the services provided on the Care Guidance Sites. To opt-out of any Castlight Health Alerts, text “STOP” to 35925 or reply “STOP” to a text message received from Castlight. For additional information, text HELP to 35925. You may also call (888) 722-0483 or email email@example.com. Message and data rates may apply from your mobile carrier. If your carrier is T-Mobile, T-Mobile is not liable for delayed or undelivered messages.
- Location Based Services. You may opt-out of Castlight Mobile’s location based services at any time by adjusting your device setting.
- Added Services. As we add services to the Castlight Guidance Sites that require the collection, use or disclosure of Personal Information other than as set forth in this Privacy Statement, we will offer users the option to opt-in or out of those services. If you wish to opt-out of these services, you may notify us at firstname.lastname@example.org.
- Permissions. If another individual is viewing/managing your account with your permission (for example, one spouse managing the account another spouse), this person can view all your information entered in your account for the Care Guidance Sites on your behalf. You can request the activation or deactivation of the authorization of an account manager at any time by notifying Castlight at email@example.com.
- Storage and Maintenance of Information. Castlight will store and maintain Personal Information in accordance with the requirements agreed to by Castlight and your health plan or its TPA even if you terminate employment with your current employer, unless you notify Castlight by contacting us at firstname.lastname@example.org or by calling us at (888) 722-0483, that either: (i) you wish to Remove (as defined below) all or a portion of your Personal Information from Castlight’s system; or (ii) you wish to have Castlight retain all or a portion of such Personal Information. We will also retain your Personal Information for as long as your account for the Care Guidance Sites is active or as needed to provide you services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
For the purposes of this Privacy Statement, “Removed” shall mean that your data has been de-identified in accordance with the HIPAA Privacy Rule so the data is no longer associated with any identifier of you and cannot be re-identified in accordance with the HIPAA Privacy Rule. For more information on the specific requirements that Castlight and your health plan or its TPA agreed we would follow, you may contact your health plan or its TPA or contact us at (888) 722-0483 or at email@example.com.
The security of your Personal Information is important to us. All communication between you and the Castlight server is secured by using TLS v1.2. Castlight takes commercially reasonable measures to secure your Personal Information on our servers. The data center we use is both physically and electronically secured. Our internet servers are protected on the internet behind a firewall which is a hardware and software system that blocks access by unauthorized parties.
We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet or method of electronic storage is 100% secure and we cannot guarantee its absolute security. If you have any questions about security on our Sites, you can contact us at firstname.lastname@example.org.
The Tracking Technologies We Use
Technologies such as cookies, beacons, tags, scripts and other storage technologies are used by Castlight and our partners (including digital advertising partners such as Facebook and Google), affiliates, or analytics or service providers (such as video hosting providers) to collect or receive information. These technologies include Google Analytics and more specifically, Google Analytics Advertising Features known as “Remarketing” and “Audience Demographics and Interest Reporting.” Castlight uses these technologies for analyzing trends, providing measurement services administering the Care Guidance Sites, tracking users’ movements on the Care Guidance Sites and elsewhere on the internet, marketing our services (including via targeted remarketing ads), and to gather demographic information about our user base. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
We use Local Storage Objects (LSOs) such as HTML5 to store content information and preferences. Third parties with whom we partner to provide certain features on our Sites or to display advertising based upon your web browsing activity use LSOs such as HTML 5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.
We use mobile analytics software to allow us to better understand the functionality of Castlight Mobile on your phone. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage and performance data, and where the application was downloaded from. We do not link the information we store within the analytics software to any Personal Information you submit within Castlight Mobile.
Retention of Personal Information
Castlight will retain your Personal Information for as long as your account on the Care Guidance is active, as needed to provide you services via the Wellbeing Sites or based on information we receive from your Employer. We will retain and use your Personal Information only to the extent it is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We have established internal policies for the deletion of data from customer accounts following termination of a customer’s account with our Services.
JIFF’S WELLBEING SITES
The Wellbeing Sites provide services to users in the United States, and in other countries.
