Privacy Policy

Last updated July 27, 2021

Ensuring your privacy is of great importance to us at Wellthy and is fundamental to our core service.

This Privacy Policy provides transparency about the privacy practices of Wellthy, Inc. (“Wellthy,” “we,” “our,” or “us”), including how we collect, process, and disclose personal information, and how you can control and manage your privacy choices. Please take time to review this policy prior to providing Wellthy your information.

Who is Wellthy?

Wellthy is a Care Concierge Service providing both human and technology support to families and individuals. Through our Care Coordinators, Wellthy helps plan and accomplish important care related tasks within a modern online experience. Scheduling appointments, refilling prescriptions, handling prior authorizations, sourcing and vetting the right in-home aide, handling a move into a care facility, and contesting insurance bills are just a few of the services Wellthy provides to its customers.

1. Scope and Applicability

The scope of this Privacy Policy includes Wellthy and any of our affiliates with whom we may share personal information, and encompasses all of our services and includes the services made available through Wellthy.com and other Wellthy websites and applications.

This Privacy Policy applies to individuals in the United States, Canada, and the United Kingdom. Our relationship with you will determine how this Privacy Policy applies to you and your information. In general, if you engage with us directly and independently of a third party, this Privacy Policy most likely applies. However, if we are processing your information as a service provider to a third party, that third party is most likely responsible for your privacy. If you have any doubt as to who is responsible for your information, please contact privacy@wellthy.com.

Where applicable, this Privacy Policy is presented to you at or before the time your information is collected to provide you with advanced notice of our practices.

2. Information We Collect and Receive

Wellthy may collect personal data directly from you; however, we sometimes receive your information from loved ones (“Care Team Members”) helping to facilitate and coordinate care services on behalf of others. We collect and process data when you use the site, including when you sign up to create an account. Information is collected from the following categories of individuals:

Employers – Employers are persons responsible for administering their organization’s subscription to Wellthy’s Care Concierge Service on behalf of their organization. We collect the following personal information from Sponsor Administrators:

  • Business Contact Information – First and last name, employer, title, business phone number, business email address, business address

Enrollee – An Enrollee is a person enrolled in Wellthy’s Care Concierge Service. We collect the following personal information from Enrollees who are enrolled in our service:

  • Contact Information – First and last name, email address, job title/position, employer name
  • Payment Information (for private pay Enrollees only) – First and last name, email address, payment card number, billing address, payment amount

Care Recipient – A Care Recipient is a person receiving care coordination services and who may or may not also be an Enrollee. In cases where a Care Recipient is someone other than the Enrollee, we may receive Care Recipient information directly from the Care Recipient’s Enrollee. If you are an Enrollee sharing a Care Recipient’s information with Wellthy on the Care Recipient’s behalf, you must be legally authorized to share such information (e.g. Power of Attorney). We collect the following information about Care Recipients:

  • Contact and Identification Information – First and last name, phone number, physical address, email address, date of birth
  • Medical and Health Information – Diagnosis information, medical records, medical record number, social security number, health insurance information, health insurance claims information

Care Team Members – Care Team Members are additional individuals, other than those described above, who wish to remain informed about and assist with a Care Recipient’s journey. We collect the following information about Care Team Members:

  • Contact Information – First and last name, phone number, email address, physical address, date of birth
  • Medical and Health Information – Diagnosis information, medical records, medical record number, social security number, health insurance information, health insurance claims information

Sales Prospect – A sales prospect is a prospective interested party or candidate for Wellthy’s Care Concierge Service. Wellthy may collect or receive the following information about Sales Prospects:

  • Business and/or Personal Contact Information – First and last name, employer, title, phone number, email address, physical address

Website User – A Website User is a person who accesses or interacts with our website. Wellthy may collect or receive the following information about Website Users:

  • Log Data – Information collected by our servers when you access our website, including IP addresses, referral URLs, browser type and settings, date and time of usage, language preferences, and cookie data
  • Device Data – Information about your device, including type of device, operating system, application IDs, unique device identifiers, and crash data
  • Analytics Data – Approximate geolocation based on your IP address and other information from your browser and device
  • Contact Information – Your name, phone number, email address, and mailing address, etc. if you engage with us through our webforms, live chat, or other contact methods

