PRIVACY POLICY

 

VITALITY PRIVACY NOTICE

Effective May 04, 2022

The Vitality Group, LLC (“Vitality”; “We”; “Us”; “Our”) owns and operates the websites VitalityGroup.com and PowerofVitality.com (“POV”) (“Websites”), and the mobile applications Vitality Today and Vitality One (“Applications”), which may be referred to collectively as the “Program(s).” Vitality’s Programs are made available to individuals through and on behalf of either your employer; your spouse’s employer; or another provider (“Program Provider”). This Privacy Notice applies to Personal Information (defined below) collected by or received by Vitality, whether online or offline.

By accessing or using Vitality’s Programs, you consent to the collection, receipt, use, disclosure and retention of your information as described in this Privacy Notice and accept the terms of this Privacy Notice and Our Terms of Use.

 

This Privacy Notice will address the following:

  1. What types of information does Vitality collect about me?
  2. How does Vitality use Personal Information it collects about me?
  3. How is Vitality protecting my Personal Information?
  4. Who can access my Personal Information at Vitality?
  5. Outside of Vitality, with whom would Vitality share my Personal Information?
  6. Do Vitality’s Websites or Applications contain links to third-party websites or apps?
  7. Does Vitality sell my Personal Information?
  8. What are Cookies and how does Vitality use them?
  9. How long will my Personal Information be retained?
  10. How will I know if this Privacy Notice changes?
  11. Will Vitality communicate with me directly?
  12. I am a California resident; how can I exercise my rights under California law?
  13. I reside in and receive the Vitality Program in the European Union or the United Kingdom; how can I exercise my rights under GDPR or the UK Data Protection Act?
  14. Does Vitality process Special Category Personal Data as defined by GDPR?
  15. What is Vitality’s legal basis for processing personal data covered by GDPR?
  16. International Transfers
  17. Does Vitality Comply with the EU-US Privacy Shield Framework?
  18. How can I contact Vitality with my privacy concerns or inquiries?

FROM WHOM OR WHERE DOES VITALITY COLLECT PERSONAL INFORMATION ABOUT ME?

  • From your Program Provider: As part of your eligibility for the Program, your Program Provider will provide Vitality the information necessary to verify your identity when you register for the Program and to manage your account on an ongoing basis. If you do not want Vitality to receive this information, please contact your Program Provider and ask them to stop sending Vitality any information about you. Please note that this will make you ineligible to participate in the Program.
  • Directly from You, including from your devices: By engaging with the Program, information linked to you and your interactions with the Program (e.g. your physical activity, reward earning events and redemption, and form submission) will be collected or created by Vitality. You can also choose to allow certain devices and mobile applications, such as Google Fit, to sync data to a Vitality Application you use. You can modify these permissions at any time through the settings menu of the applicable application.
  • From authorized Third-Party Service Providers on behalf of you or your Program Provider: When you or your Program Provider grant authorization, Vitality may receive information about your participation with Third-Party Service Providers. The authorization from your Program Provider is based on the service agreement, or related agreement, it has in place with Vitality.

Additionally, if you engage with Vitality on a social media platform Vitality may respond or contact you through the applicable social media platform.

 

WHAT TYPES OF INFORMATION DOES VITALITY COLLECT ABOUT ME?

For the purposes of this Privacy Notice, Vitality’s definition of Personal Information is any information relating to an identified or identifiable natural person.

The following is a list of the types of information that Vitality may collect through its Program(s). Please note that the types of information collected about you will depend on the particular Program you are using and the activities in which you participate:

  • Name
  • Gender
  • Address
  • Contact details
  • Date of birth
  • Program enrollment or Program registration date
  • Reporting classifications (e.g. at which branch location you are employed)
  • A unique ID (e.g. your employee ID or SSN)
  • Dependents / Spouse / Partner (if applicable)
  • Eligibility start and end date data (if relevant)
  • Cookies
  • Log data including IP address
  • Answers to questionnaires about your health and well-being
  • Program engagement information
  • Survey responses, commentary, or feedback you give on POV or Vitality Applications or otherwise provide to Vitality
  • Reward partner engagement if authorized
  • Devices’ information, such as the type of device, operating system, and data that you have synched, which may include health and fitness related information and location data if you have consented to this data synching (for example, where you have consented to data synching from Google Fit)
  • Details of rewards you have earned and your reward redemptions
  • Financial information such as transactions and payment details
  • Health information including biometrics and medical conditions
  • Additional information provided by you through online form submission or by otherwise contacting Vitality

HOW DOES VITALITY USE PERSONAL INFORMATION IT COLLECTS ABOUT ME?

