Beyond Health and Wellness Privacy Notice

 

VITALITY PRIVACY NOTICE

EFFECTIVE: 02 February 2022

The Vitality Group, LLC (“Vitality”; “We”; “Us”; “Our”) owns and operates the Beyond Health and Wellness mobile application (“Program”). The Program is made available to you through either your employer, your spouse’s employer, or another provider (“Program Provider”). 

Vitality is committed to complying with laws that protect Personal Information (as defined below). The purpose of this Privacy Statement is to provide information about the collection, use and storage of your Personal Information. 

By accessing or using the Program, you consent to the collection, receipt, use, disclosure and retention of your information as described in this Privacy Notice and accept the terms of this Privacy Notice and Our Terms of Use.  If you wish to revoke such consent, please contact your Program Provider or authorized third parties. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent. 

This Privacy Notice applies to Personal Information (defined below) collected by Vitality whether online or offline.

You can request a copy of this Privacy Notice in English or your own language by e-mailing help@vitalitygroup.com

This Privacy Notice will address the following:   

  1. FROM WHOM OR WHERE DOES VITALITY COLLECT PERSONAL INFORMATION ABOUT ME?
  2. WHAT TYPES OF PERSONAL INFORMATION DOES VITALITY COLLECT ABOUT ME?
  3. DOES VITALITY PROCESS SPECIAL CATEGORIES OF PERSONAL INFORMATION?
  4. WHAT IS VITALITY’S LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION?
  5. INTERNATIONAL TRANSFERS
  6. HOW WILL VITALITY USE YOUR PERSONAL INFORMATION?
  7. HOW IS VITALITY PROTECTING MY PERSONAL INFORMATION?
  8. WITH WHOM WILL VITALITY SHARE YOUR PERSONAL INFORMATION?
  9. DOES THE PROGRAM CONTAIN LINKS TO THIRD-PARTY WEBSITES OR APPS?
  10. HOW LONG WILL MY PERSONAL INFORMATION BE RETAINED?
  11. HOW WILL I KNOW IF THIS PRIVACY NOTICE CHANGES?
  12. WILL VITALITY COMMUNICATE WITH ME DIRECTLY?
  13. I RECEIVE THE PROGRAM IN AUSTRALIA – WHAT ARE MY RIGHTS?
  14. I RECEIVE THE PROGRAM IN BRAZIL – WHAT ARE MY RIGHTS?
  15. I RECEIVE THE PROGRAM IN CANADA – WHAT ARE MY RIGHTS?
  16. I RECEIVE THE PROGRAM IN THE EU OR THE UK – WHAT ARE MY RIGHTS?
  17. I RECEIVE THE PROGRAM IN MALAYSIA – WHAT ARE MY RIGHTS?
  18. I RECEIVE THE PROGRAM IN MEXICO – WHAT ARE MY RIGHTS?
  19. I RECEIVE THE PROGRAM IN THE PHILIPPINES – WHAT ARE MY RIGHTS?
  20. I RECEIVE THE PROGRAM IN SINGAPORE – WHAT ARE MY RIGHTS?
  21. I RECEIVE THE PROGRAM IN SOUTH AFRICA – WHAT ARE MY RIGHTS?
  22. HOW CAN I CONTACT VITALITY WITH MY PRIVACY CONCERNS OR INQUIRIES?
  23. LINKS TO OTHER POLICIES

1. FROM WHOM OR WHERE DOES VITALITY COLLECT PERSONAL INFORMATION ABOUT ME?

  • From your Program Provider:

    As part of your eligibility for the Program, your Program Provider will provide Vitality the information necessary to verify your identity on registration and thereafter for ongoing account management purposes. If you do not want Vitality to receive this information, please contact your Program Provider – this will however make you ineligible to participate in the Program.

  • Directly from You, including from your devices:

    By engaging with the Program, information linked to you and your interactions with the Program (e.g. your physical activity, reward earning events and redemption, and/or form submission) will be collected or created by Vitality. You can also choose to allow certain devices and mobile applications, such as Google Fit, to sync data to the Program – you can modify these permissions at any time through the settings menu of the Program. We will only have access to such data where you have allowed such access.

  • From authorized third parties on behalf of you or your Program Provider:

    When you or your Program Provider grant authorization, Vitality may receive information about your participation with third-party service providers.

  • Social Media Platforms:

    If you engage with Vitality on a social media platform, Vitality may respond or contact you through the applicable social media platform.

