Last Updated September 17, 2018
CASTLIGHT COMPANIES’ PRIVACY STATEMENT

Castlight Health, Inc. (“Castlight”), and its wholly owned subsidiary Jiff, Inc. (“Jiff”) (collectively “Castlight Companies”), value our relationship with you and we respect your privacy. We have prepared this Privacy Statement to help you better understand how we collect, use, store, process, and transfer your “Personal Information” (i.e. any data that can be used on its own or with other information to identify you), and your choices regarding collected Personal Information.

This Privacy Statement applies to https://us.castlighthealth.com (including its subpages), the Castlight mobile app (“Castlight Mobile”), https://app.jiff.com/ (including its subpages), and the Jiff - Health Benefits mobile app (“Jiff Mobile”), collectively, the “Complete Sites.” The Complete Sites include the provision of health care decision support services to users based in the United States (the “Care Guidance Service”). The Complete Sites also include the provision of wellness related services, which is available to users within the United States as well as other countries (the “Wellbeing Service”). The Care Guidance Service and the Wellbeing Service are collectively referred to as the “Complete Service.”

Please take a minute to ensure that you understand the terms of this Privacy Statement applicable to your use of the Care Guidance Service, the Wellbeing Service, or both (i.e. the Complete Service). The availability of the Care Guidance Service, the Wellbeing Service, or the Complete Service is based on your “Employer” (i.e. the specific Castlight Companies’ customer who authorized your access to the applicable service). For ease of review, Part One of this Privacy Statement is organized in sections which are specific to the Care Guidance Service, the Wellbeing Service, or both (i.e. the Complete Service). Part Two of this Privacy Statement provides information regarding our participation and certification with the Privacy Shield Framework. Part Three of this Privacy Statement describes our use of tracking technologies. Finally, Part Four of this Privacy Statement provides information on data handling activities for the Complete Sites.

By accepting the Castlight Companies’ Terms of Use (which incorporates this Privacy Statement by reference), you are accepting the practices described in this Privacy Statement. If you do not agree with or are not comfortable with this Privacy Statement, you should immediately discontinue use of the Complete Sites. If there is a conflict between the terms of this Privacy Statement and the Terms of Use, this Privacy Statement will prevail.

If you have questions or concerns regarding this Privacy Statement, contact us at Castlight Health, Inc., 150 Spear Street, Suite 400, San Francisco, CA 94105, Attn: Chief Privacy Officer/Data Protection Officer. For questions or concerns regarding the Care Guidance Service, the Wellbeing Service or both (e.g. the Complete Service), please contact us by email at support@castlighthealth.com.

PART ONE – OUR SERVICES

I. PERSONAL INFORMATION WE COLLECT

1. Complete Service

i.

Information Requests: When you request more information about the Complete Service prior to registering, you will be required to provide Personal Information (such as your name and email address) so we can connect with you to provide information you seek.

ii.

Communications: The Castlight Companies record and maintain certain communications (for example, emails and other communications with us). We consider these communications to be personal and private, and unless you explicitly agree to additional use and disclosure of such communications, we will not use or disclose these communications except as provided for in this Privacy Statement.

iii.

When Information Is Collected (Complete Service and PSPs): You may be asked to provide Personal Information: (a) when you use the Complete Services; or (b) when you use products or services offered by our platform partners (“Platform Service Providers” or “PSPs”, collectively the “PSP Services”). Please note that for certain PSP Services, certain information (for example demographic and general health and financial information, such as height, weight, gender, zip code) is required as part of your registration process. Each PSP (as chosen by your Employer) has its own privacy policy and/or terms of use that will govern your use of that PSP's products or services. Your Personal Information may also be provided to us and PSPs by you or your Employer. For clarity, the Complete Services integrate PSP Services. However, PSP Services are provided by third parties and are not part of the Complete Services offered by the Castlight Companies.

iv.

Information You Authorize PSPs to Provide: By linking certain PSP Service accounts through the Complete Service, the Complete Service will have access to data collected through such PSPs. Please note that for PSP Services, the Complete Service will continue to receive your data unless you contact such PSPs and request that they stop sharing your data.

v.

Information Collected and Shared by and Between Us and PSPs: The Personal Information the Castlight Companies or PSPs may collect and share with each other (as part of our agreement with your Employer to provide PSP Services and the Complete Service) may include:

1.

User data derived from physical activity (such as steps, standing time and active minutes), sleep, calories burned or consumed, heart rate, food activity data, nutrition data, satisfaction data, cognition, stress, survey comments, parenting advice, collaborative games, news feed comments and other data that you enter or upload.

2.

User enrollment, registration, and account creation data.

3.