Vitality will use the Personal Information that it collects about you, to facilitate the Vitality Program which may include the use cases specified below. Vitality will only use Personal Information in accordance with this Privacy Notice. For example, Personal Information collected from a mobile application or device such as Google Fit, will only be used to facilitate the Vitality Program.

  • To administer and manage your account
    • Creating and maintaining your profile
    • Generating goals, activities, and/or targets
    • Recommending activities and engagements
    • Applying rewards earned
    • Making Program features available to you
    • Fulfilling purchase orders you make through the Program
    • Tracking your progress through the Program
  • To resolve any complaints or inquiries you may have
    • Registering complaints and inquiries
    • Managing and resolving complaints and inquiries
  • For management of any debts owed to Vitality, if applicable
    • Tracking and administration of payment installments (if any)
    • Recovery of unpaid debts or reimbursement of damages under a contract
  • To prevent, detect, and investigate fraud or security incidents
    • Investigating suspicions of fraud
    • Prosecuting fraud
    • Investigating security incidents
  • For Vitality company and management information purposes and internal analysis of products and services
    • Accounting and financial records; analysis and reporting
    • Audit requirements
    • System security and effective operation
    • Program quality assessments, improvements, and developments
  • To report to your Program Provider for your incentive administration
    • Vitality may share with your Program Provider information for them to administer your incentives.
  • For training purposes: to improve your customer experience
    • Assessing customer experiences
    • Developing and improving your customer experience
  • To fulfill legal obligations
    • Reporting necessary information to your Program Provider for benefit administration
    • Complying with any applicable law, regulation, subpoena, or legal process, or responding to any governmental requests and cooperating with law enforcement, if we believe such action is required or permitted by law
    • Enforcing our Terms and Conditions
  • Creating De-identified or Aggregated Data Sets
    • De-identified data sets are data sets that contain member-level information, without identifiers that can be used to link the information back to a particular individual.
    • Aggregated data sets are data sets that contain only aggregated information which cannot be decompiled or reverse engineered to identify any individual whose data may be included.
    • De-identified and Aggregated Data Sets are not Personal Information; subject to any applicable laws or other restrictions, Vitality may use and disclose De-identified and Aggregated data sets for any purpose.

Vitality may also seek to use your Personal Information in a way not described above, such as in using a testimonial you have written on our website or in our marketing materials. Before using your Personal Information in this way, Vitality will first seek your voluntary and explicit consent.

 

HOW IS VITALITY PROTECTING MY PERSONAL INFORMATION?

Personal Information that you share on the website is kept strictly confidential and fully secure. Your encrypted (encoded) Personal Information is protected using “Secure Socket Layers (SSL)” as it passes between your browser and this website. We follow generally accepted industry standards to protect the Personal Information we receive, both during transmission and upon receipt. Personal Information collected by the Program, for example Personal Information received from Google Fit, will be stored securely in accordance with accepted industry standards.

No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee absolute security.

 

WHO CAN ACCESS MY PERSONAL INFORMATION AT VITALITY?

Your Personal Information is accessible by Vitality employees, including employees of Vitality affiliates, only on a need-to-know basis for the provision of services and support. Only such authorized persons are permitted to access your Personal Information. All authorized persons must abide by security, privacy, and confidentiality agreements, rules and laws.

 

OUTSIDE OF VITALITY, WITH WHOM WOULD VITALITY SHARE MY PERSONAL INFORMATION?

Your Program Provider: Vitality may share with your Program Provider (or a third party that assists and is authorized by your Program Provider) the minimum necessary information for them to administer your incentives. Vitality will share information only to the extent needed for administration of your incentives, such as calculation of health plan premium discounts, health club dues subsidies, applicable taxation, reward redemption, or other arrangements for which such information is relevant.

Your Program Provider’s authorized Third-Party Service Providers: Your Program Provider may make additional incentives available to you that are provided by Third-Party Service Providers. In order to administer this benefit, Vitality relies on the service agreement in place with your Program Provider, and/or any related agreement, to share your Personal Information with the Third-Party Service Provider to the extent necessary to make the offering available to you. Vitality has also entered into agreements with the Third-Party Service Providers.