2. WHAT PERSONAL INFORMATION DOES VITALITY COLLECT ABOUT ME?

For the purposes of this Privacy Notice, Personal Information means any information relating to an identified or identifiable natural person. 

The types of Personal Information, set out below, processed about you, will depend on the particular Program elected by your Program Provider and the activities in which you participate:

  • Your basic personal details which may include name, gender, address, date of birth, contact details and/or unique identifier.
  • Details of your social relationships which may include dependents/ spouse/ partner details.
  • Your behavioral data such as activities, hobbies and interests.
  • Your financial information such as transactions and payment details.
  • Your employment information such as employee identification number, education, reporting classifications including details of the branch at which you are employed.
  • Locational and technical information such as log data, IP address, the type of device, operating system, data that you have synched to the Program, which may include location data, if you have consented to this data synching.
  • Program engagement information which identifies or can be used to identify you.
  • Survey responses, including commentary, or feedback you give in the Program or otherwise provided to Vitality.
  • Rewards details regarding rewards you have earned and your reward redemptions.
  • Device information such as the type of device, operating system, data that you have synched, which may include health and fitness related information and location data if you have consented to this data synching, for example where you have consented to data synching from Google Fit.
  • Additional information provided by you through online form submission or by otherwise contacting Vitality.

3. DOES VITALITY PROCESS SPECIAL CATEGORIES OF PERSONAL INFORMATION?   

Vitality may receive the below Special Categories of Personal Information from your Program Provider or authorized third parties, or directly from you, depending on the particular Program you are using and the activities in which you participate:  

  • Health Data including but not limited to: information which includes your answers to questions about your health and well-being; annual biometric screening results; preventative screening proof; vaccination proof; proof of participation in a qualifying event; activity information collected from a personal device; smoking status.
  • Genetic Data.
  • Trade Union membership.

Vitality receives the above, based on the consent you provided to your Program Provider or authorized third party/ies. If you wish to revoke such consent, please contact your Program Provider or authorized third parties. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent.

In relation to Special Categories of Personal Information which you submit to Vitality on your own, Vitality will request your consent to process such information during the Program enrolment process. If you wish to revoke such consent, please refer to your rights in terms of sections 13 to 21 below, as applicable. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent.

4. WHAT IS VITALITY’S LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION?  

Vitality acts as a Processor/ Operator/ equivalent under applicable law and signs a data protection addendum (“DPA”) with the Controller/ Responsible Party/ equivalent under applicable law, which is most often a Program Provider. This DPA provides the legal basis on which Vitality may process Personal Information.

Where the jurisdiction in which you utilize the Program has data protection laws which do not differentiate between processing roles, Vitality will process your Personal Information in accordance with the DPA as a service provider.

In addition to the above, in instances where Vitality will collect Personal Information from you directly, We may rely on the legal basis of consent or the agreement you have entered into with your Program Provider.

In such instances:  

  1. Vitality will be acting in accordance with the Program Provider’s instructions which are set out in the DPA and will remain a Processor/ service provider; and where applicable; and 
  2. Where Vitality collects your consent, you will be entitled to revoke the provided consent in terms of sections 13 to 21 below, as applicable. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent. 

5. INTERNATIONAL TRANSFERS 

Vitality will process the Personal Information and Special Categories of Personal Information set out in this Privacy Notice in the United States of America, Canada, South Africa, the Philippines and other countries where Vitality has entered into the required agreements. Such Personal Information will be subject to foreign laws and may be disclosed to foreign authorities under such laws. Where the GDPR applies, Vitality and the Program Provider have entered into the Standard Contractual Clauses, issued by the European Commission, to make provision for the applicable transfer. For other jurisdictions whose laws require consent or a DPA to be in place for the cross-border transfer of Personal Information, Vitality relies on the consent you provide to your Program Provider and/or the DPA for the transfer.