3. Our Uses of Personal Information

Our use of your personal information is limited to the purposes disclosed to you in this Privacy Policy, or by other means, as required by law. In general, we use your personal information to operate our care concierge services business, including care coordination, assisting with providers, and appointment scheduling. We also use your personal information to protect the security of our platform and to better understand how our services are used to improve our services. Specifically, Wellthy uses personal information in the following ways:

We use Enrollee Information to:

  • Verify your identity in connection with account creation
  • Provide you with requested services
  • Communicate with you about the website and respond to your questions or requests
  • Send you marketing communications and/or contact you about special events, programs, surveys, contest, sweepstakes, and other offers or promotions
  • Generate and analyze usage statistics to improve and customize your experiences
  • Process payments via a third-party payment processor connected to the website

We use Care Recipient Information to:

  • Provide requested services
  • Respond to your questions and inquiries

We use Care Team Member Information to:

  • Provide requested services
  • Help coordinate communications and requests among Care Team Members

We use Sales Prospect Information to:

  • Identify sales opportunities
  • Communicate with you about Wellthy’s services

We use Website User Information to:

  • Ensure the functionality and availability of the website
  • Ensure the security and authorized use of the website and Wellthy’s platform
  • Generate and analyze usage statistics to improve and customize your experience with the website
  • Identify opportunities to improve our services and platform

Our use of personal information also includes any other purpose that you may intend or direct us to perform through your use of our services. If your personal information is de-identified or anonymized through aggregation or by other means to the extent that it can no longer identify you, then this information will no longer be considered “personal information” under this Privacy Policy.

4. How We Share Information

Wellthy shares and discloses personal information to third parties as needed to provide our services and operate our business. The categories of third parties with whom we may share information includes:

Care Team Members

We may share Care Recipient information with Care Team Members (typically, a family member or loved one) who are involved in coordinating care for the Care Recipient.

IT Service Providers

We may share any category of personal information with our IT Service Providers as needed to operate our services, including with our virtual computing, web services, payment processors, and storage service providers. A list of our subprocessors is available upon request to privacy@wellthy.com.

Care Associated Organizations

At your direction and only upon signing an authorization form, we may share your information with doctors, health insurance companies, care facilities and treatment centers, and other medical and related services providers associated with your care plan or the care plan of a loved one.

Business Services Providers

We may share any category of personal information with our business services providers as needed in the operation of our business, including security vendors, third party developers, external auditors, analytics providers, and professional advisers.

Corporate Activities

We may share any category of personal information with potential investors or lenders and as part of a transaction involving a merger, acquisition, divestiture, public offering, or similar transaction involving our business.

Government and Legal

We may share any category of personal information with third parties as may be required by applicable law, regulation, or legal process.

Sale of Personal Information. Wellthy does not “sell” personal information as defined by the California Consumer Privacy Act (CCPA) of 2018, Vermont’s protection of personal information law (9 V.S.A. § 2430), or Nevada’s 2019 privacy amendment, and have not sold personal information within the previous 12-month period from the date of this policy. If we decide to sell your personal information, we will provide you with an opportunity to opt-out as the law may require.

Wellthy may share de-identified or anonymized data with third parties, such as Sponsoring Organizations (e.g. employers who offer Wellthy as an employee benefit) for statistical and reporting purposes. This may include aggregated data and not individual-specific information. Some employers may ask us to share their employees' personal information with them for tax reasons. If this applies to your employer, this will be communicated to you in relevant materials.

5. Communications and Marketing

In compliance with local rules, Wellthy may periodically send you newsletters that include information about our services, partners, and enhancements. If you no longer wish to receive e-mail marketing communications, you may unsubscribe/opt out by contacting privacy@wellthy.com.

Online Advertising. Wellthy may also use third-party retargeting technology, to advertise Wellthy to organizations interested in providing our services as a benefit to employees. This means we may show ads to you on LinkedIn.com, Facebook, and Google if you visit certain pages on the site that highlight our Employer offering. We will not use this technology on pages that you visit when you are logged in as a user of the site after creating an account. Control of LinkedIn advertising is available through your account settings and you may completely opt out of LinkedIn retargeting here. You can also update your Google ad preferences and Facebook ad preferences.