Service Providers to Vitality: There are instances when Vitality may disclose your Personal Information, such as Personal Information collected from Google Fit, to our agents, service providers, third-party partners, affiliates and subsidiaries to enable them to perform functions or provide services on our behalf. These service providers are only permitted to share, store and/or use Personal Information for contracted business purposes.

Additionally, We may share your Personal Information when We believe that such action is necessary to:

  • Fulfill an enforceable government request;
  • Conform with the requirements of the law or legal process;
  • Protect or defend Our legal rights or property, Our Websites or Applications, or other users; or
  • Protect your health and safety or the health and safety of this website’s users or the general public.

With your express authorization and consent, We may share your Personal Information for a specific purpose not provided above. Agreeing to the terms and conditions and privacy notice is not your express authorization for such uses. When appropriate, while you are logged into POV or a Vitality Application, you will be presented with a specific electronic authorization form on which you may or may not provide your consent. You may revoke such authorization at any time by navigating to your My Accounts page within the Power of Vitality website.

 

DO VITALITY’S WEBSITES OR APPLICATIONS CONTAIN LINKS TO THIRD-PARTY WEBSITES OR APPS?

Vitality’s Power of Vitality portal and its mobile applications, Vitality Today and Vitality One, may contain links to other websites that are not owned or controlled by Us or our clients (i.e., your Program Provider). We provide these links to other websites or mobile applications for your convenience to participate. If you choose to submit Personal Information while visiting these websites or using these mobile applications, please be aware your rights will be governed by the third parties’ privacy policies. We strongly encourage you to carefully read the privacy policies of any website or mobile application you visit or use.

 

DOES VITALITY SELL MY PERSONAL INFORMATION?

No. Vitality will never sell, rent, or lease your Personal Information.

 

WHAT ARE COOKIES AND HOW DOES VITALITY USE THEM?

A cookie is a file containing an identifier that is automatically sent by Us to your browser or mobile device and is stored by the browser or mobile device. The identifier is then sent back to the server each time the browser or device requests a page from the server. This information might be about you, your preferences or your device and is mostly used to make the Website or Application work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized experience.

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

Vitality uses different categories of cookies for certain purposes:

  • Strictly Necessary: These cookies are necessary for the Website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling out forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not work. These cookies do not store any personally identifiable information.
  • Performance: These cookies allow Us to count visits and traffic sources so We can measure and improve the performance of Our site. They help us to know which pages are the most and least popular and see how users move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, We will not know when you have visited Our Website and will not be able to monitor its performance.
  • Functional: These cookies enable the Website to provide enhanced functionality and personalization. If you do not allow these cookies, then some or all of these services may not function properly.
  • Cookies used by our third-party service providers: We use Google Analytics to analyze the use of Our Website. The information gathered relating to Our Website is used to create reports about the use of Our Websites. Additionally, We use MaxMind to assist in determining from where Our Program is being accessed.

You can find more information about the cookies Vitality uses by reading our Cookie Notice, or about cookies in general, including how to disable certain cookies, by visiting www.allaboutcookies.org. If you use different computers or devices to access the Websites, you will need to ensure that each browser is adjusted to suit your cookie preferences. If you restrict Our Websites and Applications from setting cookies, you may worsen your overall user experience and/or lose the ability to access the Programs. Doing so may also stop you from saving customized settings.

 

HOW LONG WILL MY PERSONAL INFORMATION BE RETAINED?

Unless otherwise specified herein, Personal Information will only be retained for as long as is required for Us to administer the Program, subject to: legislative or regulatory retention periods; requirements by the Program Provider; or as required for Our legitimate business reasons – after which any Personal Information will be anonymized, archived or destroyed.

 

HOW WILL I KNOW IF THIS PRIVACY NOTICE CHANGES?

Vitality reserves the right to update this Privacy Notice from time to time. If We decide to change this website’s privacy policies, We will post those changes to this Privacy Notice, the homepage, and other places that We deem appropriate so that you are aware of what information is being collected, how the information is being used, and under what circumstances, if any, the information may be disclosed. You should therefore refer to this Privacy Notice each time you make use of the Program.

 

WILL VITALITY COMMUNICATE WITH ME DIRECTLY?