Personal Information We Collect
- Information Collected from You. Jiff may collect the following Personal Information from you regarding your use of the services provided via the Wellbeing Sites and PSP Services requested by your Employer:
- Email address and password during account creation
- Financial information, including credit card information
- Demographic and general health and financial information, including date of birth, gender, zip code, height, weight (for some products and services, these details are required as part of your registration process)
- Activity data that you enter or upload into your tracking device, webpage or mobile application such as steps activity data, sleep and food activity data and other data
- Medical or lab completion data or claims data submitted by your insurance company, but only if authorized by you through your Employer
- Any additional information that you add manually to the services provided via the Wellbeing Sites, including answers to surveys and questionnaires, behavioral and mood information, goals, and preferences
- Data through access to your calendar if you authorize such calendar access
- IP address, unique temporary or persistent device identifiers, and certain hardware information about your computer or mobile device
- User behavior based upon click stream history or contained in log files (e.g. IP address, browser versions, OS versions, internet service provider “ISP” information, date/time stamp, surfing and viewing habits, operating system) of how users are using the Wellbeing Sites and which pages the users have visited
- Geolocation information that is automatically transmitted based on your choice to use of certain tracking devices and applications that automatically provide this information along with other activity data
- Fitness tracker information you provide
- Information You Authorize Third-Parties to Provide. You may authorize third-parties to provide certain data, such as fitness tracker information to Jiff through third-party devices, applications, or services. By linking your tracking device, tracking application, or certain PSP program accounts through the services provided via the Wellbeing Sites, Jiff will have access to Personal Information collected through such tracking device, tracking application, or certain PSP program. At any time, you can unlink your tracking device or tracking application to the services provided via the Wellbeing Sites by revoking Jiff’s access through the applicable tracking device or tracking application, which stops the flow of Personal Data to Jiff. You can also manage the tracking devices or tracking applications linked to your user account for the services provided via the Wellbeing Sites by turning the sync setting “on” or “off” provided however, your selection does not stop Personal Data from tracking devices or tracking applications from being sent to Jiff but it rather, Jiff stops syncing such data with your account. Please note that for PSP programs, Jiff will continue to receive your data from PSPs unless you contact such PSP programs and request that they stop sharing your Personal Information with Jiff.
- Information You Share About Your Contacts. You may provide information about your contacts to Jiff, such as their name and email address to share content or to invite your contacts to register for services provided via the Wellbeing Sites. When you provide us with Personal Information about your contacts, we will only use this information for the specific purpose for which it was provided. If you believe that one of your contacts has provided us with your Personal Information and you would like to request that it be removed from our database, please contact us at email@example.com.
- Information Collected from Your Employer. To enable your use of the services provided via the Wellbeing Sites, you authorize your Employer to provide Jiff your first and last name, email address and employee ID. You also authorize your Employer to provide Jiff your date of birth, mailing address and any additional information as required to provide certain options or additional services.