Healthcare claims data and pharmacy claims data from third-parties such as your health plan, as requested or provided indirectly by your Employer.

4.

Activity completion status (for example, “Started,” “In Progress,” or “Completed”).

5.

Data concerning health status such as Health Risk Assessments (HRA), lab data, risk scores and user responses to questions in HRA with action steps for scheduling and completion of survey(s) and biometric screenings.

6.

Biometric data such as BMI (body mass index), blood pressure, cholesterol, and related health screenings with action steps for scheduling and completion of tests towards incentives for achieving set thresholds or improving set thresholds, and other health status programs.

7.

Managed health programs related data such as: (i) disease and care management for chronic conditions such as diabetes, participation in program(s), action steps indicating completion of tasks towards incentives for achieving set thresholds or improving set thresholds; (ii) Employee Assistance Programs (EAP), including enrollment, participation and action steps towards incentives for completion of task(s); (iii) medication management; prescription and nonprescription medications used, dosage, frequency action steps towards incentives for completion of task(s); and (iv) other managed health programs.

8.

Access to care related data such as: (i) virtual care services such as second opinion and telemedicine including registration/enrollment, health profile, service utilization and action steps towards incentives for completion of task(s); (ii) in-person care such as retail clinics, medical and dental care providers including scheduled visit(s), primary diagnosis, ordered lab tests, biometric results and action steps towards incentives for completion of task(s), provider search and scheduling, user search terms, search results, scheduled appointments and action steps towards incentives for completion of task(s); (iii) medical and dental insurers including available plan options, plan membership, medical and dental claims, triggers for recommended services based on processed claims; and (iv) other access care programs.

9.

Health maintenance and wellness related data such as: (i) weight management including weight tracking, participation in programs and action steps indicating completion of tasks towards incentives for achieving set thresholds or improving set thresholds; (ii) pregnancy/fertility including weight, exercise, and due date; (iii) stress/resilience, cognitive and emotional assessments through games and videos with action steps for scheduling and completion of tasks; (iv) nutrition management including completion data towards incentives for achieving set thresholds or improving set thresholds; (v) smoking cessation including tobacco use, nicotine replacement therapy, action steps towards incentives for completion of the task(s); (vi) physical fitness including fitness center check-ins, workout participation, and action steps towards incentives for completion of the task(s); (vii) sleep management including sleep duration, sleep quality and action steps towards incentives for completion of task(s); and (viii) other health maintenance and wellness programs.

10.

Finance and wealth management related data such as: (i) retirement services, available retirement plan options, enrollment, participation and action steps towards incentives for completion of task(s); (ii) tax-advantaged savings services (such as Health Savings Accounts, Flexible Spending Accounts) and available services, enrollment, participation, and action steps towards incentives for completion of task(s); (iii) financial wellness including available educational programs, content, participation action steps towards incentives for completion of the task(s); and (iv) other finance and wealth programs.

vi.

Information Collected from Your Employer: To enable your use of the Complete Service, you authorize your Employer to provide us with your Personal Information (for example, first and last name, email address and employee ID) so we can verify your eligibility to use the Complete Service. You also authorize your Employer to provide us with additional information as required for us to provide the Complete Service to you.

vii.

Registration: We require the collection of Personal Information as part of the registration process (for example, first and last name, email address, birth date, or employee ID). You may provide additional information, some of which may be Personal Information (for example, home phone number, and home address) to enable optimal use of the Complete Service. In many cases, you will be asked to enter this information directly. In other cases, that information may be pre-filled if we have already received such information from your Employer. If you arrive at the Complete Sites directly, the registration process requires you to choose a unique identifier (for example, username and password) for account creation. If you arrive at the Complete Sites through an Employer or Employer designated website, such website may provide a unique identifier that confirms to us that you are an authorized member from such Employer or Employer-designated website.

viii.

Device, OS Version and Computer: When you download and use any of our mobile apps, we collect information on the type of device you use, device identifiers, and operating system version. We may also collect hardware information about your computer.

ix.

Log Files. As with most websites, we collect and store in log files the Internet Protocol (“IP”) address of the computer you are using and other system characteristics (for example, the name of the domain and host from which you access the Internet, the browser software you use and your operating system, the date and time you access the Complete Service, and the Internet address of the website from which you directly linked to the Complete Sites). We may combine this automatically collected log information with other information we collect about you. We use this log file information to analyze trends, administer the Complete Service, and monitor service traffic and usage patterns for internal security purposes and to help make the Complete Service more useful.

x.

Other Information You May Share or Add: In your access and use of the Complete Service, you may share information with us (for example, search terms, answers to surveys/questionnaires, preferences) or manually add information (for example, profile information), which we may retain and/or display in your account for the Complete Service.

xi.

