Wellthy.com Privacy Policy
Your privacy is important to us. This privacy policy (the "Privacy Policy") describes how Wellthy, Inc. ("Wellthy," "we," "our," or "us") collects, uses and shares personal information and other information (collectively, the "Information") obtained through our website at www.wellthy.com (the "Site").
This Privacy Policy provides transparency about the privacy practices of Wellthy, Inc. (“Wellthy,” “we,” “our,” or “us”), including how we collect, process, and disclose personal information, and how you can control and manage your privacy choices. Please take time to review this policy prior to providing Wellthy your information.
Who is Wellthy?
Wellthy is a care concierge service providing both human and technology support to families and individuals. With our Care Team, Wellthy helps plan and accomplish important care related tasks within a modern online experience. Scheduling appointments, refilling prescriptions, corresponding with insurance companies, sourcing and vetting the right in-home aide, organizing a move into a care facility, and contesting health care bills are just a few of the services Wellthy provides to its members.
1. Scope and Applicability
The scope of this Privacy Policy includes Wellthy and any of our affiliates with whom we may share personal information, and encompasses all of our services and includes the services made available through Wellthy.com and other Wellthy sites and applications.
This Privacy Policy applies to individuals in the United States, Canada, the European Economic Area and the United Kingdom. Our relationship with you will determine how this Privacy Policy applies to you and your information. In general, if you engage with us directly and independently of a third party, this Privacy Policy most likely applies. However, if we are processing your information as a service provider to a third party, that third party is most likely responsible for your privacy. If you have any doubt as to who is responsible for your information, please contact privacy@wellthy.com.
Where applicable, this Privacy Policy is presented to you at or before the time your information is collected to provide you with advanced notice of our practices.
2. Information We Collect and Receive
Wellthy may collect personal data directly from you; however, we sometimes receive your information from your employer, your health plan, or individuals helping to facilitate and coordinate care services on your behalf or on behalf of others. We collect and process data when you use the site, including when you sign up to create an account. Information is collected from the following categories of individuals:
Program Sponsor – If a Program Sponsor is an Employer, the Employer is responsible for administering its subscription to Wellthy’s care concierge service on behalf of its workforce. If the Program Sponsor is a Health Plan, the Health Plan is responsible for administering members' subscription to Wellthy's care concierge service. We collect the following personal information from Program Sponsors:
- Contact Information from Employers – Employee name, first and last name, title, business phone number, business email address, business address
- Contact Information from Health Plans – First and last name, email address affiliated with plan, member identification number
- Feedback About Your Experience – Sometimes your Program Sponsor might escalate feedback about your experience with Wellthy directly to us, which may contain information about you. The Program Sponsor’s right to share that information with us is governed by its separate privacy obligations to you.
Sponsored Member – A Sponsored Member is a person who is deemed eligible to use the Wellthy solution by their Program Sponsor. Sponsored Members can create Care Journeys for themself or a loved one. We may collect the following personal information from Sponsored Members:
- Contact Information – First and last name, email address, job title/position, employer name, health plan name
- Feedback – Wellthy uses a third-party platform to collect feedback from Sponsored Members
Journey Members – Journey Members are any additional individuals invited to the Wellthy solution by the Sponsored Member or other Journey Members to remain informed about and/or assist with a Care Recipient’s journey. We may collect the following information about Journey Members from the Journey Member themself, the Sponsored Member, or other Journey Members:
- Contact Information – First and last name, phone number, email address, physical address, date of birth
Care Recipient – A Care Recipient is a person receiving care as a result of the care coordination services and who may or may not also be a Sponsored Member. We may receive Care Recipient information directly from the Care Recipient or from anyone of the Care Recipient’s Care Circle. If you are part of the Care Circle and sharing a Care Recipient’s information with Wellthy on the Care Recipient’s behalf, you must be legally authorized to share such information. We may collect the following information about Care Recipients:
- Contact and Identification Information – First and last name, phone number, physical address, email address, date of birth
- Medical and Health Information – Diagnosis information, medical records, medical record number, social security number, health insurance information, health insurance claims information
Care Circle – The Care Circle is the full group of individuals that have access to a Care Journey and appear by name under the project. The information we may collect about the Care Circle is defined under Program Sponsor, Sponsored Member, Journey Members, and Care Recipient above.