- Information Collected and Shared by and Between Jiff and PSPs. The Personal Information Jiff or PSPs may collect and share with each other (as part of Jiff’s agreement with your Employer to provide PSP Services and services via the Wellbeing Sites) may also include:
- User data derived from physical activity (such as steps and active minutes), sleep, calories burned, standing time, calories consumed, heart rate, food activity data, nutrition data, satisfaction data, cognition, stress, survey comments, parenting advice, collaborative games, news feed comments and other data that you enter or upload into your tracking device, wearables, webpage or mobile application
- User enrollment, registration, and account creation data
- Healthcare claims data and pharmacy claims data from third-parties such as your insurance company as requested or provided indirectly by your Employer
- Activity completion status (i.e. “Started,” “In Progress,” or “Completed”)
- Data concerning health status such as Health Risk Assessments (HRA), Lab data, Risk scores and user responses to questions in HRA with action steps for scheduling and completion of survey(s) and Biometric screenings
- Biometric data such as BMI (body mass index), blood pressure, cholesterol, and related health screenings with action steps for scheduling and completion of tests towards incentives for achieving set thresholds or improving set thresholds, and other health status programs
- Managed health programs related data such as: (i) disease and care management for chronic conditions such as diabetes, asthma, autism, participation in program(s), action steps indicating completion of tasks towards incentives for achieving set thresholds or improving set thresholds; (ii) Employee Assistance Programs (EAP), including enrollment, participation and action steps towards incentives for completion of task(s), medication management; prescription and nonprescription medications used, dosage, frequency action steps towards incentives for completion of task(s), and; (iii) other managed health programs
- Access to care related data such as: (i) virtual care services such as second opinion and telemedicine including registration/enrollment, health profile, service utilization and action steps towards incentives for completion of task(s); (ii) in-person care such as retail clinics, medical and dental care providers including scheduled visit(s), primary diagnosis, ordered lab tests, biometric results and action steps towards incentives for completion of task(s), provider search and scheduling, user search terms, search results, scheduled appointments and action steps towards incentives for completion of task(s); (iii) medical and dental insurers including available plan options, plan membership, medical and dental claims, triggers for recommended services based on processed claims; and (iv) other access care programs
- Health maintenance and wellness related data such as: (i) weight management including weight tracked, participation in programs and action steps indicating completion of tasks towards incentives for achieving set thresholds or improving set thresholds; (ii) pregnancy/fertility including weight, kicks, exercise, as well as personal health information such as due date, stress/resilience, cognitive and emotional assessments through games and videos with action steps for scheduling and completion of tasks; (iv) nutrition management including completion data towards incentives for achieving set thresholds or improving set threshold; (v) smoking cessation including tobacco use, nicotine replacement therapy, action steps towards incentives for completion of the task(s); (vi) physical fitness including fitness center check-ins, workout participation, and action steps towards incentives for completion of the task(s); (vii) sleep management including sleep duration, sleep quality and action steps towards incentives for completion of task(s); and (viii) other health maintenance and wellness programs
- Finance and wealth management related data such as: (i) retirement services such as 401(k) – available retirement plan options, enrollment, participation and action steps towards incentives for completion of task(s); (ii) tax-advantaged savings services such as Health Savings Accounts (HSA), Flexible Spending Accounts (FSA) – available services, enrollment, participation, and action steps towards incentives for completion of task(s); (iii) financial wellness including available educational programs, content, participation action steps towards incentives for completion of the task(s), and (iv) other finance and wealth programs
How Your Personal Information Is Used
Jiff and PSPs use your Personal Information:
- To administer, monitor and moderate the services provided via the Wellbeing Sites and PSP Services
- To direct you to programs, actions, content and events that may be pertinent and helpful to you based on relevant data, such as information you choose to share with Jiff or benefit programs your Employer wishes to promote
- To support incentives that encourage you to use programs that can help you achieve your goals
- To implement and provide you with services provided via the Wellbeing Sites and PSP Services customized to your needs
- To help a PSP support its programs for you on the services provided via the Wellbeing Sites
- To improve and promote the services provided via the Wellbeing Sites and PSP Services
- To ensure that that you have registered or completed setting up an account for the Wellbeing Sites, that you are using the Wellbeing Sites, or that you have started or completed some set of activities or achieved a desired goal using the PSP Services or the services provided by the Wellbeing Sites
- To send notices or other communications to you from time to time
- To administer any sweepstakes or promotions, purchases, donations or other activities that you are involved in using the services provided via the Wellbeing Sites and the PSP Services
- To update terms, conditions, and policies
- For internal purposes such as auditing, data analysis and research, to improve our content, to develop, deliver, understand performance, to perform internal market research, project planning, diagnosing or troubleshooting problems, administer the Wellbeing Sites, to improve analytics and to detect and protect against error, fraud or other criminal activity
Disclosure of Your Personal Information
- Disclosures to Third Party Administrators (TPAs). If required by your Employer and you consent, we may provide your Personal Information to TPAs (that have signed a confidentiality agreement with Jiff or your Employer agreeing to protect your Personal Information) who will access your Personal Information, de-identify it and create aggregated anonymous analytical data for your Employer’s health and wellness programs. We may also disclose your Personal Information to any other third-party with your prior affirmative consent.
