Effective Date: March 31, 2021

INTRODUCTION

This Privacy Statement describes the practices and policies of Even Health LLC (“Even Health”) regarding the collection, use, storage, and disclosure of personally identifiable information (“Personal Information”) we collect from our websites (www.even.health; www.mycabana.health) (the “Website”) and related services (collectively, the “Services” or “Service”).

You may have been invited to use the Service by your Employer or your health benefits provider (an “Enterprise Customer”), or a third-party healthcare provider, or you may have subscribed or used the Service for your personal use.

BY ACCESSING OR USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTAND, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY AND OUR WEBSITE TERMS OF USE AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR PERSONAL INFORMATION AS SET OUT IN THIS PRIVACY STATEMENT.

WHAT INFORMATION DO WE COLLECT?

We may collect the following types of Personal Information in connection with our delivery of Services to you:

  • When you register to receive services from us, whether in your individual capacity or on behalf of an organization, we collect any Personal Information that you submit through our registration form, including your name, email address, mailing address, phone number, payment card information, and any other Personal Information you voluntarily submit through the online registration form (your “Account Data”).
  • When we provide services to you, we may collect additional Personal Information that you voluntarily provide to us, our coaches, and clinicians, including information about your personal goals and circumstances; some of this information may be health information (your “Care Data”).
  • When you use our Services via a mobile device, we automatically collect information about your web browser, mobile device, and how and when you use our mobile application, including the manufacturer and model of the device, unique device identifiers, and IP address (“Mobile Data”).
  • We collect usage information about our Website and Services and use visitor logs to compile anonymous aggregate statistics (e.g., information such as your web requests, browser type, browser language, domain names, referring and exit pages and URLs, platform type, pages viewed and the paths you took on our Site, and IP Addresses) (“Usage Data”).
  • When you use the Services to respond to our surveys and health questionnaires, we may collect the information you voluntarily provide in your responses as well as inferred health status for specific conditions and survey alerts (your “Survey Data”).

We may also collect Personal Information that you voluntarily provide to us when you contact us with a question or comment about our Services.

HOW DO WE USE INFORMATION WE COLLECT?

PERSONAL INFORMATION

We will use and store Personal Information for the purpose of delivering the Services to you and, where applicable, to Enterprise Customers and healthcare providers, and to analyze and enhance the operation of the Service.

We also use and store Personal Information and, where applicable, information obtained from Enterprise Customers and providers, for proprietary analysis and development of personalized behavioral profiles for you and/or, where applicable, the healthcare provider or Enterprise Customers. Any Care Data, Mobile Data, Usage Data, or Survey Data provided to Enterprise Customers will be anonymized or de-identified.

In particular we use:

  • Account Data to manage your account, communicate with you in relation to your account, process your transactions, and deliver and monitor the performance of our services;
  • Care Data to help you, your coach or group leader understand your personal objectives and circumstances, help you develop and execute strategies to overcome your challenges and achieve your goals, deliver appropriate care, evaluate the quality and progress of our program, and optimize delivery of services;
  • Mobile Data to monitor and enhance the performance of the services, analyze trends, usage and activities in connection with the services, and ensure its technological compatibility with users;
  • Usage Data to analyze trends, administer our services, improve the design of our application and Website, and otherwise enhance the services we provide;
  • Survey Data and reports to better understand your health status, receive feedback on the quality of our services, and to provide proactive alerts.

To allow for additional research, product development, and insights over time, Even Health may anonymize or de-identify your Personal Information and health information (if any health information is collected) in a manner that meets the Health Insurance Portability and Accountability Act of 1996 (HIPAA) de-identification standard, such that such data is no longer reasonably identifiable.

AGGREGATE INFORMATION

We create statistical, aggregated data relating to our users and the Service for analytical purposes. Aggregated data includes data derived from Personal Information and obtained by Even Health from other sources in aggregated, anonymous form. Aggregate Information cannot reasonably be used to identify any individual. We use Aggregate Information to understand our customer base, market our Services, and improve and enhance our site and services.

EMAIL AND OTHER COMMUNICATIONS

We may use your personal information to contact you regarding an inquiry or to provide you with more information about Even Health or other marketing information that we believe you may be interested in. We will send you email alerts or notification messages unless you unsubscribe. If you wish to opt out of these emails, you may do so by following the “unsubscribe” instructions in the email; provided however, Even Health may maintain the right to send you important emails about your account or the Services.