Sales Prospect – A sales prospect is a prospective interested party or candidate for Wellthy’s care concierge service. Wellthy may collect or receive the following information about Sales Prospects:
- Business and/or Personal Contact Information – First and last name, employer, title, phone number, email address, physical address
Site Visitor – A Site Visitor is a person who accesses or interacts with our Site. Wellthy may collect or receive the following information about Site Visitors:
- Log Data – Information collected by our servers when you access our Site, including IP addresses, referral URLs, browser type and settings, date and time of usage, language preferences, and cookie data
- Device Data – Information about your device, including type of device, operating system, application IDs, unique device identifiers, and crash data
- Analytics Data – Approximate geolocation based on your IP address and other information from your browser and device
- Contact Information – Your name, phone number, email address, and mailing address, etc. if you engage with us through our webforms, live chat, or other contact methods
3. Our Uses of Personal Information
Our use of your personal information is limited to the purposes disclosed to you in this Privacy Policy, or by other means, as required by law. In general, we use your personal information to operate our care concierge services business, including care coordination, assisting with providers, and appointment scheduling. We also use your personal information to protect the security of our solution and to better understand how our services are used to improve our services. Specifically, Wellthy uses personal information in the following ways:
We use Sponsored Member Information to:
- Verify your identity in connection with Care Journey and account creation
- Provide you with requested services
- Communicate with you about the Site and solution
- Help coordinate communications and requests among Care Circle members
- Respond to your questions or requests
- Send you marketing communications and/or contact you about special events, programs, surveys, contest, sweepstakes, and other offers or promotions
- Generate and analyze usage statistics to improve and customize your experiences
- Process payments via a third-party payment processor connected to the site
We use Care Recipient Information to:
When the Care Recipient has signed up on the solution, we use Care Recipient information the same way we use Sponsored Member Information. If the Care Recipient has not signed up on the Wellthy solution, information about the Care Recipient is limited to the following uses:
- Provide services requested by Care Circle members
- Communicate with Care Circle members about the site and solution
- Respond to questions or requests made by Care Circle members
We use Sales Prospect Information to:
- Identify sales opportunities
- Communicate with you about Wellthy’s services
We use Site Visitor Information to:
- Ensure the functionality and availability of the site
- Ensure the security and authorized use of the site and Wellthy solution
- Generate and analyze usage statistics to improve and customize your experience with the site
- Identify opportunities to improve our services and solution
- Escalate feedback to appropriate internal and external channels
Our use of personal information also includes any other purpose that you may intend or direct us to perform through your use of our services.
4. How We Share Information
Wellthy shares and discloses personal information to third parties as needed to provide our services and operate our business. The categories of third parties with whom we may share information includes:
Journey Members – We may share Care Recipient information with any Care Circle member(s) Journey Member(s) who are involved in coordinating care for the Care Recipient.
IT Service Providers – We may share any category of personal information with our IT Service Providers as needed to operate our services, including with our virtual computing, web services, payment processors, and storage service providers. A list of our subprocessors is available upon request to privacy@wellthy.com.
Care Associated Organizations – At your direction and only with your express authorization, we may share your information with doctors, health insurance companies, care facilities and treatment centers, and other medical and related services providers associated with your care plan or the care plan of a loved one.
Business Services Providers – We may share any category of personal information with our business services providers as needed in the operation of our business, including (but not limited to) security vendors, third party developers, external auditors, analytics providers, and professional advisers.
Corporate Activities – We may share any category of personal information with potential investors or lenders and as part of a transaction involving a merger, acquisition, divestiture, public offering, or similar transaction involving our business, subject to non-disclosure agreements and, where applicable, additional safeguards for sensitive personal information.
Government and Legal – We may share any category of personal information with third parties as may be required by applicable law, regulation, or legal process.
Program Sponsor (Health Plan) – If you sign up through a Health Plan, we may share any category of personal or health information you share with Wellthy during the course of your Care Journey with your Health Plan, if you are an enrollee of that Health Plan. If a Care Journey is created on your behalf, we may share information about your relationship to the enrollee back to the health plan.
Program Sponsor (Employer) – Wellthy may share the fact that you are utilizing or have utilized Wellthy's services to your Program Sponsor by disclosing your name, employee ID, email, and the number and duration of Care Journeys in which you have taken part. We will not disclose any details about your Care Journeys other than their duration, unless otherwise authorized by you to do so. Additionally, some Employers utilize Wellthy to partner with relief programs that may be offered to you by your Employer. Any information you share with us on applications for Employer relief programs may be shared with your Employer.
Sale of Personal Information – Wellthy does not “sell” personal information as defined by the California Consumer Privacy Act (CCPA) of 2018, Vermont’s protection of personal information law (9 V.S.A. § 2430), or Nevada’s 2019 privacy amendment, and have not sold personal information within the previous 12-month period from the date of this policy. If we decide to sell your personal information, we will provide you with an opportunity to opt-out as the law may require.
5. Communications and Marketing
In compliance with local rules, Wellthy may periodically send you newsletters that include information about our services, partners, and enhancements. If you no longer wish to receive e-mail marketing communications, you may unsubscribe/opt out by following the steps in the email or by contacting privacy@wellthy.com.