- Sharing Options with Spouses, Domestic Partners, Family or Friends. Some programs allow you to share your Personal Information with a spouse, domestic partner, other family member or other third person that you designate, while using the PSP Services and services provided via the Wellbeing Sites. Additionally, you may tag your friends to follow them or allow others to follow you, add comments and notes, have conversations and otherwise share your Personal Information. Jiff is not able to remove comments, postings, or content posted by an individual following or mentioning you.
- Third Party Orders. If you order a device, application, or service through the services provided via the Wellbeing Sites that is marketed or sold by a third-party, Jiff may provide your name and contact information to such third-party to facilitate the order. Your payment information will not be shared with these third-parties. If You do not want us to share Your Personal Information with these third-parties, contact us at firstname.lastname@example.org.
- Business Partners.
- Jiff may share the information it collects from you, including Personal Information, with companies who provide services such as: information processing; fulfilling customer orders; delivering products, rewards, incentives to you; managing Employer data; providing customer service; conducting customer research or satisfaction surveys; and other subcontracted services for Jiff or your Employer through Jiff. These companies are authorized to use your Personal Information only as necessary to provide these products and services to you and are obligated to protect your information. For example, if you use a credit card to make a purchase using the services provided via the Wellbeing Sites, your credit card information will be shared with Jiff’s credit card processing company. If you do not wish to have your credit card information passed to our credit card processing company, please refrain from providing us such information.
- We may use also a third-party vendor to help us manage some of our email communications with you. Although we may supply this vendor with email addresses of those we wish for them to contact, your email address is never used for any purpose other than to communicate with you on our behalf. When you click on a link in an email, you may temporarily be redirected through one of the vendor’s servers (although this process will be invisible to you) which will register that you have clicked on that link and have visited the Wellbeing Sites. We never share any information, other than your email address, with our third-party email vendor, which does not share these email addresses with anyone else. You may opt-out at any time by clicking on the “Unsubscribe” link at the bottom of these emails, accessing the email preferences in your account settings page, or by contacting us at email@example.com.
- Jiff may also share email addresses with PSPs for the programs that you have registered for so they can send information concerning the program pertaining to you.
- Disclosures to Your Employer. To the extent permitted under applicable laws including HIPAA, Jiff may provide your Employer on an ongoing basis with data necessary to enable your Employer to manage incentive, reward, and wellness programs, including providing points earned to administrate subsidies and other benefits related accounting processes. This may include aggregated data related to program performance and population health to employers for the ongoing administration and evaluation of the programs. Unless permitted under HIPAA, Jiff will not disclose Protected Health Information (“PHI”) (as defined in HIPAA) to your Employer.
- Disclosure of User Profiles and Submissions. Profile information, including your name, location, and any video or image content that you upload to the Wellbeing Sites may be displayed to other users to facilitate user interaction within the Wellbeing Sites. You can limit the profile information that can be seen by others by: (a) only uploading certain information; or (b) adjusting your account privacy settings. Any content you upload to your public user profile, along with any Personal Information or content that you voluntarily disclose online in a manner other users can view (on discussion boards, in messages and chat areas, etc.) becomes publicly available, and can be collected and used by others. At Jiff’s sole discretion, Jiff reserves the right to remove any comments it deems inappropriate. Your user name may also be displayed to other users when you send messages or comments or upload images or videos through the Wellbeing Sites, and other users can contact you through messages and comments. Jiff does not control the policies and practices of any other third-party site or service, including any PSP site or service.
- Compliance. In certain situations, Jiff may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your Personal Information as required by law, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process when that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
- Corporate Events. Your Personal Information could be transferred to or acquired by a third-party in the event of a merger or acquisition. You will be notified via email and/or a prominent notice on the Wellbeing Sites, of any change in our current ownership, uses of your Personal Information, and choices you may have regarding your Personal Information.