Email and text messaging allows healthcare providers to exchange information efficiently for the benefit of users. We recognize that email and text messaging may not be a completely secure means of communication. Your use of the Service means that you agree and consent to the use of email and/or text messaging as an acceptable form of communication.

LEGAL EXCEPTIONS

Under certain circumstances, Personal Information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders. As such, notwithstanding the above, we may in any event use Personal Information to the extent required or permitted by applicable law to resolve disputes, to enforce our agreements (including the Terms of Service) with you, or as reasonably necessary to protect our legal rights, to protect you against self-harm, or to protect third parties.

USER TESTIMONIALS

We value your feedback on, and appreciate any testimonials about, our Services. If you send us any such feedback or testimonials, they shall be deemed, and shall remain, the property of Even Health and shall be subject to any obligation of confidence on our part. However, Even Health shall obtain prior written approval of any usage of your identity or contact information, if Even Health wishes to reference you in connection with that feedback or testimonial.

WHAT INFORMATION DO WE DISCLOSE TO THIRD PARTIES?

We will not sell or rent your personal information to any other company or organization. We will not disclose your Personal Information to any third party except as follows:

  • To a provider on whose behalf the information was collected for the purpose of providing services to you.
  • To emergency services and other agencies to protect you, the clinician, the coach, or others from harm.
  • To third parties engaged to provide services on our behalf such as managing our accounts, processing transactions, operating the Service, or providing customer service. We enter into agreements which require such providers to protect such information and use the Personal Information they receive only to perform services for us.
  • To obtain and process payment for our services.
  • To law enforcement, judicial authority, or governmental or regulatory authority, to the extent required by law or if in our reasonable discretion disclosure is necessary to enforce or protect our legal rights, to protect you, or to protect third parties.
  • In the event of a reorganization, merger, acquisition, asset sale or similar transaction, we may transfer any and all Personal Information we collect to the relevant third party involved in the transaction, with your consent if and as required under applicable privacy laws.
  • We may otherwise disclose your Personal Information only when we have your prior consent to share the information. In such cases, we will have written contracts in place with the third parties requiring them to comply with terms of confidentiality similar to the applicable terms of this Privacy Statement as well as all applicable statutes, regulations and laws pertaining to the protection of such Personal Information.
  • We may share Aggregate Information with third parties where permitted by applicable law.

ACCESSING AND UPDATING YOUR INFORMATION

You have the right to review, amend, or correct your Account Data or other Personal Information held in our database.

Subject to certain exceptions, you have the following rights under our Privacy Statement:

  • to request that we disclose the categories and specific pieces of your Personal Information that we have collected;
  • to have us correct or amend any inaccurate Personal Information;
  • to request that we delete Personal Information that we process about you;
  • to request that we restrict our processing of your Personal Information;
  • to object to the processing of your Personal Information;
  • to send us a complaint regarding our handling of your Personal Information.

To exercise any of these rights please contact us by sending an email to privacy@even.health or by writing us at our office address below, with a clear description of your request. Once we verify your identity as the person whose Personal Information we have collected, we will respond to try to comply with your request as soon as reasonably practicable and always under the timeframes set forth by applicable laws.

RETENTION OF YOUR DATA

We store your Account Data and Personal Information for as long as we need it to provide you our services, to serve the purpose(s) for which your personal information was processed, or as necessary to comply with our contractual and legal obligations, resolve disputes, or enforce our agreements to the extent permitted by law.

If you would like your Account Data or other Personal Information permanently removed from our database, please contact us at privacy@even.health. We will then terminate your account, you will no longer be able to use our services, and you will no longer receive emails from Even Health. Subject to applicable law and necessary record retention requirements, your identifying Personal Information shall be deleted from our records. Please note that we may need to retain certain information for recordkeeping purposes, to complete any transactions that you began prior to your request, or for other purposes as required or authorized by law.

INFORMATION SECURITY

Our Services are hosted on Microsoft Azure and use reasonable security measures, including adhering to the Center for Internet Security’s Critical Security Controls, to protect the security and integrity of your Personal Information in accordance with this Privacy Statement and applicable law. Such measures include restricting access to Personal Data on a “need-to-know” basis. We secure information using industry standard administrative, physical, and technical safeguards including encryption of information that is stored and transmitted. While we attempt to always protect our systems, sites, operations and information against unauthorized access, use, modification and disclosure, it is important for you to know that, despite using these current industry-recommended practices, we cannot guarantee against breaches in security.