Online Advertising – Wellthy may also use third-party retargeting technology to advertise Wellthy to organizations interested in providing our services as a benefit to employees. This means we may show ads that highlight our Program Sponsor offering to you using LinkedIn, Facebook or Google advertising services. We will not use this technology on pages that you visit when you are logged in after creating an account. Control of LinkedIn advertising is available through your account settings and you may completely opt out of LinkedIn retargeting here. You can also update your Google ad preferences and Facebook ad preferences.
6. Data Retention and Disposal
Wellthy retains and disposes of personal information in accordance with our data retention schedules. Generally, this means:
- Personal data collected on the basis of legitimate interest, including Site Visitor Information and Sales Prospect Information, is reviewed for deletion periodically to assess the necessity and proportionality of the processing.
- Certain personal data associated with the provision of our services is retained for a standard period of seven years unless extensions are necessary in order to comply with legal rights and obligations.
Once the retention period has expired, we will delete your data and/or de-identify your personal information such that it can no longer identify you. With respect to all personal data, where the purpose of the processing is satisfied or where consent to processing has been withdrawn, such data will be deleted unless we need to retain it for legal or compliance purposes.
7. General Data Protection Regulation (GDPR)
The following applies only to European Economic Area (EEA) and United Kingdom (UK) data subjects:
Controller Relationship – Except to the extent that Wellthy may be a “processor” of personal information received from a third party, Wellthy is a “controller” with respect to your personal information and you may contact us directly to exercise your data protection rights or file a privacy complaint.
Lawful Basis for Processing Personal Information – Our lawful basis for collecting and processing personal information will depend on the circumstances upon which the personal information was collected.
- In most circumstances related to the provision of our services, our processing of personal information is based on Wellthy’s legitimate interests. For example, onboarding new Sponsored Members is based on our legitimate interest in providing our services. Wellthy reviews the necessity and proportionality of such processing to assess whether the rights and freedoms of the data subjects is not outweighed by the processing.
- In special circumstances, you may provide your express consent to Wellthy’s processing of your personal information. For example, where special category data (e.g. health data) is processed under Article 9 GDPR. In such cases, Wellthy will take steps to ensure that your consent is informed and freely given.
- In other circumstances, Wellthy may process your personal information if necessary to perform a contract with you. For example, if you sign up and enroll in Wellthy directly.
Automated Decision-making – Wellthy’s processing of personal information may include automated decision-making, specifically with respect to the assignment of a Care Coordinator to a Care Recipient. This processing is intended to best align a Care Coordinator to your specific needs. Re-assignment of Care Coordinators is available.
International and Onward Transfers of Personal Information – Wellthy is a US-based company with data centers located in the United States. If you are located outside the US, your personal information will be transferred across international borders and processed in the US. The US may have different or less protective data protection laws than your own country. International transfers of personal data (including onward transfers) to third countries which have not achieved adequacy under GDPR Article 45 are made pursuant to the European Commission’s Standard Contractual Clauses (SCCs) and are subject to a transfer impact assessment. Where necessary, supplementary measures are adopted by the data importer and exporter to ensure personal data is afforded an essentially equivalent level of protection in the third country.
Privacy Rights of EEA and UK Data Subjects – If you are a located in the EEA or the UK, subject to certain limitations, you have the following data protection rights:
- Right to Withdraw Consent – If processing is based on your consent, you have the right to withdraw consent to the processing at any time.
- Right to Object to Processing – If processing is based on legitimate interest, you have the right to object to the processing at any time.
- Right to Object to Automated Processing – You have the right not to be subject to a decision based solely on automated processing, including profiling.
- Access and Rectification – You have the right to access, correct, and update your personal information without undue delay.
- Right to Deletion or Erasure – You have the “right to be forgotten” through the erasure or deletion of your personal information without undue delay.
- Right to Portability – You have the right to move, copy, or transfer personal data from our service to another service. If requested, we will provide you with a machine-readable file to transfer.
- Right to Stop Processing – You have the right to object to the processing of your personal information and to ask us to restrict the processing of your personal information, subject to certain limitations.
- Right to Submit a Complaint – You have the right to submit a complaint to your data protection authority about our collection and use of your personal information.
Exercising Your Rights Under the GDPR – You may exercise many of your rights through your account or our self-service portal or by submitting a request to our Data Protection Officer at privacy@wellthy.com or by calling +1 (877) 588-3917.
We respond to and process requests promptly and within the timeframes required by the GDPR. Please note that requests that could adversely impact the rights and interests of a data subject are subject to appropriate verification before processing.
Local Representative – Contact information of our UK and EU local representative.