6. HOW WILL VITALITY USE YOUR PERSONAL INFORMATION? 

Vitality will use the Personal Information that it collects about you to facilitate the Vitality Program. Vitality will only use your Personal Information in accordance with this Privacy Notice. For example, Personal Information collected from a mobile application or device such as Google Fit will only be used to facilitate the Vitality Program. Additional use cases may include:

6.1 To administer and manage your account 

      • Creating and maintaining your profile 
      • Generating goals, activities, and/or targets 
      • Recommending activities and engagements 
      • Awarding credits (these may be generated from device information)
      • Applying rewards earned 
      • Making Program features available to you 
      • Fulfilling purchase orders you make through the Program 
      • Tracking your progress through the Program 

6.2 To resolve any complaints or inquiries you may have 

      • Registering complaints and inquiries 
      • Managing and resolving complaints and inquiries 

6.3 For management of any debts owed to Vitality, if applicable 

      • Tracking and administration of payment installments (if any) 
      • Recovery of unpaid debts or reimbursement of damages under a contract 

6.4 To prevent, detect, and investigate fraud or security incidents 

      • Investigating suspicions of fraud 
      • Prosecuting fraud 
      • Investigating security incidents 

6.5 For company and management information purposes and internal analysis of products and services 

      • Accounting and financial records  
      • Analysis and reporting 
      • Audit requirements 
      • System security and effective operation 
      • Program quality assessments, improvements, and developments 

6.6 To report to your Program Provider for your incentive administration 

      •  Vitality may share with your Program Provider the minimum necessary information for them to administer your incentives.  

6.7 For training purposes – to improve your customer experience 

      • Assessing customer experiences 
      • Developing and improving your customer experience

6.8 To fulfill legal obligations 

      • Reporting necessary information to your Program Provider for benefit administration 
      • Complying with any applicable law, regulation, subpoena, or legal process, or responding to any governmental requests and cooperating with law enforcement, if we believe such action is required or permitted by law 
      • Enforcing our Terms and Conditions 

6.9 Creating Anonymized or Aggregated Data Sets 

      • Anonymized and aggregated data sets are not Personal Information as they cannot be linked back to an individual. Subject to any applicable laws or other restrictions, Vitality may use and disclose anonymized and/or aggregated data sets for any purpose. 

Vitality may also seek to use your Personal Information in a way not described above, such as in using a testimonial you have written on our website. Before using your Personal Information in this way, Vitality will first seek your voluntary and explicit consent. 

7. HOW IS VITALITY PROTECTING MY PERSONAL INFORMATION? 

Personal Information that you share through the Program is kept strictly confidential and fully secure. Your encrypted (encoded) Personal Information is protected using “Secure Sockets Layer (SSL)”. We follow generally accepted industry standards to protect the Personal Information we receive, both during transmission and upon receipt. Personal Information collected by the Program, for example Personal Information received from Google Fit, will be stored securely in accordance with accepted industry standards.

No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use reasonable and commercially acceptable means to protect your Personal Information, we cannot guarantee absolute security.

8. WITH WHOM WILL VITALITY SHARE MY PERSONAL INFORMATION? 

Your Program Provider: Vitality may share with your Program Provider the minimum necessary information for them to administer your incentives, such as for the calculation of health plan premium discounts, health club dues subsidies, applicable taxation, reward redemption, or other arrangements for which such information is relevant. 

Your Program Provider’s authorized Third-Party Wellness Service Providers: Your Program Provider may make additional incentives available to you that are provided by Third-Party Wellness Service Providers. In order to administer this benefit, your Program Provider may authorize Vitality to share your information to the extent necessary for the above third-party service provider to make its offering available to you. 

Service Providers to Vitality: There are instances when Vitality may disclose your Personal Information, such as Personal Information collected from Google Fit, to our agents, third-party partners, affiliates and subsidiaries to enable them to perform functions on our behalf. These service providers are only permitted to share, store and/or use Personal Information for contracted business purposes and have been approved by your Program Provider. Additionally, We may share your Personal Information when We believe that such action is necessary to:

  • Fulfill an enforceable government request; 
  • Conform with the requirements of the law or legal process; 
  • Protect or defend Our legal rights or property, our Program, or other users; or 
  • Protect your health and safety or the health and safety of this Program’s users or the general public. 

With your express authorization and consent, We may share your Personal Information for a specific purpose not provided above. Agreeing to the terms and conditions and this Privacy Notice is not your express authorization for such additional uses. When appropriate, while you are logged into the Program, you will be presented with a specific electronic authorization form on which you may or may not provide your consent. You may revoke such authorization at any time in terms of sections 13 to 21 below, as applicable.