Location Based Information: We may also collect your location-based information (i.e. IP address, email, physical address, zip code and/or other data that may personally identify you) for the purpose of enforcing our Terms of Use and to provide the Complete Service. The Castlight Companies and your Internet Access Provider may use locator-based information as is necessary to enforce our Terms of Use.

2. Care Guidance Service

i.

Pre-Registration: You may be pre-registered for the Care Guidance Service by a health plan sponsored by your Employer, or such health plan’s third-party administrator, which may include, administrators for medical, dental, pharmacy, and behavioral health services (“TPAs”). The pre-registration process requires the collection of Personal Information about you (for example, name and email address). Your health plan may provide (or may have its TPAs provide) additional information such as a unique identifier (for example, your employee ID or social security number). This information is used to securely verify your identity to set up your account for the Care Guidance Service.

ii.

Payor Information: Castlight may request and collect financial information and relevant health plan or other payor information from you.

iii.

Health Plan Related Information: Your health plan (either directly or through its TPAs) may provide Castlight with, or Castlight may otherwise access and collect from such parties, healthcare financial information or other information about you for Castlight to provide the Care Guidance Service and only for that purpose. This may include sharing of information about you via integration between the Care Guidance Service and certain systems used by you and by your health plan (or its TPAs) containing information about you. The provision and sharing of this information is optional by your health plan (or its TPAs) and they may require you to provide them with certain consents.

3. Wellbeing Service

i.

When Information Is Collected (third-party applications and devices): You may be asked to provide information when you choose to import or export data between various third-party applications or devices (for example, fitness trackers) and the Wellbeing Service. Each third-party application or device has its own privacy policy and/or terms of use that will govern your use of that service.

ii.

Information Collected from You. The following Personal Information may be collected from you for your use of the Wellbeing Service:

1.

Financial information, including credit card information.

2.

Activity data that you enter or upload into your tracking device, webpage or mobile application such as steps activity data, sleep and food activity data.

3.

Medical or lab completion data or claims data submitted by your health plan, if authorized by you through your Employer.

4.

Data through access to your calendar, if you authorize such access.

5.

Geolocation information that is automatically transmitted based on your choice to use certain tracking devices and applications that automatically provide this information along with other activity data.

6.

Fitness tracker information you provide.

iii.

Information You Authorize Third-Parties to Provide: You may authorize third-parties to provide certain data to us, such as fitness tracker information through third-party devices, applications, or services. By linking your tracking device or tracking application through the Wellbeing Service, the Wellbeing Service will have access to Personal Information collected through such tracking device or tracking application. At any time, you can unlink your tracking device or tracking application from the Wellbeing Service by revoking access through the applicable tracking device or tracking application, which stops the flow of Personal Information from that specific tracking device to the Wellbeing Service. You can also manage the tracking devices or tracking applications linked to your Wellbeing Service user account by turning the sync setting “on” or “off”; provided, however, that your selection does not stop Personal Information from tracking devices or tracking applications from being sent to us; rather, the Wellbeing Service stops syncing such data with your account.

iv.

Information You Share About Your Contacts: You may provide information about your contacts, such as names and email addresses to share content or to invite your contacts to register for the Wellbeing Service. When you provide us with your contact’s Personal Information, we will only use the information for the specific purpose for which it was provided. If you believe that one of your contacts has provided us with your Personal Information and you would like to request that it be removed from our database, please contact us at support@castlighthealth.com.

II. HOW YOUR PERSONAL INFORMATION MAY BE USED AND DISCLOSED

1. Complete Service

i.

Surveys: Your Personal Information may be used and disclosed so that we can survey you to evaluate and improve the Complete Service. If you decide to participate, we may request Personal Information from you such as contact information (for example, name and shipping address) and demographic information (for example, age). Your participation in the survey and the provision of Personal Information is completely voluntary. We use this information to improve the Complete Service and develop new products. We may use a third-party service provider to conduct these surveys. Such third-party service providers may not use or disclose your Personal Information other than to provide such survey related services to us.

ii.

Business Partners: The Castlight Companies may work with business partners in making the Complete Service available to our users. When you sign up for the Care Guidance Service, the Wellbeing Service, or both (i.e. the Complete Service), we may share Personal Information only as necessary for our business partner to provide us related services. Such services include user support, email communications management services, and other subcontracted services for the Castlight Companies. These parties are not allowed to use your Personal Information except for the purpose of providing service to us and are obligated to protect your Personal Information.

iii.

PSPs: We may share email addresses with PSPs for the programs in which you have registered so they can send you information concerning the program pertaining to you.

iv.