European Data Protection Office (EDPO)
United Kingdom: 8 Northumberland Avenue London, England WC2N 5BY or this contact form
European Union: Ground Floor, 71 Lower Baggot Street, Dublin, D02 P593, Ireland or this contact form
8. Exercising Control Over Your Privacy
We provide several ways for you to exercise control over your privacy. For Sponsored Members, you may access and correct much of the personal information we have collected about you simply by logging into your account.
For other individuals, you may make a privacy request by contacting us at privacy@wellthy.com. In our discretion and without obligation, we may fulfill privacy requests as a courtesy to other individuals subject to appropriate prior verification.
9. Cookie Policy and “Do Not Track” Requests
Our Use of Cookies – Wellthy uses cookies in a range of ways to improve your experience on our Site. We may automatically collect certain information when you visit our Site, including through cookies, web beacons and other technologies. Such cookies include strictly necessary cookies, performance cookies, functional cookies, and targeting cookies. For example, we may use analytics cookies to generate and analyze statistics about your use of the Site and functional cookies to improve and customize your experience with the Site. We may also use marketing cookies to collect aggregate information about Site Visitors. The information collected for these purposes (including your IP address and other information collected by automated means) may be disclosed to or collected directly by our third-party web analytics service providers, such as Google Analytics. To learn more about how Google uses your information, please, click here.
To adjust your cookie settings, you may do so when you initially access our Site. Site Visitors in the EEA or the UK will be presented with an opportunity to consent to non-essential cookies by opting in to cookies when they first visit our Site.
Do Not Track Signals – In accordance with the California Online Privacy Protection Act (CalOPPA), we want to inform you about our “Do Not Track” (“DNT”) request policy. DNT is a feature that some web browsers offer to allow Site Visitors to send signals to other websites so that no information about their browser session will be shared. You may enable your web browser to send our Site a DNT request, but your browsing and Site Visitor experience may be degraded. Sometimes, DNT does not work even when enabled. You can learn more about DNT here: https://www.eff.org/issues/do-not-track
10. Children’s Data
Children’s Data in the United States and Canada – In accordance with the Children's Online Privacy Protection Act ("COPPA"), Personal Information Protection and Electronic Documents Act (“PIPEDA”), and other US state and Canadian provincial laws, this Site and Wellthy’s solution are not marketed to children under thirteen (13) years of age and you may not sign up for Wellthy if you are under 13 years of age. If you learn that a United States or Canadian-based child under the age of 13 has created an account with Wellthy, please contact privacy@wellthy.com.
Children’s Data in the EEA and the UK – Wellthy recognizes that children’s information is more sensitive than that of adults and that children’s information often requires greater protection. While different EEA and UK jurisdictions set different ages of majority, Wellthy takes steps to prevent children under the age of majority from signing up for its services in each jurisdiction.
Children as Care Recipients or Journey Members – Notwithstanding the foregoing, a parent or legal guardian of a child may share the child’s information with Wellthy to provide them with care coordination services. We ask that information about children under the age of majority not be provided to Wellthy without the prior consent of the child’s parent or legal guardian. By providing the information of a child under the age of 13 in the US and Canada, 16 in the EEA, or 12 in the UK, you are affirming that you are legally authorized to provide such information.
11. Information Security
Through our information security program, Wellthy has implemented technical and organizational measures to ensure the protection of personal information. Our efforts include:
- Risk assessments
- Access controls
- Encryption of personal data
- Vulnerability and penetration testing
- Monitoring
- Incident response
- Backup and recovery
- Vendor management
- Security awareness and training
When interacting with Wellthy, we recommend that you create a unique and difficult password, that you not share your account credentials with others or allow your credentials to be easily accessed by others, that you connect to our Site over secure networks, that you log out after using our service, and that you stay alert to unusual or suspicious activities.
12. Breach Notification
US Breach Notification – If any personal information we possess is the subject of a data breach and your personal information is implicated according to any US state or federal law that may apply, Wellthy will take appropriate action, including providing you with notice, as such law or laws may require.
Canadian Breach Notification – If a breach occurs that impacts Canadian data subjects, Wellthy will notify the Commissioner pursuant to PIPEDA and, when relevant, the correct authority under provincial laws.
EEA Breach Notification – In the event of a data breach impacting EEA data subjects, Wellthy will first notify the relevant data protection authority of the breach within 72 hours of becoming aware of the breach and notify affected data subjects as soon as is feasible and without undue delay if the breach is likely to result in a high risk to the rights and freedoms of such data subjects.
UK Breach Notification – In the event of a data breach impacting UK data subjects, Wellthy will first notify the ICO of the breach within 72 hours of becoming aware of the breach and notify affected data subjects as soon as is feasible and without undue delay if the breach is likely to result in a high risk to the rights and freedoms of such data subjects.