As a Vitality member, We aim to provide you with a fully invested experience and dedication to your wellness journey. Depending on your particular Program, We will deliver marketing, status updates, or other informational emails to you via the email address you provide on your My Account page. If you choose, you may opt out of receiving these emails at any time by adjusting the settings on your account on POV or the Application you use. If you use a Vitality Application, push notifications and triggered communication may be sent to you through the App. These notifications can be turned off at any time by adjusting the application’s settings on your device.

Certain communications are necessary and cannot be turned off; these include: transactional emails, such as order confirmations, emails relating to payment processing activities, and reward redemptions; communications from our Customer Care team in response to contacts initiated by you; or other important updates like security and fraud notices or change in services.

If you send questions or comments to an email address listed within a Program or via a contact form provided within a Program, We will share your correspondence with a Vitality associate most capable of addressing your questions and concerns. We will retain your communications until we have done our very best to provide you with a complete and satisfactory response. Ultimately, We will either discard your communication or, in some cases, archive it. We will not keep your email address for secondary purposes. All information and correspondence you share with us will be handled in the strictest confidence.

We may agree that email has become a standard communication tool used by many different parties. Unfortunately, by design standard Internet email is not secure. For that reason, please do not use unsecured email to communicate information to us that you may consider to be confidential.

 

I AM A CALIFORNIA RESIDENT, HOW CAN I EXERCISE MY RIGHTS UNDER CALIFORNIA LAW?

Under California Civil Code Section 1798.83 California residents have the right to request from companies conducting business in California a list of all third parties to which the company has disclosed certain personally identifiable information as defined under California law during the preceding year for third party direct marketing purposes. You are limited to one request per calendar year. Note that Vitality does not disclose any Personal Information to third parties for their direct marketing purposes.

Under the California Consumer Privacy Act (“CCPA”), if you are a California Consumer, or an authorized representative of a California Consumer as defined by the CCPA, you have the following rights regarding your Personal Information collected during the 12 months before your request:

  • The right to request disclosure of the categories of Personal Information collected about you;
  • The right to request deletion of Personal Information collected about you;
  • The right to request disclosure of the categories of sources from which your Personal Information is collected;
  • The right to request disclosure of the business or commercial purpose for collecting or selling your Personal Information. Note that We do not sell Personal Information We collect about you; however third-party cookies are used as described above. If you do not wish to permit such cookies, please visit http://optout.aboutads.info/
  • The right to request the categories of third parties with whom the business shares your Personal Information;
  • The right to request a copy of the specific Personal Information collected about you; and/or
  • The right not to be discriminated against because you have exercised any of these rights.

In order to exercise rights enumerated above, please contact Vitality in one of the following ways depending on the Vitality Program you use.

  • If you use the Power of Vitality Website or the Vitality Today Application, please contact Vitality through our Contact Us page.
  • If you use the Vitality One Application, please submit a request through the Application’s Contact Us feature located in the Support menu.
  • If you are not a current Vitality member or one of the above options does not work for you, please contact Vitality through the following link: https://www.vitalitygroup.com/contact-us/.
  • Alternatively, you may submit your request by calling Us at 877.224.7117.

Once a request is submitted, Vitality may first contact your Program Provider to inform them of the request and then work with them to complete the request.

 

I RECEIVE THE VITALITY PROGRAM IN THE EUROPEAN UNION OR THE UNITED KINGDOM, HOW CAN I EXERCISE MY RIGHTS UNDER GDPR OR THE DATA PROTECTION ACT?

Your Program Provider will indicate to Vitality whether a member has rights under the General Data Protection Regulation or the UK’s Data Protection Act (collectively referred to as “GDPR”). If you believe that you are entitled to the rights of GDPR, please contact your Program Provider to ensure that they have made this indication to Vitality.

Under the GDPR, you have the following rights regarding your Personal Information collected by Vitality:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality through our Contact Us page.

If you are not a current Vitality member or one of the above options does not work for you, please contact Vitality through the following link: https://www.vitalitygroup.com/contact-us/.

Alternatively, you may submit your request by calling Us at +1.877.224.7117.

Once a request is submitted, Vitality will first contact your Program Provider to inform them of the request and then work with them to complete the request.