6. Data Retention and Disposal

Wellthy retains and disposes of personal information in accordance with our data retention schedules. Generally, this means:

  • Personal data collected on the basis of legitimate interest, including Website User Information and Sales Prospect Information, is reviewed for deletion periodically to assess the necessity and proportionality of the processing.
  • Certain personal data associated with the provision of our services is retained for a standard period of seven years unless extensions are necessary in order to comply with legal rights and obligations.

Once the retention period has expired, we will delete your data and/or de-identify your personal information such that it can no longer identify you. With respect to all personal data, where the purpose of the processing is satisfied or where consent to processing has been withdrawn, such data will be deleted unless we need to retain it for legal or compliance purposes.

7. UK General Data Protection Regulation (UK GDPR)

The following applies only to United Kingdom (UK) data subjects:

Controller Relationship. Except to the extent that Wellthy may be a “processor” of personal information received from a third party, Wellthy is a “controller” with respect to your personal information and you may contact us directly to exercise your data protection rights or file a privacy complaint.

Lawful Basis for Processing Personal Information. Our lawful basis for collecting and processing personal information will depend on the circumstances upon which the personal information was collected.

  • In most circumstances related to the provision of our services, our processing of personal information is based on Wellthy’s legitimate interests. For example, onboarding new Enrollees is based on our legitimate interest in providing our services. Wellthy reviews the necessity and proportionality of such processing to assess whether the rights and freedoms of the data subjects is not outweighed by the processing.
  • In special circumstances, you may provide your express consent to Wellthy’s processing of your personal information. For example, where special category data (e.g. health data) is processed under Article 9 UK GDPR. In such cases, Wellthy will take steps to ensure that your consent is informed and freely given.
  • In other circumstances, Wellthy may process your personal information if necessary to perform a contract with you. For example, if you sign up and enroll in Wellthy directly.

Automated Decision-making. Wellthy’s processing of personal information may include automated decision-making, specifically with respect to the assignment of a Care Coordinator to a Care Recipient. This processing is intended to best align a Care Coordinator to your specific needs.

International and Onward Transfers of Personal Information. Wellthy is a US-based company with data centers located in the United States. Your personal information will be transferred across international borders and processed in the US. The US may have different or less protective data protection laws than your own country. International transfers of personal data (including onward transfers) to third countries which have not achieved adequacy under GDPR Article 45 are made pursuant to the EU Commission’s Standard Contractual Clauses (SCCs) (available here: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847) and are subject to a transfer impact assessment. Where necessary, supplementary measures are adopted by the data importer and exporter to ensure personal data is afforded an essentially equivalent level of protection in the third country.

Privacy Rights of UK Data Subjects. If you are a located in the UK, subject to certain limitations, you have the following data protection rights:

  • Withdrawal of Consent. If processing is based on your consent, you have the right to withdraw consent to the processing at any time.
  • Right to Object to Processing. If processing is based on legitimate interest, you have the right to object to the processing at any time.
  • Right to Object to Automated Processing. You have the right not to be subject to a decision based solely on automated processing, including profiling.
  • Access and Rectification. You have the right to access, correct, and update your personal information without undue delay.
  • Deletion or Erasure. You have the “right to be forgotten” through the erasure or deletion of your personal information without undue delay.
  • Portability. You have the right to move, copy, or transfer personal data from our service to another service. If requested, we will provide you with a machine-readable file to transfer.
  • Stop Processing. You have the right to object to the processing of your personal information and to ask us to restrict the processing of your personal information, subject to certain limitations.
  • Submit a Complaint. You have the right to submit a complaint to the Information Commissioner’s Office (ICO) about our collection and use of your personal information. Contact details for the ICO is available here: https://www.gov.uk/data-protection/make-a-complaint

Exercising Your Rights Under the UK GDPR. You may exercise many of your rights through your account or our self-service portal or by submitting a request to our Data Protection Officer at privacy@wellthy.com or by calling (877) 588-3917.

We respond to and process requests promptly and within the timeframes required by the UK GDPR. Please note that requests that could adversely impact the rights and interests of a data subject are subject to appropriate verification before processing.

Local Representative. Contact information of our UK local representative:

European Data Protection Office UK (EDPO)
Address: 8 Northumberland Avenue London, England WC2N 5BY
Email: info@edpo.com

8. Exercising Control Over Your Privacy

Wellthy provides several ways for you to exercise control over your privacy. For Enrollees, you may access and correct much of the personal information we have collected about you simply by logging into your account.