13. General Inquiries and Updates
For inquiries about this Privacy Policy or to make a request or file a privacy complaint, please contact privacy@wellthy.com or call +1 (877) 588-3917.
This Privacy Policy may be updated from time to time, so please check back regularly for updates.
Wellthy Community Privacy Policy
Last Revised May 19, 2022
Your privacy is important to us. This privacy policy (the "Privacy Policy") describes how Wellthy, Inc. ("Wellthy," "we," "our," or "us") collects, uses and shares personal information and other information (collectively, the "Information") obtained through our website at community.wellthy.com (the "Site").
This Privacy Policy provides transparency about the privacy practices of Wellthy, Inc. (“Wellthy,” “we,” “our,” or “us”), including how we collect, process, and disclose personal information, and how you can control and manage your privacy choices. Please take time to review this policy prior to providing Wellthy your information.
What is Wellthy Community?
The Wellthy Community is a private community solution for caregivers to collaborate and connect with each other on various caregiving topics. Wellthy employees will participate in the Community to help moderate and support the Community participants and also to learn more about our customers’ needs. Services provided in the Wellthy Community include Groups, Discussion Boards, Events Calendar, and Member Directory. Wellthy Community can be accessed via community.wellthy.com.
1. Scope and Applicability
The scope of this Privacy Policy includes Wellthy and any of our affiliates with whom we may share personal information, and encompasses all of our services made available through community.wellthy.com, and other Wellthy Sites and applications.
This Privacy Policy applies to individuals in the United States, Canada, the European Economic Area, and the United Kingdom. Our relationship with you will determine how this Privacy Policy applies to you and your information. In general, if you engage with us directly and independently of a third party, this Privacy Policy most likely applies. However, if we are processing your information as a service provider to a third party, that third party is most likely responsible for your privacy. If you have any doubt as to who is responsible for your information, please contact privacy@wellthy.com.
Where applicable, this Privacy Policy is presented to you at or before the time your information is collected to provide you with advanced notice of our practices. Your agreement to aspects of this privacy policy as it applies to Wellthy or Wellthy Community depends on the service(s) you sign up for. For example, if you sign up for Wellthy Community and not Wellthy, your agreement to this privacy policy only applies to your use of Wellthy Community (and vice versa). If you sign up for Wellthy and Wellthy Community, this Privacy Policy in its entirety will apply to you.
2. Information We Collect and Receive
Our use of your personal information for the Wellthy Community is limited to the purposes disclosed to you in this Privacy Policy, or by other means, as required by law. In general, we use your personal information to operate our Community services, which includes connecting you to a supportive group of members within the Community to provide you with informational and emotional support during you or your loved ones care journey. We also use your personal information to protect the security of our Community and to better understand how our services are used to improve our services.
Sponsored Member – A Sponsored Member is who is deemed eligible to use the Wellthy solution by their Program Sponsor. Sponsored Members can create Care Journeys for themself or a loved one. We may collect the following personal information from Sponsored Members:
- Contact Information – First and last name, email address, job title/position, employer name, health plan name
- Feedback – Wellthy uses a third-party platform to collect feedback from Sponsored Members
Community Member – A Community Member must be a Sponsored Member. A Community Member is an individual who has signed up specifically to utilize the Wellthy Community. We collect the following personal information from Community Members in our service:
- Contact Information – First and last name, email address, employer name
- Feedback – Wellthy uses a third-party platform to collect feedback from Community Members
We also collect and process other data when you use the Site, including when you sign up to create an account. Information is collected from the following categories of individuals:
Program Sponsors – If a Program Sponsor is an Employer, the Employer are persons responsible for administering their organization’s subscription to Wellthy’s care concierge service on behalf of their organization. If the Program Sponsor is a Health Plan, the health or medical insurance organization is responsible for administering members' subscription to Wellthy's care concierge service. We collect the following personal information from Program Sponsors:
- Contact Information from Employers – First and last name, employer, title, business phone number, business email address, business address
- Contact Information from Health Plans – First and last name, email address affiliated with plan, member identification number
- Feedback About Your Experience – Sometimes your employer might escalate feedback about your experience using Community directly to us.