You have an important role in protecting Personal Information. You are responsible for maintaining the security of your login ID and password. If you believe that your login ID or password may have been compromised, you should immediately change your password and contact our support services. We are not responsible if someone else accesses your account through registration information they have obtained from you or through a violation by you of the Terms of Service.

LINKS

The Even Health Services may contain links to other websites. Even Health is not responsible for the privacy practices or the content of those websites. Users should be aware of this when they leave our Service and are encouraged to review the privacy statements of each third-party website. This Privacy Policy applies solely to information collected by Even Health.

USE OF COOKIES / WEB BEACONS

We may use cookies, both session and persistent cookies, or web beacons on certain webpages and/or html email correspondence to anonymously track visitors, save website preferences or allow us to recognize visits from the same computer and browser. You have the option to disable cookies in your browser and still use our services, although it may limit your access to the services.

CHILDREN

Even Health does not knowingly collect or maintain personally identifiable information from persons under 18 years of age, and no part of the Service is directed at persons under 18.

PROTECTING THE PRIVACY OF FELLOW EVEN HEALTH USERS

In using Even Health’s services, you may communicate with other users, and as such, you are expected to respect other users’ privacy as outlined below and in Even Health’s End User License Agreement that you agree to when you register for the Services. To keep users’ privacy safe, Even Health prohibits the following actions from its users:

  • Collecting or recording other Even Health user information, communications, or data
  • Disclosing anything from a session to those outside of it
  • Using automated means (such as harvesting bots, robots, spiders, or scrapers) to access Even Health services
  • Soliciting login information or accessing an account belonging to someone else

Please refer to Even Health’s End User License Agreement for detailed and complete information regarding acceptable use of its Services.

CALIFORNIA CONSUMER PRIVACY ACT (CCPA) USE AND DISCLOSURE OF PERSONAL DATA

California Users should understand that Even Health does not sell User data to third parties. State Law requires Even Health to retain such records for at least seven years. The CCPA does not generally apply to medical information governed by the California Confidentiality of Medical Information Act (CMIA) or protected health information collected by a covered entity or business associate governed by the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request, once a year, if Even Health has shared their personal information (non-medical record data only) with other companies for direct marketing purposes during the preceding calendar year. This is California’s “Shine-the-Light Law.” To request a copy of the information disclosure provided by Even Health, please contact us at privacy@even.health. Please allow reasonable time for a response.

If you are a California resident under the age of 18, and a registered user of any site where this policy is posted, California Business and Professions Code Section 22581 permits you to request and obtain removal of content or information you have publicly posted on our site. Even Health does not have Users below the age of 18 and does not typically allow Users to publicly post information. However, if you feel you publicly posted information on the Site and you are between the ages of 13 and 17, please contact us at privacy@even.health. Please allow reasonable time for a response. Please be aware that such a request does not ensure complete or comprehensive removal of the data/content you have posted and that there may be circumstances in which the law does not require or even allow removal of data, specifically medical data, even if requested.

California Right to Know: You may request access to the specific pieces of personal data we have collected about you in the last 12 months. You may also request additional details about our information practices, including the categories of personal data we have collected about you, the sources of such collection, the categories of personal data we share for a business or commercial purpose, and the categories of third parties with whom we share your personal data. You may make these requests by contacting us at privacy@even.health.

California Designated Agent. You may designate an agent to make a request on your behalf. That agent must have access to your account in order for us to verify the request.

California Non-Discrimination. Even Health will never discriminate against you, including by denying or providing a different level of service should you choose to exercise your rights under the CCPA.

VISITORS FROM OUTSIDE THE UNITED STATES

Even Health and its servers are located in the United States and are subject to the applicable state and federal laws of the United States. If you choose to access or use the Service, you consent to the use and disclosure of information in accordance with this Privacy Policy and subject to such laws.

CHANGES

We may modify or amend this Privacy Statement from time to time. If we make any material changes in the way in which Personal Information is collected, used or transferred, this Privacy Statement will be revised to reflect such changes. We will post the updated Privacy Statement and ask for your consent if legally required. The effective date appears at the top of this Privacy Statement.

QUESTIONS

To submit a question or concern, please contact us at privacy@even.health or by writing us at:

Privacy Office

Even Health