For other individuals you may make a privacy request by contacting Maria Silverberg at privacy@wellthy.com. In its discretion and without obligation, Wellthy may fulfill privacy requests as a courtesy to other individuals subject to appropriate prior verification.

9. Cookie Policy and “Do Not Track” Requests

Our use of cookies. Wellthy uses cookies in a range of ways to improve your experience on our website. We may automatically collect certain information when you visit our Site, including through cookies, web beacons and other technologies. Such cookies include strictly necessary cookies, performance cookies, functional cookies, and targeting cookies. For example, we may use analytics cookies to generate and analyze statistics about your use of the Site and functional cookies to improve and customize your experience with the Site. We may also use marketing cookies to collect aggregate information about Site users. The information collected for these purposes (including your IP address and other information collected by automated means) may be disclosed to or collected directly by our third-party web analytics service providers, such as Google Analytics. To learn more about how Google uses your information, please, click here.

To adjust your cookie settings, you may do so when you initially access our website. Users in the UK will be presented with an opportunity to consent to non-essential cookies by opting in to cookies when they first visit our Site.

Do Not Track signals. In accordance with the California Online Privacy Protection Act (CalOPPA), we want to inform you about our “Do Not Track” (“DNT”) request policy. DNT is a feature that some web browsers offer to allow users to send signals to websites so that no information about their browser session will be shared. You may enable your web browser to send our website a DNT request, but your browsing and user experience may be degraded. Sometimes, DNT does not work even when enabled. You can learn more about DNT here: https://www.eff.org/issues/do-not-track

10. Children’s Data

Children’s Data in the United States and Canada. In accordance with the Children's Online Privacy Protection Act ("COPPA"), Personal Information Protection and Electronic Documents Act (“PIPEDA”), and other US state and Canadian provincial laws, this website and Wellthy’s services are not marketed to children under thirteen (13) years of age and you may not sign up for Wellthy if you are under 13 years of age. If you learn that a United States or Canadian-based child under the age of 13 has created an account with Wellthy, please contact us at privacy@wellthy.com.

Children’s Data in the UK. Wellthy recognizes that children’s information is more sensitive than that of adults and that children’s information often requires greater protection. While different UK jurisdictions set different ages of majority, Wellthy takes steps to prevent children under the age of majority from signing up for its services in each jurisdiction.

Children as Care Recipients or Care Team Members. Notwithstanding the foregoing, a parent or legal guardian of a child may share the child’s information with Wellthy to provide them with care coordination services. We ask that information about children under the age of majority not be provided to Wellthy without the prior consent of the child’s parent or legal guardian. By providing the information of a child under the age of 13 in the US and Canada, or 12 in the UK, you are affirming that you are legally authorized to provide such information.

11. Information Security

Through our information security program, Wellthy has implemented technical and organizational measures to ensure the protection of personal information. Our efforts include:

  • Risk assessments
  • Access controls
  • Encryption of personal data
  • Vulnerability and penetration testing
  • Monitoring
  • Incident response
  • Backup and recovery
  • Vendor management
  • Security awareness and training

When interacting with Wellthy, we recommend that you create a unique and difficult password, that you not share your account credentials with others or allow your credentials to be easily accessed by others, that you connect to our website over secure networks, that you log out after using our service, and that you stay alert to unusual or suspicious activities.

12. Breach Notification

US Breach Notification. If any personal information we possess is the subject of a data breach and your personal information is implicated according to any US state or federal law that may apply, Wellthy will take appropriate action, including providing you with notice, as such law or laws may require.

Canadian Breach Notification. If a breach occurs that impacts Canadian data subjects, Wellthy will notify the Commissioner pursuant to PIPEDA and, when relevant, the correct authority under provincial laws.

UK Breach Notification. In the event of a data breach impacting UK data subjects, Wellthy will first notify the ICO of the breach within 72 hours of becoming aware of the breach and notify affected data subjects as soon as is feasible and without undue delay if the breach is likely to result in a high risk to the rights and freedoms of such data subjects.

13. General Inquiries and Updates

For inquiries about this Privacy Policy or to make a request or file a privacy complaint, please contact Maria Silverberg at privacy@wellthy.com or call (877) 588-3917.

This Privacy Policy may be updated from time-to-time, so please check back regularly for updates.

Sorry, but your browser is not supported. Please email support@wellthy.com if you have questions about how you can access Wellthy.