Sales Prospect – A sales prospect is a prospective interested party or candidate for Wellthy’s care concierge service. Sales Prospects can only utilize Wellthy Community so long as they are using the care concierge service. Wellthy may collect or receive the following information about Sales Prospects:
- Business and/or Personal Contact Information – First and last name, employer, title, phone number, email address, physical address
Site Visitor – A Site Visitor is a person who accesses or interacts with our Site. Wellthy may collect or receive the following information about Site Visitor:
- Log Data – Information collected by our servers when you access our Site, including IP addresses, referral URLs, browser type and settings, date and time of usage, language preferences, and cookie data
- Device Data – Information about your device, including type of device, operating system, application IDs, unique device identifiers, and crash data
- Analytics Data – Approximate geolocation based on your IP address and other information from your browser and device
- Contact Information – Your name, phone number, email address, and mailing address, etc. if you engage with us through our webforms, live chat, or other contact methods
3. Our Uses of Personal Information
Our use of your personal information is limited to the purposes disclosed to you in this Privacy Policy, or by other means, as required by law. In general, we use your personal information to operate our care concierge services business, including care coordination, assisting with providers, and appointment scheduling. We also use your personal information to protect the security of our Community and to better understand how our services are used to improve our services. Specifically, Wellthy uses personal information in the following ways:
We use Sponsored Member Information to:
- Verify your identity in connection with account creation
We use Community Member Information to:
- Provide you with requested services
- Communicate with you about the Site and respond to your questions or requests
- Send you marketing communications and/or contact you about special events, programs, surveys, contest, sweepstakes, and other offers or promotions
- Link you to Groups and Events that support you or your loved ones needs
- Suggest or subscribe you to Groups and Events that support the participation in Group Discussions
- Update the Member directory so that you may connect with others like you, which you can easily opt out of
- Generate and analyze usage statistics to improve and customize your experiences
We use Sales Prospect Information to:
- Identify sales opportunities
- Communicate with you about Wellthy’s services
We use Site Visitor Information to:
- Ensure the functionality and availability of the site
- Ensure the security and authorized use of the site and Community
- Generate and analyze usage statistics to improve and customize your experience with the site
- Identify opportunities to improve the site and Community
- Escalate feedback to appropriate internal and external channels
For Wellthy and Wellthy Community, our use of personal information also includes any other purpose that you may intend or direct us to perform through your use of our services. If your personal information is de-identified or anonymized through aggregation or by other means to the extent that it can no longer identify you, then this information will no longer be considered “personal information” under this Privacy Policy.
4. How We Share Information
Wellthy shares and discloses personal information to third parties as needed to provide our services and operate our business. Wellthy shares and discloses personal information to our subcontractor Higher Logic, LLC (together with its affiliates, “Higher Logic”), whereby upon sign-up, your username and password are shared with Higher Logic to authenticate you into the Wellthy Community. The categories of third parties with whom we may share information includes:
IT Service Providers – We may share any category of personal information with our IT Service Providers as needed to operate our services, including with our virtual computing, web services, payment processors, and storage service providers. A list of our subprocessors is available upon request to privacy@wellthy.com.
Business Services Providers – We may share any category of personal information with our business services providers as needed in the operation of our business, including security vendors, third party developers, external auditors, analytics providers, and professional advisers.
Corporate Activities – We may share any category of personal information with potential investors or lenders and as part of a transaction involving a merger, acquisition, divestiture, public offering, or similar transaction involving our business.
Government and Legal – We may share any category of personal information with third parties as may be required by applicable law, regulation, or legal process.
Program Sponsor (Employer or Health Plan) – Wellthy may share de-identified or anonymized data with third parties, such as Sponsoring Organizations (e.g. employers who offer Wellthy as an employee benefit) for statistical and reporting purposes. This may include aggregated data and not individual-specific information. Wellthy may also share the fact that you are utilizing or have utilized the Community services but will not disclose any details other than the period of time for which you used the services, unless otherwise authorized by you to do so.
Sale of Personal Information – Wellthy does not “sell” personal information as defined by the California Consumer Privacy Act (CCPA) of 2018, Vermont’s protection of personal information law (9 V.S.A. § 2430), or Nevada’s 2019 privacy amendment, and have not sold personal information within the previous 12-month period from the date of this policy. If we decide to sell your personal information, we will provide you with an opportunity to opt-out as the law may require.
5. Communications and Marketing
In compliance with local rules, Wellthy may periodically send you newsletters that include information about our services, partners, and enhancements. If you no longer wish to receive e-mail marketing communications, you may unsubscribe/opt out by contacting privacy@wellthy.com.
Online Advertising – Wellthy may also use third-party retargeting technology, to advertise Wellthy to organizations interested in providing our services as a benefit to employees. This means we may show ads to you on LinkedIn.com, Facebook, and Google if you visit certain pages on the Site that highlight our Program Sponsor offering. We will not use this technology on pages that you visit when you are logged in to Site after creating an account. Control of LinkedIn advertising is available through your account settings and you may completely opt out of LinkedIn retargeting here. You can also update your Google ad preferences and Facebook ad preferences.
6. Data Retention and Disposal
Wellthy retains and disposes of personal information in accordance with our data retention schedules. Generally, this means:
- Personal data collected on the basis of legitimate interest, including Site Visitor Information and Sales Prospect Information, is reviewed for deletion periodically to assess the necessity and proportionality of its continued processing.