9. DOES THE PROGRAM CONTAIN LINKS TO THIRD-PARTY WEBSITES OR APPS? 

The Program may contain links to other websites or mobile applications that are not owned or controlled by Us. If you choose to submit Personal Information while visiting these websites or using these mobile applications, please be aware your rights will be governed by the third parties’ privacy policies. We strongly encourage you to carefully read the privacy policies of any website or mobile application you visit or use. Vitality will indicate that you are leaving the Program with a pop-up or using the below external link icon:

  

10. HOW LONG WILL MY PERSONAL INFORMATION BE RETAINED?  

Unless otherwise specified herein, Personal Information will only be retained for as long as is required for Us to administer the Program, subject to: legislative or regulatory retention periods; requirements by the Program Provider; or as required for Our legitimate business reasons – after which any Personal Information will be anonymized, archived or destroyed.

11. HOW WILL I KNOW IF THIS PRIVACY NOTICE CHANGES? 

Vitality reserves the right to update this Privacy Notice from time to time. If We decide to change this Program’s Privacy Notice, We will post those changes to this Privacy Notice in the Program, which you should check periodically, and other places that We deem appropriate.

12. WILL VITALITY COMMUNICATE WITH ME DIRECTLY? 

We will deliver rewards updates, status updates, or other informational emails to you via the email address you provide to your Program Provider. Push notifications and triggered communication may be sent to you through the Program. You may opt out of receiving these emails and/or push notifications at any time by adjusting the settings of your account in the Program.

Certain communications are necessary and cannot be turned off; these include: transactional emails; communications from our Customer Care team in response to queries initiated by you; or other important updates like security and fraud notices or change in services.

If you send a query to an email address listed within the Program or via a contact form provided within the Program, We will share your correspondence with a Vitality associate most capable of addressing your query. We will retain your communications in order to deal with your query. Ultimately, We will either discard your communication or, in some cases, archive it. 

Email has become a standard communication tool. Unfortunately, by design, standard Internet email is not secure. For that reason, please do not use unsecured email to communicate information to us that you may consider to be confidential.

13. I RECEIVE THE PROGRAM IN AUSTRALIA – WHAT ARE MY RIGHTS?

Under the Australian Privacy Act No. 119, 1988 you have certain rights to be informed of, access and/or rectify Personal Information we have collected from you or received from your Program Provider or authorized third party, in order to provide the Program to you. If you wish to exercise the above right/s you can contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice.

14. I RECEIVE THE PROGRAM IN BRAZIL – WHAT ARE MY RIGHTS?

Under the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (LGPD) you have the following rights regarding your Personal Information collected by Vitality:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to data portability
  • The right to object or blocking
  • The right not to be subject to automated decision making

In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice.

In the first instance We ask that you notify your Program Provider and/or Us of any concerns you have about how we handle your Personal Information but if you are still unhappy you can contact the Brazilian Data Protection Authority, the details of which can be found using this link: https://www.gov.br/anpd/pt-br

Please note that the following terms used in this Privacy Notice will have the corresponding meaning as set out in the LGPD:

  • Personal Information shall mean Personal Data.

15. I RECEIVE THE PROGRAM IN CANADA – WHAT ARE MY RIGHTS?  

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have certain rights to access, update, correct and withdraw Personal Information we have collected from you or received from your Program Provider or authorized third party, in order to provide the Program to you. If you wish to exercise the above right/s you can contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice.

Please note that the following terms used in this Privacy Notice will have the corresponding meaning as set out in PIPEDA: 

  • Special Categories of Personal Information shall mean Sensitive Personal Information. 

16. I RECEIVE THE PROGRAM IN THE EU OR THE UK – WHAT ARE MY RIGHTS?

Under the General Data Protection Regulation or the UK’s Data Protection Act (collectively referred to as “GDPR”), you have the following rights regarding your Personal Information collected by Vitality:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice.

Where you submit a request directly to Vitality, We will first contact your Program Provider to inform them of the request and then work with them to complete the request.

In the first instance We ask that you notify your Program Provider and/or Us of any concerns you have about how we handle your Personal Information but if you are still unhappy you can contact your applicable Supervisory Authority, the details of which can be found using this link https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

Please note that the following terms used in this Privacy Notice will have the corresponding meaning as set out in the GDPR:

  • Personal Information shall mean Personal Data.

17. I RECEIVE THE PROGRAM IN MALAYSIA – WHAT ARE MY RIGHTS?

Under the Personal Data Protection Act, 2010 (PDPA), you have the following rights regarding your Personal Information collected by Vitality:

  • The right of access
  • The right to require a Controller to correct Personal Information
  • The right to withdraw consent to the processing of Personal Information
  • The right to prevent processing likely to cause damage or distress

In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice.

