WellRight Privacy Policy

Last Updated: May 30, 2018

This WellRight Privacy Policy (this "Privacy Policy") describes how WellRight, LLC and its affiliates (collectively, "WellRight", "the Company", "we", or "us") collect, use, disclose, and otherwise process Personal Information and Health Information (each defined below).

I. APPLICATION OF THIS PRIVACY POLICY TO WELLRIGHT SERVICES AND WEBSITES

This Privacy Policy describes how WellRight processes Personal Information and Health Information that it collects when you use WellRight Services, including AgeGage and WellRight programs, tools, profilers, applications and associated messaging services and programs; and WellRight websites.

Android Advertising ID

The Android Application uses a 3rd party (Google Firebase Analytics) which makes use of the Android Advertising ID to collect analytics information. The Android Advertising ID is not used in any other context within the application.

WellRight Services

WellRight services provided by the Company (the "Services") are an interactive health risk assessment and health and wellness management program that generates reports and recommended plans of action, as well as educational materials, based on information entered into the system. This information may be entered by you or by someone using the Services on your behalf (such as a friend, family member, or other person). These reports can be used by you to learn more about Health Information (defined below), and to track and monitor your particular health situation. The more you engage with the Services, the more you will learn about your particular health situation.

We provide the Services to you on behalf of an employee benefits administrator, pharmacy, retailer or other entity that provided you access to WellRight ("Third Party Provider"), in some cases through an embedded or co-branded website. We are contractually bound to process Personal Information under their instructions, and we strongly advise you to review privacy notices provided by any Third Party Provider.

WellRight Websites

In addition to information collected through the Services, we also collect information about individuals who visit WellRight-operated websites that link to this Privacy Policy (collectively, the "Site").

II. WHAT DO TERMS SUCH AS PERSONAL INFORMATION AND HEALTH INFORMATION MEAN?

"Personal Information" means information that would allow someone to identify or contact you, including, for example, your name, address, telephone number, and e-mail address. Personal Information does not include aggregated information that, by itself, does not permit the identification of individual persons, such as statistics about how many visitors WellRight received last month.

"Health Information" means information related to a medical condition or other indicia of health. Health Information does not include contact and account information entered when registering for WellRight. Health Information is also Personal Information unless it cannot be linked or associated with the individual to which it relates. By way of example, we may aggregate Health Information (without linking it to Personal Information) with that of other WellRight users to generate statistics regarding the number of WellRight users who are at risk of certain diseases based on self-reported answers to historical diagnosis information.

"UID" means a unique user identification number, which is provided to WellRight by the Third Party Provider allowing you to establish your account.

III. WHAT PERSONAL INFORMATION OR HEALTH INFORMATION DOES WELLRIGHT COLLECT?

Creating an Account. We require you to establish an account to use WellRight. The Third Party Provider for your account will provide WellRight with a UID that carries no information other than the authorization rights to create an account. If you choose to create an account, we collect, at a minimum, the following information: (a) an e-mail address, (b) a password, and (c) a reminder hint in case you forget the password. You may also be asked to provide additional information such as (a) name, (b) mailing address, and (c) phone number. Once an account has been created, we will continue to use your assigned UID for you.

Health Information for Reports. WellRight collects Health Information provided on a voluntary basis and in accordance with consent. You may provide us Health Information directly (e.g., by completing an Assessment) or through other sources that you authorize us to receive information from (e.g., a wearable device). Use and disclosure of Health Information is limited (see Section IV, Health Information and Section V), and its transmission is protected using encryption technology (see Section IX, Security Measures). To withdraw your consent for the processing of Health Information about you, you may send a request to privacy@wellright.com and we will promptly take steps in accordance with applicable law to honor your request. If you withdraw your consent, you may be ineligible for rewards offered through the Services that are based on health-related objectives and metrics.

Browsing Information. When you browse or use the WellRight Site or Services, we may collect certain browsing information, to the extent applicable, including the following: (a) IP address, (b) the date and time at which you accessed the Services, (c) the pages that you visited, (d) the link you followed to reach the Services, and (e) your browser and operating system.

Cookies and Device Identifiers. Cookies are small files that are placed on your computer's hard drive by your Internet browser. A device identifier is a unique identifier assigned to the device that you use to access the Site or Services. We use cookies or device identifiers on our Site and Services to identify visitors who have used WellRight and certain features of it before. Third Party Providers and their advertisers may also set cookies in connection with their content and advertisements, but we do not control their use of cookies. Most browsers provide you with the ability to block, delete, or disable cookies, and your device may allow you to disable transmission of device identifiers. If you choose to reject cookies or block device identifiers, some features of the Site and Services may not be available or some functionality may be limited or unavailable.