Disclosures to Your Employer: To the extent permitted under applicable laws including HIPAA, we may provide necessary data to your Employer to enable your Employer to manage, administer and evaluate its health and wellness programs. Unless permitted under HIPAA, we will not disclose Protected Health Information (as defined in HIPAA) to your Employer.

v.

Other Third Parties: We may disclose your Personal Information to any other third-party with your prior affirmative consent.

vi.

Your Personal Information may also be used and disclosed to:

1.

Operate, promote, improve, administer, monitor and provide the Complete Service and PSP Services.

2.

To ensure that you have registered or completed setting up an account for the Complete Sites, that you are using the Complete Service, or that you have started or completed some set of activities or achieved a desired goal using the PSP Services or the Complete Service.

3.

Help us decide what services will meet our users’ needs.

4.

Communicate with you about support or service issues.

5.

Inform you about Complete Service features and the benefits of such features.

6.

To customize your experience in using the Complete Service.

7.

Enforce our Terms of Use.

8.

Diagnose or troubleshoot problems, administer the Complete Sites and to detect and protect against error.

9.

Comply with laws (for example, if we are required to comply with a subpoena or similar legal process).

10.

Protect your safety or the safety of others, investigate fraud, respond to a government request, or protect our rights.

11.

To help a PSP support its programs for you in the Complete Service.

12.

Facilitate a merger, acquisition, or sale of all or a portion of our assets. You will be notified by email and/or a prominent notice on the Complete Sites of any change in our current ownership, uses of your Personal Information, and choices you may have regarding your Personal Information.

13.

To direct you to programs, actions, content and events that may be pertinent and helpful to you based on relevant data, such as information you choose to share with us or benefit programs your Employer wishes to promote.

2. Care Guidance Service

i.

Facilitating and Coordinating Benefits: Your Personal Information, such as healthcare related claims data, may be used and disclosed to facilitate and coordinate your receipt of insurance benefits.

ii.

Health Plan: Any disclosures of Personal Information to your health plan will be in strict compliance with the limitations imposed on disclosures of Protected Health Information (as defined by HIPAA) to group health plans under the HIPAA Privacy Rule.

3. Wellbeing Service

i.

Sharing Options with Spouses, Domestic Partners, Family or Friends: Some programs allow you to share your Personal Information with a spouse, domestic partner, other family member or other third person that you designate, while using the PSP Services and Wellbeing Service. Additionally, you may tag your friends to follow them or allow others to follow you, add comments and notes, have conversations and otherwise share your Personal Information. Please note that comments, postings, or content posted by an individual following or mentioning you cannot be removed by you.

ii.

Third Party Orders: If you order a device, application, or service through the Wellbeing Service that is marketed or sold by a third-party, we may provide your name and contact information to such third-party to facilitate the order. Your payment information will not be shared with these third-parties. However, if you use a credit card to make a purchase through the Wellbeing Service, your credit card information will be shared with our credit card processing company. If you do not want us to share your Personal Information with these third-parties, do not order any devices, applications or service through the Wellbeing Service.

iii.

Disclosures to Third Party Administrators (TPAs): If required by your Employer and you consent, we may provide your Personal Information to TPAs who will access your Personal Information, de-identify it and create aggregated anonymous analytical data for your Employer's health and wellness programs.

iv.

Disclosure of User Profiles and Submissions: Profile information, including your name, location, and any video or image content that you upload in the Wellbeing Service may be displayed to other users to facilitate user interaction within the Wellbeing Service. You can limit the profile information that can be seen by others by: (a) only uploading certain information; or (b) adjusting your account privacy settings. Any content you upload to your public user profile, along with any Personal Information or content that you voluntarily disclose online in a manner that other users can view (on discussion boards, in messages and chat areas, etc.) becomes publicly available, and can be collected and used by others. We reserve the right in our sole discretion to remove any comments we deem inappropriate. Your user name may also be displayed to other users when you send messages or comments or upload images or videos in the Wellbeing Service, and other users can contact you through messages and comments. We do not control the policies and practices of any other third-party site or service, including any PSP site or service.

v.

Your Personal Information may also be used to:

1.

Support incentives that encourage you to use programs that can help you achieve your goals.

2.

To administer any sweepstakes or promotions, purchases, donations or other activities that you are involved in using the Wellbeing Service and the PSP Services.

III. YOUR CHOICES AND ACCESS TO PERSONAL INFORMATION

1. Complete Service

i.

No Direct Relationship: In certain situations, we have no direct relationship with individuals whose Personal Information we process. An individual who seeks to access, change, correct, or remove Personal Information should direct their inquiry to his/her Employer (the data controller). If you have any questions regarding this or to ascertain whether we hold Personal Information about you, please contact us by emailing privacy@castlighthealth.com and we will respond to requests within thirty (30) days.

ii.