Your Choices in Relation to and Access to Personal Information
- Push Notification and Other Communications. From time to time, Jiff may provide push notifications to update you about any events or promotions. You may turn off push notifications at the device level.
- User Access and Choice. In certain situations, Jiff has no direct relationship with individuals whose Personal Information it processes. An individual who seeks access, or who wishes to change, correct or remove Personal Information should first direct such inquiry to his/her Employer. We will respond to requests to us within thirty (30) days or within a reasonable time frame.
You may also make any of the access and choice requests below to Jiff by emailing firstname.lastname@example.org and we will respond within a reasonable time frame.
- You can ask Jiff whether we hold Personal Information about you.
- You can update or correct some of your Personal Information through your account profile page on the Wellbeing Sites. To the extent you need additional assistance, you can request Jiff or correct your Personal Information if it is inaccurate.
- You may request Jiff to remove all your Personal Information, in which case your account on the Wellbeing Sites will be deactivated.
Retention of Personal Information
Jiff will retain your Personal Information for as long as your account on the Wellbeing Sites is active, as needed to provide you services via the Wellbeing Sites or based on information we receive from your Employer. We will retain and use your Personal Information only to the extent it is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We have established internal policies for the deletion of data from customer accounts following termination of a customer’s account with our Services.
Personal Information from the EU
Legal Bases for Processing Personal Information from the EU
As described in this Privacy Statement, we use your Personal Information if it is necessary to carry out our obligations arising from any contracts entered into between you and us or to take steps at your request prior to entering into a contract with you. We may process your Personal Information for specific purposes based on your prior consent. We may collect and process your Personal Information for our legitimate interests to protect our property, rights or safety of our customers or others or to offer information on our services we feel may interest you. In addition, it may be our legal obligation to use or share your Personal Information with third parties, such as public authorities or law enforcement bodies. We may also use with that standard contractual clauses for international transfers of EU Personal Information.
If you are located in the European Economic Area (EEA), we will only contact you by electronic means (email or SMS) with information about products or services that are similar to those you previously or currently use. You can object to any direct marketing at any time and your Personal Information will no longer be processed for such purposes. Direct marketing includes any communications to you that are only based on advertising or promoting products and services. If you do not want us to use your Personal Information in this way, or to pass your Personal Information on to third parties for marketing purposes, please contact us at email@example.com. You may not unsubscribe from non-promotional, service-related communications.
Where EU data protection laws apply, you will have the rights described below. In certain situations, Jiff, as a processor, has no direct relationship with individuals whose Personal Information it processes. An individual who seeks access, or who wishes to change, correct or remove Personal Information may want to first direct such inquiries to his/her Employer.
You can ask Jiff whether we hold Personal Information about you. You can exercise your privacy rights by contacting us at firstname.lastname@example.org and we will handle your request under applicable law. When you make a request, we will verify your identity to protect your privacy and security.
- Right to withdraw consent. To the extent we requested your consent to process your Personal Information, you have the right to withdraw your consent to the processing of your Personal Information at any time. Your withdrawal will not affect the lawfulness of our processing based on consent before your withdrawal.
- Right of access to and rectification of your Personal Information. You can update or correct some of your Personal Information through your account profile page on the Wellbeing Sites. You may also request Jiff to provide you with a copy of your Personal Information held by us. If you request to access or rectify any other information, we will do our best to provide it to you without undue delay, subject to some fee associated with gathering of the information, as permitted by law. We may reject part or all your request if responding to your request could adversely affect the rights and freedoms of others. Please contact us and we will respond to all reasonable inquiries.
- Right to erasure (or, “Right to be Forgotten”). We allow you to delete their account at any time. You have the right to request erasure of Personal Information that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing that you previously consented, but later withdraw such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. Our assistance with your request for erasure is subject to limitations by relevant data protection laws.