WellRight does not track users over time and across third party websites to provide targeted advertising. Accordingly, we do not currently respond or take any action with respect to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of Personal Information about an individual consumer's online activities over time and across third-party web sites or online services.

Website Analytics. We use Google Analytics, an analytics service to help us analyze the traffic on the Service. For more information on Google Analytics' processing of Personal Information, please see How Google uses data when you use our partners' sites or apps."

IV. HOW DOES WELLRIGHT USE PERSONAL INFORMATION OR HEALTH INFORMATION?

De-identified and Aggregated Information. We may use de-identified information such as browsing information or aggregated user information to develop reports and analyses that help us enhance or promote our services.

Personal E-mails/Messages. We may use Personal Information to contact you if you request or have consented for us to do so, if there is a problem or an update to your account that requires you to be notified, or, if you are a registered user of the Services, to send you information relating to the Services or similar services that we provide. You may withdraw your consent or opt out to receiving certain communications (e.g., marketing communications) by following the instructions provided in the messages that you receive.

Health Information. Health Information, in non-aggregated form, is used primarily for the creation of reports and interactive educational and tracking features through the Services. Reports may include treatment options, interactive features, and trackers and tools. Based on the data that is entered into WellRight, we may provide you with links to personal challenges, courses, or other features of WellRight that are likely of interest to you.

WellRight provides social and community features. These sections are voluntary to join. No Health Information that is Personal Information is directly provided to the community by WellRight. Some of the community sections, such as a "Diabetic Forum" may allow other participants to draw inferences about a particular user's health, even though no specific details regarding the user's health is provided by WellRight to the community. As a user, you must decide what information you wish to provide to the community forums.

To the extent your Health Information is also Personal Information, we process it based on your explicit consent. To withdraw your consent, you may request that we delete Health Information about you following the instructions provided in Section VI of this Privacy Policy. If you withdraw your consent for the processing of Health Information about you, you will continue to have access to your account, but certain features of the Services may be unavailable.

Additional Uses. In addition to the above uses, we may use Personal Information for any of the following purposes: (1) to provide, analyze, administer, and improve our Site and services; (2) to provide the Services and Site; (3) to respond to specific requests from you and other visitors; (4) to provide any necessary notices to you or other visitors if situations prompt such notification; (5) to protect the security or integrity of our Services if necessary; and (6) as necessary to meet legal obligations.

V. UNDER WHAT CONDITIONS DOES THE COMPANY DISCLOSE YOUR INFORMATION?

We do not disclose—including selling, leasing, renting, loaning, or transferring—Personal Information to third parties except as stated in this Privacy Policy or with your explicit consent. Our disclosure to third parties is limited to the types of recipients and the purposes described in this section:

Contractors. We use contractors to help with some of our operations. Some of these contractors will have access to our database on a temporary basis for specific tasks. The Company may also use contractors to help with certain aspects of its operations (such as ensuring we do not send email messages to those who have opted out of our messaging programs, clinical trials recruitment and enrollment, newsletters and other similar features), which may require the contractor to access Personal Information. For example, we work with Springbuk for data analytics, Google Analytics to analyze the traffic on the Site, eHealth Screenings for biometric services, and Amazon Web Services to host the Site and the Services. The Company takes steps to ensure that these contractors maintain the confidentiality of Personal Information and use Personal Information only as necessary to perform the services they are asked to perform.

Other Disclosures. We may share Personal Information with third parties under the following circumstances: (i) in connection with a court order, subpoena, government investigation, or when otherwise required by law; (ii) in the event of a corporate sale, merger, acquisition, or similar event; (iii) working with third-party companies to support any technical operation or execute a specific promotion or program (such as providing responses to conduct surveys, or maintain a database of visitor information, etc.); or (iv) to facilitate your transactions with our third-party marketing partners.

VI. HOW CAN YOU EXERCISE YOUR RIGHTS RELATING TO PERSONAL INFORMATION?

You have the right to access and update or change any information you believe is incorrect. You may change Personal Information and Health Information within WellRight online at any time. Alternatively, you may make a request to privacy@wellright.com to review Personal Information about you. If you request that certain Personal Information be changed, we will make the changes in accordance with applicable law.

At any time, you may also request that we remove Personal Information and Health Information from our database. Depending on where you live, you may have additional rights under applicable law, such as the rights to export or object to or restrict the processing of Personal Information, and the right to erasure of Personal Information. To exercise such rights, send us a request at privacy@wellright.com and we will promptly respond in accordance with applicable law.

We will take commercially reasonable steps to propagate changes made pursuant to this Section to third parties with whom we may have shared your information in accordance with this Privacy Policy.

You may also have a right to lodge a complaint with a supervisory authority or other regulatory agency if you believe that we have violated any of the rights concerning Personal Information. We encourage you to first reach out to us, so we have an opportunity to address your concerns directly before you do so.