Update or Correct Personal Information: You can update or correct some of your Personal Information through your account profile page in the Care Guidance Service, the Wellbeing Service, or both (i.e. the Complete Service). To the extent you need further assistance updating or correcting your Personal Information, you may request our assistance by emailing privacy@castlighthealth.com and we will respond within a reasonable time frame.

iii.

Remove Personal Information and Account Deactivation: You may request that we remove all your Personal Information, in which case your account on the Complete Sites will be deactivated. Similarly, you can ask us to deactivate your account on the Complete Sites by emailing privacy@castlighthealth.com, which will result in the deletion of all your Personal Information. We will respond to any deactivation requests within a reasonable time frame.

iv.

Mobile Device Level Settings: You may opt-out of any location based services or push notifications at any time by adjusting your device setting.

2. Care Guidance Service (for United States Based Users)

i.

Invitations: If you no longer wish to receive invitations to register for the Care Guidance Service, you may contact us at (888) 722-0483 or at privacy@castlighthealth.com and we will stop sending you invitations.

ii.

Emails: We may provide updates, tips or education, or may promote the Care Guidance Service to inform you about available benefits from your Employer. You can expect to receive up to five (5) communications per month. You can opt-out of any such communications by clicking on the “unsubscribe” link in such communication or email support@castlighthealth.com with “Unsubscribe” in the subject line.

iii.

Mobile Messaging: We may send you marketing related SMS or other text or native mobile messages (“Castlight Health Alerts”). You are not required to accept Castlight Health Alerts to use the Care Guidance Service. To opt-out of any Castlight Health Alerts, text "STOP" to 35925 or reply "STOP" to a text message received from Castlight. For additional information, text HELP to 35925. If you are not signed up for Castlight Health Alerts but would like to opt-in, text “SIGNUP” to 35925. You can expect to receive up to four (4) messages per month from Castlight. You may also call (888) 722-0483 or email support@castlighthealth.com.

1.

Message and data rates may apply from your mobile carrier. Supported carriers are: AT&T, T-Mobile® (T-Mobile® is not liable for delayed or undelivered messages), Verizon Wireless, Sprint, Boost, Cricket, MetroPCS, U.S. Cellular, Virgin Mobile, ACS Wireless, Appalachian Wireless, Bluegrass Cellular, Carolina West Wireless, Cellcom, C-Spire Wireless (formerly Cellsouth), Cellular One of East Central Illinois, Cincinnati Bell Wireless, Cross (dba Sprocket), Duet IP, Element Mobile, EpicTouch, GCI Communications, Golden State, Hawkeye (Chat Mobility), Hawkeye (NW Missouri Cellular), Illinois Valley Cellular, Immix (Keystone Wireless / PC Management), Inland Cellular, iWireless, Mobi PCS (Coral Wireless LLC), Mosaic, MTPCS / Cellular One (Cellone Nation), Nex-Tech Wireless, nTelos, Panhandle Telecommunications, Peoples Wireless, Pioneer, Plateau, Revol Wireless, Rina – Custer, Rina – All West, Rina – Cambridge Telecom Coop, Rina – Eagle Valley Comm, Rina – Farmers Mutual Telephone Co, Rina – Nucla Nutria Telephone Co, Rina – Silver Star, Rina – South Central Comm, Rina – Syringa, Rina – UBET, Rina – Manti, South Canaan / CellularOne of NEPA, Thumb Cellular, Union Wireless, United, Viaero Wireless, West Central Wireless, Leaco, Nemont/Sagebrush.

iv.

Permissions: If another individual is viewing/managing your account with your permission (for example, one spouse managing the account of another spouse), this person can view all your information entered in your Care Guidance Service account on your behalf. You can request the activation or deactivation of the authorization of an account manager at any time by notifying privacy@castlighthealth.com.

v.

Storage and Maintenance of Information: Your Personal Information will be maintained and stored in accordance with the requirements agreed to by Castlight and your health plan or its TPA even if you terminate employment with your Employer, unless you notify Castlight by contacting us at privacy@castlighthealth.com or by calling us at (888) 722-0483, that either: (i) you wish to Remove (as defined below) all or a portion of your Personal Information from Castlight’s system; or (ii) you wish to have Castlight retain all or a portion of such Personal Information. We will also retain your Personal Information for as long as your Care Guidance Service account is active or as needed to provide you services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

1.