- Right to data portability. If Jiff processes your Personal Information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your Personal Information in a structured, commonly used and machine-readable format, unless exercise of this right adversely affects the rights and freedoms of others.
- Right to restriction of or processing. You have the right to restrict or object to our processing of your Personal Information where one of the following applies: (a) you dispute the accuracy of Personal Information processed by Jiff (for a period enabling us to verify its accuracy); (b) the processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use instead; (c) Jiff no longer needs the Personal Information for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims; and (d) you have objected to certain processing relying on legitimate interest, pending the verification whether Jiff’s legitimate grounds override your rights. In some cases, your ability to use all or portions of the services via the Wellbeing Sites may be limited by Jiff’s inability to use your Personal Information. Restricted Personal Information shall only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will notify you if the restriction is lifted.
- Notification of erasure, rectification and restriction. We will provide notice to each recipient that we disclosed your Personal Information to regarding any rectification or erasure of Personal Information or restriction of processing, unless you initiated the disclosure, or providing notice proves impossible or involves disproportionate effort.
- Right to object to processing. Where the processing of your Personal Information is based on consent, contract or legitimate interests described under Legal Bases for Processing heading above, you may restrict or object, at any time, to the processing of your Personal Information as permitted by applicable law. We may continue to process your Personal Information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.
- Automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, except as allowed under applicable data protection laws. The services provided by the Wellbeing Sites do not engage in such automated processing.
- Right to lodge a complaint. If you believe that we violated your rights under EU data protection law, we encourage you to contact us first at email@example.com so that we can try to resolve your concern. You have also a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement.
- Retention of your Personal Information. Unless you make a request for us to close your account or delete certain Personal Information (i.e. User Content, etc.), we will store your Personal Information as long as your account is open. If you request to close your account, we will take the steps to delete all your Personal Information, unless a longer retention period is required or permitted by law. We have established internal policies for the deletion of data from customer accounts following termination of a customer’s account with our Services.
Please note, your privacy rights are not absolute. Access may be denied when:
- Denial of access is required or authorized by law;
- Granting access would have a negative impact on other’s privacy;
- To protect our or others’ rights and properties; and
- Where the request is frivolous or burdensome.
International Transfers of Personal Information from the EU to the United States
The Castlight Companies participate in and have certified our compliance with the EU-U.S. and Swiss-EU Privacy Shield Framework. We are committed to subjecting all Personal Information received from European Union member countries or Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, you can visit the U.S. Department of Commerce’s Privacy Shield List.
The Castlight Companies are responsible for the processing of Personal Information received under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on our behalf. The Castlight Companies comply with the Privacy Shield Principles for all onward transfers of personal data from the European Union and Switzerland, including the onward transfer liability provisions.
With respect to Personal Information received or transferred pursuant to the Privacy Shield Framework, the Castlight Companies are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, the Castlight Companies may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) here. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Your Wellbeing Sites account is protected by a password for your privacy and security. To protect your privacy, never share your sign-in name or password and always log out of Sites as soon as you are finished using the service. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account for the Wellbeing Sites.
Jiff endeavors to protect the privacy of your account and your Personal Information we hold in our records. Jiff employs SSL to encrypt communications between our servers and client applications. Jiff also endeavors to protect against unauthorized access to your private information. However, we cannot guarantee complete security.
Jiff uses persistent cookies to save your registration ID and login password for future logins to the Wellbeing Sites. Jiff uses session cookies to better understand how you interact with the Wellbeing Sites, and to monitor aggregate usage by customers of the Wellbeing Sites and web traffic routing on the Wellbeing Sites. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use all portions or all functionality of the Wellbeing Sites.