In the first instance We ask that you notify your Program Provider and/or Us of any concerns you have about how we handle your Personal Information but if you are still unhappy you can contact your Department of Personal Data Protection, the details of which can be found using this link https://www.pdp.gov.my/jpdpv2/pusat-media/penerbitan/buletin-jpdp/

Please note that the following terms used in this Privacy Notice will have the corresponding meaning as set out in the PDPA:

  • Personal Information shall mean Personal Data;
  • Controller shall mean Data User.

18. I RECEIVE THE PROGRAM IN MEXICO – WHAT ARE MY RIGHTS? 

Under the Federal Law on the Protection of Personal Data held by Private Parties (and the Regulations relating thereto), you have certain rights to access, rectification, cancellation or objection in relation to the Personal Information we have collected from you or received from your Program Provider or authorized third party, in order to provide the Program to you.

In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Responsible Party, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice. 

Where you submit a request directly to Vitality, We will first contact your Program Provider to inform them of the request and then work with them to complete the request. 

Please note that the following terms used in this Privacy Notice will have the corresponding meaning as set out in the above-mentioned Federal Law: 

  • Personal Information shall mean Personal Data; 
  • Special Categories of Personal Information shall mean Sensitive Personal Data. 

19. I RECEIVE THE PROGRAM IN THE PHILIPPINES – WHAT ARE MY RIGHTS?

Under the Data Privacy Act of 2012 and the rules relating thereto, you have the following rights regarding your Personal Information collected by Vitality:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision making

In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller/ Personal Information Controller, and they will make this request to Vitality as their Processor/ Personal Information Processor. If you would like Vitality to support you in making this request, please contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice.

Where you submit a request directly to Vitality, We will first contact your Program Provider to inform them of the request and then work with them to complete the request.

In the first instance We ask that you notify your Program Provider and/or Us of any concerns you have about how we handle your Personal Information but if you are still unhappy you can contact your National Privacy Commission, the details of which can be found using this link https://www.privacy.gov.ph/

20. I RECEIVE THE PROGRAM IN SINGAPORE – WHAT ARE MY RIGHTS?

Under the Personal Data Protection Act 2012 and the amendments and regulations relating thereto you have the following rights regarding your Personal Information collected by Vitality:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to withdraw consent

In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller/ Organization, and they will make this request to Vitality as their Processor/ Data Intermediary. If you would like Vitality to support you in making this request, please contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice.

Where you submit a request directly to Vitality, We will first contact your Program Provider to inform them of the request and then work with them to complete the request.

Please note that the following terms used in this Privacy Notice will have the corresponding meaning as set out in the Personal Data Protection Act:

  • Personal Information shall mean Personal Data.

21. I RECEIVE THE PROGRAM IN SOUTH AFRICA – WHAT ARE MY RIGHTS?

Under the Protection of Personal Information Act, 2013 (“POPIA”) you have the following rights regarding your Personal Information collected by Vitality:

  • The right to be informed
  • The right of access
  • The right to request correction
  • The right, in certain circumstances, to request the destruction and deletion
  • The right to restrict processing
  • The right to object

In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller/ Responsible Party, and they will make this request to Vitality as their Processor/ Operator. If you would like Vitality to support you in making this request, please contact Vitality directly by using the link help@vitalitygroup.com or the details set out at the end of this Privacy Notice.

Where you submit a request directly to Vitality, We will first contact your Program Provider to inform them of the request and then work with them to complete the request.

In the first instance We ask that you notify your Program Provider and/or Us of any concerns you have about how we handle your Personal Information but if you are still unhappy you can contact the Information Regulator (South Africa) at complaints.IR@justice.gov.za or inforeg@justice.gov.za

22. HOW CAN I CONTACT VITALITY WITH MY PRIVACY CONCERNS OR INQUIRIES?  

Individuals with inquiries or complaints regarding the privacy of their Personal Information at Vitality or this Privacy Notice should first contact The Vitality Group at: 

The Vitality Group, LLC 
Attn: Data Privacy Officer
200 W. Monroe St., Suite 1900
Chicago, IL 60606
US_Privacy@vitalitygroup.com 

23. LINKS TO OTHER POLICIES