- Other personal data associated with the provision of our services is retained for seven years unless extensions are necessary in order to comply with legal rights and obligations.
Once the retention period has expired, we will delete your personal information and/or process it such that you can no longer be identified in the resulting data. All personal data for which the purpose of the processing is satisfied or where consent to processing has been withdrawn will be deleted unless we need to retain it for legal or compliance purposes.
7. General Data Protection Regulation (GDPR)
The following applies only to data subjects in the European Economic Area (EEA) and United Kingdom (UK):
Controller Relationship – Except to the extent that Wellthy may be a “processor” of personal information received from a third party such as a Program Sponsor, Wellthy is a “controller” with respect to your personal information and you may contact us directly to exercise your data protection rights or file a privacy complaint.
Lawful Basis for Processing Personal Information – Our lawful basis for collecting and processing personal information will depend on the circumstances upon which the personal information was collected.
- In most circumstances related to the provision of our services, our processing of personal information is based on Wellthy’s legitimate interests. For example, onboarding new Sponsored Members is based on our legitimate interest in providing our services. Wellthy regularly reviews the necessity and proportionality of such processing with respect to the rights and freedoms of the data subjects concerned.
- In special circumstances, you may provide your express consent to Wellthy’s processing of your personal information. For example, where special category data (e.g. health data) is processed under Article 9 GDPR. In such cases, Wellthy will take steps to ensure that your consent is informed and freely given.
- In other circumstances, Wellthy may process your personal information if necessary to perform a contract with you. For example, if you sign up and enroll in Wellthy directly.
International and Onward Transfers of Personal Information – Wellthy is a US-based company with data centers located in the United States. Your personal information will be transferred across international borders and processed in the US. The US may have different or less protective data protection laws than your own country. International transfers of personal data (including onward transfers) to third countries which have not achieved adequacy under GDPR Article 45 are made pursuant to the European Commission’s Standard Contractual Clauses (SCCs) and are subject to a transfer impact assessment. Where necessary, supplementary measures are adopted by the data importer and exporter to ensure personal data is afforded an essentially equivalent level of protection in the third country.
Privacy Rights of EEA and UK Data Subjects – If you are a person located in the EEA or the UK, subject to certain limitations, you have the following data protection rights:
- Right to Withdraw Consent – If processing is based on your consent, you have the right to withdraw consent to the processing at any time.
- Right to Object to Processing – If processing is based on legitimate interest, you have the right to object to the processing at any time.
- Right to Object to Automated Processing – You have the right not to be subject to a decision based solely on automated processing, including profiling.
- Access and Rectification – You have the right to access, correct, and update your personal information without undue delay.
- Right to Deletion or Erasure – You have the “right to be forgotten” through the erasure or deletion of your personal information without undue delay.
- Right to Portability – You have the right to move, copy, or transfer personal data from our service to another service. If requested, we will provide you with a machine-readable file to transfer.
- Right to Stop Processing – You have the right to object to the processing of your personal information and to ask us to restrict the processing of your personal information, subject to certain limitations.
- Right to Submit a Complaint – You have the right to submit a complaint to your data protection authority about our collection and use of your personal information.
Exercising Your Rights Under the GDPR – You may exercise many of your rights through your account or our self-service portal or by submitting a request to our Data Protection Officer at privacy@wellthy.com or by calling +1 (877) 588-3917.
We respond to and process requests promptly and within the timeframes required by the GDPR. Please note that requests that could adversely impact the rights and interests of a data subject are subject to appropriate verification before processing.
Local Representative – Contact information of our UK and EU local representative.
European Data Protection Office (EDPO)
United Kingdom: 8 Northumberland Avenue London, England WC2N 5BY or this contact form
European Union: Ground Floor, 71 Lower Baggot Street, Dublin, D02 P593, Ireland or this contact form
8. Exercising Control Over Your Privacy
Wellthy provides several ways for you to exercise control over your privacy. For Enrollees, you may access and correct much of the personal information we have collected about you simply by logging into your account.
For other individuals you may make a privacy request by contacting privacy@wellthy.com. In its discretion and without obligation, Wellthy may fulfill privacy requests as a courtesy to other individuals subject to appropriate prior verification.
Higher Logic has no direct relationship with the individuals whose personal data it processes on behalf of Subscribers. An individual who seeks to access, correct, amend, or delete inaccurate data held by Higher Logic should direct their query to Wellthy. In that event, Wellthy will instruct Higher Logic to perform the relevant processing.