We may also occasionally use web beacons (also known as “clear gifs,” “web bugs,” “1-pixel gifs,” etc.) that allow us to collect non-personally identifiable information about your response to our email communications, and for other purposes. Web beacons are tiny images, placed on a web page or e-mail that can tell us if you have visited a particular area of the Wellbeing Sites. For example, if you have given us permission to send you emails, we may send you an email urging you to use a certain feature of the Wellbeing Sites. If you do respond to that email and use that feature, the web beacon will tell us that our email communication with you has been successful. Because web beacons are used in conjunction with persistent cookies (described above), if you set your browser to decline or deactivate cookies, web beacons cannot function.
Our third-party vendors may use technologies such as cookies to gather information about your activities on the Wellbeing Site and other websites to provide you advertising based upon your browsing activities and interests. If you do not wish to this information used for the purpose of serving you interest-based ads, you may opt-out by clicking http://preferences-mgr.truste.com/ (or if located in the European Union click on http://www.youronlinechoices.eu/). Please note this does not opt you out of being served ads. You will continue to receive generic ads.
We use mobile analytics software to allow us to better understand the functionality of the Jiff- Health Benefits mobile app on your phone. This software may record information such as how often you use the Jiff – Health Benefits mobile app, the events that occur within the application, aggregated usage, performance data, and where the Jiff- Health Benefits mobile app was downloaded from. We do not link the information we store within the analytics software to any Personal Information you submit within the Jiff – Health Benefits mobile app.
Some Internet browsers – like Internet Explorer, Firefox, and Safari – include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, our Sites do not currently process or respond to “DNT” signals.
DATA HANDLING ACTIVITIES RELATED TO THE SITES
De-identified and Aggregated Information
- The Castlight Companies may make arrangements with your Employer, customers, PSPs or business partners to share certain de-identified aggregate information in order to evaluate patterns, utilization, usage and trends. The Castlight Companies’ may also share such information with you or other users of the services we provide via the Sites. This type of information may be based in part on information related to you but does not allow for the personal identification of any individual (in other words, it is “de-identified”).
- The Castlight Companies removes your identity from your Personal Information (contact, health and/or financial) and may work with it as anonymous (“de-identified”) information. De-identified information is presented in a form where information about an anonymous user would be indistinguishable from information relating to other anonymous users. De-identified individual information is not in a form that allows anyone studying the information to personally identify any user.
- Aggregate information is information that describes the habits, usage patterns and/or demographics of users as a group but does not reveal the identity of particular users. Your anonymous data is combined with the anonymous data of other Castlight Companies’ users and becomes statistics. We may use aggregate information within services we provide through the Sites to understand the needs of our user community and determine what kinds of programs and services we can offer you. The Castlight Companies may use this anonymous information to give potential customers, users, or business partners a picture of the services provided via the Sites. Aggregate information may be provided or sold to third parties. Absolutely no personal identifying information is included in the aggregate reports; each individual remains anonymous.
Children’s Personal Information
You must be at least eighteen (18) years of age to use the services provided via the Sites. We do not knowingly request of collect personal information from any person under the age of 18. If a user submitting personal information is suspected of being younger than 18 years of age, we will require the user to close his or her account, and we will also take steps to delete the information as soon as possible. Please notify us if you know of any individuals under the age of 18 using our Sites so we can take action to prevent access to our Sites.
Third Party Websites
Changes to the Privacy Statement
The Castlight Companies reserve the right to modify this Privacy Statement to reflect changes to our practices and when required by law. I f we make any material adverse changes, we will notify you on the Sites, by email or at the time the user logs in prior to the change becoming effective. You will be notified and be given the opportunity to opt-out for any additional uses or disclosures of your Personal Information that you made available to us prior to any such change in our Privacy Statement. The Castlight Companies may also provide “just-in-time” disclosures or additional information about the data collection, use and share practice of the Sites. These may supplement or clarify our privacy practices or may provide you with additional choices about how we process your Personal Information.
Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to ask us for a notice identifying the categories of Personal Information, which we share with our third-parties for marketing purposes, and providing contact information for third-parties. If You are a California resident and would like a copy of this notice, please submit a written request to: firstname.lastname@example.org for the services provided via the Wellbeing Sites or email@example.com for the services provided via the Care Guidance Sites.