For the purposes of this Privacy Statement, “Removed” shall mean that your data has been de-identified in accordance with the HIPAA Privacy Rule, so the data is no longer associated with any identifier of you and cannot be re-identified in accordance with the HIPAA Privacy Rule. For more information on the specific requirements that Castlight and your health plan or its TPA agreed we would follow, you may contact your health plan or its TPA or contact us at (888) 722-0483 or at privacy@castlighthealth.com.

3. Wellbeing Service (for Users Based in the United States and in Other Countries)

i.

Personal Information from the European Union (“EU”)

1.

Legal Bases for Processing Personal Information from the EU: As described in this Privacy Statement, we use your Personal Information if it is necessary to carry out our obligations arising from any contracts entered into between you and us or to take steps at your request prior to entering into a contract with you. We may process your Personal Information for specific purposes based on your prior consent. We may collect and process your Personal Information for our legitimate interests to protect our property, rights or safety of our customers or others or to offer information on our services we feel may interest you. In addition, it may be our legal obligation to use or share your Personal Information with third parties, such as public authorities or law enforcement bodies. We may also use standard contractual clauses for international transfers of EU Personal Information.

2.

Direct Marketing: If you are located in the European Economic Area (EEA), we will only contact you by electronic means (email or SMS) with information about products or services that are similar to those you previously or currently use. You can object to any direct marketing at any time and your Personal Information will no longer be processed for such purposes. Direct marketing includes any communications to you that are only based on advertising or promoting products and services. If you do not want us to use your Personal Information in this way, or to pass your Personal Information on to third parties for marketing purposes, please contact us at support@castlighthealth.com. You may not unsubscribe from non-promotional, service-related communications.

3.

Privacy Rights: Where EU data protection laws apply, you will have the rights described below. In certain situations, the Castlight Companies, as a processor, have no direct relationship with individuals whose Personal Information it processes. An individual who seeks access, or who wishes to change, correct or remove Personal Information may want to first direct such inquiries to his/her Employer. You can ask us whether we hold Personal Information about you. You can exercise your privacy rights by contacting us at support@castlighthealth.com and we will handle your request under applicable law. When you make a request, we will verify your identity to protect your privacy and security.

a.

Right to withdraw consent. To the extent we requested your consent to process your Personal Information, you have the right to withdraw your consent to the processing of your Personal Information at any time. Your withdrawal will not affect the lawfulness of our processing based on consent before your withdrawal.

b.

Right of access to and rectification of your Personal Information. You can update or correct some of your Personal Information through your account profile page in the Wellbeing Service. You may also request that we provide you with a copy of your Personal Information held by us. If you request to access or rectify any other information, we will do our best to provide it to you without undue delay, subject to some fee associated with gathering of the information, as permitted by law. We may reject part or all of your request if responding to your request could adversely affect the rights and freedoms of others. Please contact us at support@castlighthealth.com and we will respond to all reasonable inquiries.

c.

Right to erasure (i.e. “Right to be Forgotten”). We allow you to delete your account at any time. You have the right to request erasure of Personal Information that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing to which you previously consented, but later withdrew such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. Our assistance with your request for erasure is subject to limitations by relevant data protection laws.

d.

Right to data portability. If we process your Personal Information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your Personal Information in a structured, commonly used and machine-readable format, unless exercise of this right adversely affects the rights and freedoms of others.

e.

Right to restriction of or object to processing. You have the right to restrict or object to our processing of your Personal Information where one of the following applies: (a) you dispute the accuracy of Personal Information processed by the Castlight Companies (for a period enabling us to verify its accuracy); (b) the processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use instead; (c) we no longer need the Personal Information for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims; and (d) you have objected to certain processing relying on legitimate interest, pending verification of whether our legitimate grounds override your rights. In some cases, your ability to use all or portions of the Wellbeing Service may be limited by our inability to use your Personal Information. Restricted Personal Information shall only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will notify you if the restriction is lifted.

f.

Notification of erasure, rectification and restriction. We will provide notice to each recipient that we disclosed your Personal Information to regarding any rectification or erasure of Personal Information or restriction of processing, unless you initiated the disclosure, or providing notice proves impossible or involves disproportionate effort.

g.

Right to object to processing. Where the processing of your Personal Information is based on consent, contract or legitimate interests described under Legal Bases for Processing heading above, you may restrict or object, at any time, to the processing of your Personal Information as permitted by applicable law. We may continue to process your Personal Information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.

h.

Automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, except as allowed under applicable data protection laws. The Wellbeing Services do not engage in such automated processing.

i.

Right to lodge a complaint. If you believe that we violated your rights under EU data protection law, we encourage you to contact us first at privacy@castlighthealth.com so that we can try to resolve your concern. You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement.

j.