VII. CHILDREN'S PRIVACY

The Services are not intended for use by children. Accordingly, we do not intend to collect Personal Information from anyone we know to be under 18 years of age.

VIII. HOW DOES THIS PRIVACY POLICY RELATE TO THIRD-PARTY WEB SITES?

We cannot control, nor are we responsible for, the privacy practices or content of third-party websites and applications linked to the Services. Our Privacy Policy applies solely to Personal Information collected through the WellRight Services and Site.

IX. HOW DOES THE COMPANY PROTECT PERSONAL INFORMATION AND HEALTH INFORMATION?

Security Measures. In areas of WellRight where Personal Information is entered and viewed, WellRight has industry-standard security measures in place to protect the loss, misuse, or alteration of the information under our control. Except as provided elsewhere in this Privacy Policy, we limit access to Personal Information to those persons in our organization who have a business need (including servicing your account, informing you of news and offers, or aggregating information) for such access. You should know, however, that no company, including us, can fully eliminate security risks associated with Personal Information. As such, we cannot guarantee that our standard measures will prevent a third party from circumventing our security measures and unlawfully intercepting or accessing transmissions or private communications, or where an error may occur in the administration of the Services. As such, we recommend that you use caution whenever submitting Personal Information online or through a mobile application.

Compliance Statement. The Company is neither a "Covered Entity" nor "Business Associate" to Covered Entities as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 and its regulations ("HIPAA"), except in specific cases. In those cases, we will enter into "Business Associate Agreements" when required, and abide by all legal requirements of such agreements. When we participate with a third party which operates and maintains a personal health record ("PHR") which is subject to the Health Information Technology for Economic and Health Act ("HITECH") of the American Recovery and Reinvestment Act ("ARRA"), they shall abide by any federal regulations applicable to PHR related entities. Nevertheless, recognizing the importance to our users of protecting and securing their Personal Information as well as their Health Information, we have adopted a corporate compliance plan which includes adoption of the administrative, physical and security safeguards set forth in the current HIPAA Privacy and Security Compliance Program for the Company.

X. PERSONAL DATA TRANSFERRED FROM THE EU OR SWITZERLAND TO THE UNITED STATES.

WellRight complies with the EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework (collectively, "Privacy Shield") as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data from European Union (the "EU") member countries and Switzerland. WellRight has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. A violation of our commitment to Privacy Shield may be investigated by the Federal Trade Commission and/or the United States Department of Commerce. If there is any conflict between the policies in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, to the extent available, please visit https://www.privacyshield.gov.

In compliance with the Privacy Shield Principles, WellRight commits to resolve complaints about your privacy and our collection or use of Personal Data about you. Persons from the EU or Switzerland who have inquiries or complaints regarding this Statement should first contact us via email at: privacy@wellright.com

WellRight has committed to refer unresolved privacy complaints under the Privacy Shield Principles to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint.

These recourse mechanisms are available at no cost to you. Damages may be awarded in accordance with applicable law. Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel. In cases of onward transfer to third parties of data of EU or Swiss individuals received pursuant to the Privacy Shield, WellRight is potentially liable.

XI. RETENTION OF PERSONAL INFORMATION

We will retain Personal Information about you for the period necessary to fulfill the purposes for which Personal Information about you has been collected as outlined in this Privacy Policy. Typically, we delete all Personal Information relating to an agreement with a client upon the expiration of that agreement, unless a longer retention period is required by law. We retain backup copies of Personal Information for 90 days thereafter.

XII. GENERAL

Amendments to this Privacy Policy. WellRight may modify or update this Privacy Policy from time to time, so please review it periodically. Where required by applicable law, we will provide you with notice of material changes to the Privacy Policy and, if further required by law, provide you with an opportunity to consent to such changes. Unless otherwise indicated, any changes to this Privacy Policy will apply immediately upon posting to the WellRight Services.

Additional California Privacy Rights. California Civil Code Section 1798.83 permits users that are residents of California to request certain information regarding a company's disclosure of personal information (as defined by California law) to third parties for such third parties' direct marketing purposes. If user is a California resident and would like to make such a request, please contact us as set forth below.

Contact WellRight's Privacy Officer. Our intention is to be diligent in protecting your privacy by strictly following our Privacy Policy. If you would like to make suggestions or find out more about our privacy practices, please contact our Privacy Officer at privacy@wellright.com or call 1-312-724-6909. Our mailing address is WellRight, LLC, 600 W Van Buren, Suite 800, Chicago, IL 60607.

Miscellaneous. The term "including" in this Privacy Policy means "including without limitation." If you need this Privacy Policy in another language please contact privacy@wellright.com for assistance.