9. Cookie Policy and “Do Not Track” Requests
Our Use of Cookies – Wellthy uses cookies in a range of ways to improve your experience on our Site. We may automatically collect certain information when you visit our Site, including through cookies, web beacons and other technologies. Such cookies include strictly necessary cookies, performance cookies, functional cookies, and targeting cookies. For example, we may use analytics cookies to generate and analyze statistics about your use of the Site and functional cookies to improve and customize your experience with the Site. We may also use marketing cookies to collect aggregate information about Site Visitors. The information collected for these purposes (including your IP address and other information collected by automated means) may be disclosed to or collected directly by our third-party web analytics service providers, such as Google Analytics. To learn more about how Google uses your information, please, click here.
You will be asked to adjust your cookie settings when you initially access our Site and Wellthy Community. Community Members and Site Visitors in the EEA or the UK will be presented with an opportunity to consent to non-essential cookies by opting in to cookies when they first visit our Site.
Do Not Track Signals – In accordance with the California Online Privacy Protection Act (CalOPPA), we have adopted a “Do Not Track” (“DNT”) request policy. DNT is a feature that some web browsers offer to allow Site Visitors to send signals to other websites so that no information about their browser session will be shared. You may enable your web browser to send our Site a DNT request, but your browsing and experience may be degraded. Sometimes, DNT does not work even when enabled. You can learn more about DNT here.
10. Children’s Data
Children’s Data in the United States and Canada – In accordance with the Children's Online Privacy Protection Act ("COPPA"), Personal Information Protection and Electronic Documents Act (“PIPEDA”), and other US state and Canadian provincial laws, this Site and Wellthy’s services are not marketed to children under thirteen (13) years of age and you may not sign up for Wellthy or Wellthy Community if you are under 13 years of age. If you learn that a United States or Canadian-based child under the age of 13 has created an account with Wellthy, please contact privacy@wellthy.com.
Children’s Data in the EEA and the UK – Wellthy recognizes that children’s information is more sensitive than that of adults and that children’s information often requires greater protection. While different EEA and UK jurisdictions set different ages of majority, Wellthy takes steps to prevent children under the age of majority from signing up for its services (including Wellthy Community) in each jurisdiction.
Children as Care Recipients or Journey Members – Notwithstanding the foregoing, a parent or legal guardian of a child may share the child’s information with Wellthy to provide them with care coordination services. We ask that information about children under the age of majority not be provided to Wellthy without the prior consent of the child’s parent or legal guardian. By providing the information of a child under the age of 13 in the US and Canada, 16 in the EEA or 12 in the UK, you are affirming that you are legally authorized to provide such information.
11. Information Security
Through our information security program, Wellthy has implemented technical and organizational measures to ensure the protection of personal information. Our efforts include:
- Risk assessments
- Access controls
- Encryption of personal data
- Vulnerability and penetration testing
- Monitoring
- Incident response
- Backup and recovery
- Vendor management
- Security awareness and training
When interacting with Wellthy Community, we recommend that you create a unique and difficult password, that you not share your account credentials with others or allow your credentials to be easily accessed by others, that you connect to our Site over secure networks, that you log out after using our service, and that you stay alert to unusual or suspicious activities.
Wellthy has taken the necessary steps to review the information security practices at Higher Logic and to verify that Higher Logic adequately supports their software and is aligned with Wellthy's security measures. Please reach out to privacy@wellthy.com for additional information.
12. Breach Notification
Wellthy has taken the necessary steps to ensure auditing and monitoring capabilities exist within Higher Logic’s software, and that appropriate breach notification procedures are in place for Higher Logic to meet the breach notification requirements set forth by Wellthy. Please reach out to privacy@wellthy.com for additional information.
US Breach Notification – If any personal information we possess is the subject of a data breach and your personal information is implicated according to any US state or federal law that may apply, Wellthy will take appropriate action, including providing you with notice, as such law or laws may require.
Canadian Breach Notification – If a breach occurs that impacts Canadian data subjects, Wellthy will notify the Commissioner pursuant to PIPEDA and, when relevant, the correct authority under provincial laws.
EEA Breach Notification – In the event of a data breach impacting EEA data subjects, Wellthy will first notify the relevant data protection authority of the breach within 72 hours of becoming aware of the breach and notify affected data subjects as soon as is feasible and without undue delay if the breach is likely to result in a high risk to the rights and freedoms of such data subjects.
UK Breach Notification – In the event of a data breach impacting UK data subjects, Wellthy will first notify the ICO of the breach within 72 hours of becoming aware of the breach and notify affected data subjects as soon as is feasible and without undue delay if the breach is likely to result in a high risk to the rights and freedoms of such data subjects.
13. General Inquiries and Updates
For inquiries about this Privacy Policy or to make a request or file a privacy complaint, please contact privacy@wellthy.com or call +1 (877) 588-3917.
This Privacy Policy may be updated from time to time, so please check back regularly for updates.