In the first instance We ask that you notify your Program Provider and/or Us of any concerns you have about how we handle your Personal Information but if you are still unhappy you can contact your applicable Supervisory Authority, the details of which can be found using this link https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

 

DOES VITALITY PROCESS SPECIAL CATEGORY PERSONAL DATA AS DEFINED BY GDPR?

Vitality may receive the below Special Categories of Personal Data from your Program Provider, authorized third parties on behalf of you or your Program Provider, or directly from you, depending on the particular Program you are using and the activities in which you participate:

  • Health Data including but not limited to: information which includes your answers to questions about your health and well-being; annual biometric screening results; preventative screening proof; vaccination proof; proof of participation in a qualifying event; activity information collected from a personal device; smoking status.

Vitality receives the above, based on the consent you provided to your Program Provider or authorized third party/ies. If you wish to revoke such consent, please contact your Program Provider or authorized third parties. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent.

If you submit this information to Vitality on your own, Vitality may request your consent prior to your submission of such information. If you wish to revoke such consent, please refer to your rights in terms of section 14 above. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent.

 

WHAT IS VITALITY’S LEGAL BASIS FOR PROCESSING PERSONAL DATA COVERED BY GDPR?

Vitality acts as a Processor of Personal Data and signs a data protection addendum (“DPA”) with the Controller, that is most often the Program Provider that makes the Vitality Program available to those members for which GDPR applies. This DPA provides the legal basis for which Vitality may process Personal Data covered by GDPR.

In addition to the above, in instances where Vitality collects Personal Information from you directly We may rely on the legal basis of consent or the agreement you have entered into with your Program Provider or the DPA. In such instances: (i) Vitality will be acting in accordance with the Program Provider’s instructions which are set out in the DPA and will remain a Processor; and where applicable (ii) Vitality will collect your consent and you will be entitled to revoke the provided consent in terms of your rights set out above under section 14, as applicable. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent.

 

INTERNATIONAL TRANSFERS

Vitality will process the Personal Information and Special Categories of Personal Data set out in this Privacy Notice in the United States of America and other countries where Vitality has entered into the required agreements. Such information will be subject to foreign laws and may be disclosed to foreign authorities under such law. Where the GDPR applies, Vitality and the Program Provider have entered into the Standard Contractual Clauses, issued by the European Commission, to make provision for the applicable transfer. In terms of other jurisdictions whose laws require consent or a DPA to be in place for the cross border transfer of Personal Information, Vitality relies on the consent you provide to your Program Provider and/or the DPA for the transfer.

 

DOES VITALITY COMPLY WITH THE EU-US PRIVACY SHIELD FRAMEWORK?

Yes. Vitality complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Information from European Union member countries. The Vitality Group, LLC, including and on behalf of its affiliate Vitality Group International, Inc., have certified adherence to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. In the event that Vitality makes an Onward Transfer of any information received under the Privacy Shield, it will maintain responsibility for the processing of personal information. If there is any conflict between the policies in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

Vitality acknowledges the Federal Trade Commission’s authority over Our compliance with the Privacy Shield. In compliance with the EU-US Privacy Shield Principles, The Vitality Group commits to resolve complaints about your privacy and Our collection or use of your Personal Information. European Union individuals with inquiries or complaints regarding this Privacy Notice should first contact The Vitality Group at:

The Vitality Group, LLC

Attn: Data Privacy Officer

200 W. Monroe St., Suite 1900

Chicago, IL 60606

US_Privacy@vitalitygroup.com

+1.877.224.7117

 

The Vitality Group has elected the EU Data Protection Authorities (DPAs) as its independent recourse mechanism available to ensure users that Vitality is consistently in compliance with the Privacy Shield Privacy Principles. Users may contact the appropriate DPA by visiting http://ec.europa.eu/jusice/dataprotection/bodies/index_en.htm.

Under limited circumstances, an arbitration option is available to an individual to determine, for residual claims, whether The Vitality Group has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied.

 

HOW CAN I CONTACT VITALITY WITH MY PRIVACY CONCERNS OR INQUIRIES?

Individuals with inquiries or complaints regarding the privacy of their Personal Information at Vitality or this Privacy Notice should first contact The Vitality Group at:

The Vitality Group, LLC

Attn: Data Privacy Officer

200 W. Monroe St., Suite 1900

Chicago, IL 60606

US_Privacy@vitalitygroup.com