Retention of your Personal Information. Unless you make a request for us to close your account or delete certain Personal Information, we will store your Personal Information as long as your account is open. If you request to close your account, we will take steps to delete all your Personal Information, unless a longer retention period is required or permitted by law. We have established internal policies for the deletion of data from customer accounts following termination of our contractual obligations with an Employer.

4.

Privacy Rights Not Absolute: Please note that your privacy rights are not absolute. Access may be denied when:

a.

Denial of access is required or authorized by law.

b.

Granting access would have a negative impact on others' privacy.

c.

To protect our or others' rights and properties.

d.

Where the request is frivolous or burdensome.

PART TWO – PRIVACY SHIELD FRAMEWORK

The Castlight Companies participate in and have certified our compliance with the EU-U.S. and Swiss-EU Privacy Shield Framework. We are committed to subjecting all Personal Information received from European Union member countries or Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, you can visit the U.S. Department of Commerce’s Privacy Shield List.

The Castlight Companies are responsible for the processing of Personal Information received under the Privacy Shield Framework, and subsequent transfers to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of personal data from the European Union and Switzerland, including the onward transfer liability provisions. With respect to Personal Information received or transferred pursuant to the Privacy Shield Framework, the Castlight Companies are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, the Castlight Companies may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S. based third party dispute resolution provider (free of charge) here. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

PART THREE – TRACKING TECHNOLOGIES

I.

Castlight Sites. In relation to the Care Guidance Service, the Wellbeing Service, or both (e.g. the Complete Service) provided via https://us.castlighthealth.com and Castlight Mobile (collectively, “Castlight Sites”), we use technologies such as cookies, web beacons, tags, scripts and other storage technologies to collect or receive information.

1.

Cookies: Cookies are small data files that we transfer to your device to collect information about your use of the Castlight Sites. Cookies can be recognized by the website that downloaded them or other websites that use the same cookies. This helps websites know if your browsing device has visited them before. We use both first-party and third-party cookies on the Castlight Sites.

i.

First-party cookies are cookies that are placed on your device by us, while third-party cookies are set by parties other than us.

ii.

Third-party cookies are operated by third parties that can recognize your device both when it visits the Castlight Sites and when it visits other websites or mobile apps. We do not control how third-party cookies are used, and we encourage you to check the websites of any third-party cookie providers for more information about how they use cookie information.

2.

Flash Cookies: We also use “flash cookies” (also known as “Local Shared Objects” or “LSOs”) to store content and preferences related to your use of the Castlight Sites. Third parties with whom we partner to provide certain features on the Castlight Sites or to display advertising based upon your web browsing activity use LSOs such as HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.

3.

Tags: A “tag” or a “pixel” can be placed on a website or within an email for the purposes of tracking your interactions with the Castlight Sites or when emails are opened or accessed by email recipients. Pixels are often used in combination with cookies.

4.

Storage technologies such as cookies, beacons and tags are used by us and our partners (including digital advertising partners such as Facebook and Google), affiliates, or analytics or service providers (such as video hosting providers) to collect or receive information. More specifically, we use Google Analytics, including Google Analytics Advertising Features known as “Remarketing” and “Audience Demographics and Interest Reporting.” We may use these technologies for analyzing trends, providing measurement services, administering the Castlight Sites, tracking users’ movements on the Castlight Sites and elsewhere on the internet, marketing our services (including via targeted remarketing ads), and to gather demographic information about our user base. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

5.

Mobile Analytics: We use mobile analytics software to allow us to better understand the functionality of Castlight Mobile on your mobile device. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage and performance data, and where the application was downloaded from. We do not link the information we store within the analytics software to any Personal Information you submit within Castlight Mobile.

II.

Jiff Sites. In relation to the Wellbeing Service provided via https://app.jiff.com/ and Jiff Mobile (collectively, “Jiff Sites”), Jiff uses first and third party cookies or similar technologies to analyze trends, administer the Jiff Sites, track users’ movements around the Jiff Sites, and gather demographic information about our user base as a whole. The cookie allows the server to remember specific information about your visit while you are connected.

1.

First Party Cookies

i.

Session Cookies: Jiff uses session cookies to better understand how you interact with the Jiff Sites, and to monitor aggregate usage by users of such properties and web traffic routing on such properties. Session cookies are deleted from your phone, tablet or other computing device when you log off a website, close your browser, and/or close the applicable app.

ii.

Persistent Cookies: Jiff uses persistent cookies to save your registration ID and login password for future logins to the Jiff Sites. Persistent cookies remain on your phone, tablet or computing device after you log off from a website, close your browser, or close the applicable app. Cookies from Jiff web pages only collect information about your browser’s visit to the Jiff Sites.

