CALIFORNIA PRIVACY POLICY

Effective January 1, 2020

This California Privacy Policy (“Policy“) applies only to California residents, and supplements the Castlight Companies’ Privacy Statement. This Policy contains the information that the Californian Consumer Privacy Act of 2018 (“CCPA“) requires us disclose. Any terms defined in the CCPA have the same meaning when used in this Policy. For purposes of this Policy only, “Personal Information” has the meaning given in the CCPA, but excludes information exempted from the scope of the CCPA.

This Policy describes the Castlight Companies’ collection, use and sharing practices in relation to Personal Information of California residents during the twelve (12) months preceding the effective date of this policy, and informs California residents of their rights with respect to that Personal Information.

Below is a summary of the “Personal Information” categories, as identified and defined by the CCPA (see California Civil Code section 1798.140 (o)), that the Castlight Companies collect, the reason the Castlight Companies collect your Personal Information, where Castlight Companies obtain your Personal Information, and the parties with whom Castlight Companies may share your Personal Information.

Information We Collect

The Castlight Companies collect the following categories of Personal Information about you when you visit or use the Complete Sites:

  • Identifiers such as a name, contact information, and online identifiers, such as device IP address and identification numbers associated with your devices.
  • Internet or other electronic information regarding your browsing history, search history, the webpage visited before you came to the Complete Sites, length of visit and number of page views, click-stream data, locale preferences, your mobile carrier, date and time stamps associated with transactions, and system configuration information.
  • Your geolocation, to the extent you have configured your device to permit us to collect such information.
  • Protected classifications, such as gender (for purposes of confirming your identity for inbound SSOs to the extent such information is not exempted from the scope of CCPA).
  • Inferences about your preferences, characteristics, behavior and attitudes.

We generally do not collect commercial information, financial information, professional or employment related information, or education-related information.

Sources of, Use of and Sharing of Personal Information

We describe the sources from which we collect this information in the section entitled Personal Information We Collect, and the business and commercial purposes for which we collect this information in the section entitled How Your Personal Information May be Used and Disclosed in our Privacy Statement. The CCPA defines a “business purpose” as the use of Personal Information for the business’s operational purposes, or other notified purposes, provided the use of Personal Information is reasonably necessary and proportionate to achieve the operational purpose for which the Personal Information was collected or another operational purpose that is compatible with the context in which the Personal Information was collected.

For information about the categories of third parties with whom we may share your Personal Information, please see the section entitled “Disclosure of Information” in our Privacy Statement.

Your Rights and Choices

As a California resident, you have rights in relation to your Personal Information; however, your rights are subject to certain exceptions. For instance, we cannot disclose specific pieces of Personal Information if the disclosure would create a substantial, articulable, and unreasonable risk to the security of the Personal Information, your account with us or the security of our network systems.

You may exercise your California privacy rights to know, access and deletion by emailing [email protected]. Please note that we will need to confirm your identity and California residency to process your requests to exercise your rights to know, access or delete your Personal Information. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it.

  • Right Against Discrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions. We will not discriminate against you for exercising your right to know, access, deletion or to opt-out of sales.
  • Right to Know. You have the right to request the following information about how we have collected and used your Personal Information during the past twelve (12) months:
    • The categories of Personal Information that we have collected.
    • The categories of sources from which we collected Personal Information.
    • The business or commercial purpose for collecting and/or selling Personal Information.
    • The categories of third parties with whom we share Personal Information.
    • Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of third party recipient.
    • Whether we have sold your Personal Information, and if so, the categories of Personal Information received by each category of third party recipient.
  • Right to Access. You have the right to request a copy of the specific Personal Information we collected about you during the twelve (12) months before your request.
  • Right to Deletion. You can ask us to delete the Personal Information that we have collected from you.
  • Right to Opt-Out of Sales. You have the right to opt-out of having your Personal Information sold. In the last twelve (12) months, we shared certain identifiers to our advertising partners for retargeting relevant advertisements. Under the CCPA, such sharing may be considered a “sale” of Personal Information. As of the effective date of this Policy, we no longer share certain identifiers with our advertising partners for retargeting advertisements, and we do not sell your Personal Information.

In addition, California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of Personal Information to third-parties for their direct marketing purposes. To make such a request, you can contact us by emailing [email protected], or by postal mail at Castlight Health, Inc., 150 Spear Street, Suite 400, San Francisco, CA 94105, Attn: Chief Privacy Officer.