2.

Third-party Cookies or Similar Technologies: Our third-party vendors (e.g. marketing partners), affiliates, or analytics or service providers (e.g. PSPs, online customer support providers) may use technologies such as cookies. We may receive reports based on the use of these technologies by these companies on an individual and aggregated basis.

3.

Web Beacons: Jiff may also occasionally use web beacons that allow us to collect non-personally identifiable information about your response to our email communications, and for other purposes. Because web beacons are used in conjunction with persistent cookies, if you set your browser to decline or deactivate cookies, web beacons cannot function.

4.

Mobile Analytics: We use mobile analytics software to allow us to better understand the functionality of the Jiff Mobile on your phone. We do not link the information we store within the analytics software to any Personal Information you submit within Jiff Mobile.

III.
Managing Cookies Via Browser Settings

1.

You can control the use of cookies at the individual browser level. If you reject cookies, you may not be able to use some or all portions or functionalities of the Castlight Sites or the Jiff Sites.

i.

First Party Cookies: You can enable, disable or delete cookies via your browser settings. To do this, follow the instructions provided by your browser, usually located within the “Help”, “Tools”, or “Edit” settings of your browser. Many browser manufacturers provide helpful information about cookie management, including, but not limited to: Google Chrome; Internet Explorer; Mozilla Firefox; Safari (desktop or mobile); Android Browser, and Opera.

ii.

Third Party Cookies: Any cookies that are placed on your browsing device by a third party can be managed through your browser (as described above) or by checking the third party’s website for more information about cookie management and how to “opt-out” of receiving cookies from them.

iii.

Flash Cookies: You can manage flash cookies here.

iv.

Internet-Based Advertising Cookies-Castlight Sites: You may opt-out of partners’ use of internet-based advertising cookies by exercising your choice here and here. Additionally, you can find out more about how Google uses data here. Our partners may use cookies or similar technologies to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising, click here. Please note you will continue to receive generic ads.

v.

Internet-Based Advertising Cookies-Jiff Sites: Our third-party vendors may use technologies such as cookies to gather information about your activities on the Jiff Sites. If you do not wish to have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union click on http://www.youronlinechoices.eu/). You will continue to receive generic ads.

2.

Do Not Track: Some Internet browsers (e.g. Internet Explorer, Mozilla Firefox, and Safari) include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, neither the Castlight Sites nor the Jiff Sites currently process or respond to “DNT” signals.

PART FOUR – DATA HANDLING ACTIVITIES RELATED TO THE COMPLETE SITES

I.

SECURITY

1.

The security of your Personal Information is important to us. All communication between you and our servers is encrypted. We take commercially reasonable measures to secure your Personal Information once it is on our servers. Our data centers are both physically and electronically secured. Internal access to your Personal Information is encrypted, reviewed and limited to business needs.

2.

We actively follow industry accepted standards to protect the Personal Information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet or method of electronic storage is 100% secure and we cannot guarantee its absolute security. If you have any questions about security on the Complete Sites, you can contact us at privacy@castlighthealth.com.

3.

To protect your privacy and security, never share your username or password for the Complete Sites and always log out of the Complete Sites as soon as you are finished using the service.

II.

RETENTION OF PERSONAL INFORMATION

1.

The Castlight Companies will retain your Personal Information for as long as it is needed to provide you services via the Complete Sites or based on information we receive from your Employer. We will retain and use your Personal Information only to the extent it is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We have established internal policies for the deletion of data from customer accounts following termination of our contractual obligations with an Employer.

III.

DE-IDENTIFIED AND AGGREGATED INFORMATION

1.

The Castlight Companies may make arrangements with your Employer, customers, PSPs or business partners to share certain de-identified aggregate information in order to evaluate patterns, utilization, usage and trends. We may also share such information with you or other users of the Complete Sites. This type of information may be based in part on information related to you but does not allow for the personal identification of any individual (in other words, it is “de-identified”).

2.

The Castlight Companies remove your identity from your Personal Information (contact, health and/or financial) and may work with it as anonymous (“de-identified”) information. De-identified information is presented in a form where information about an anonymous user would be indistinguishable from information relating to other anonymous users. De-identified individual information is not in a form that allows anyone studying the information to personally identify any user.

3.

Aggregate information is information that describes the habits, usage patterns and/or demographics of users as a group but does not reveal the identity of particular users. Your anonymous data is combined with the anonymous data of other Castlight Companies’ users and becomes statistics. We may use aggregate information within services we provide through the Complete Sites to understand the needs of our user community and determine what kinds of programs and services we can offer you. The Castlight Companies may use this anonymous information to give potential customers, users, or business partners a picture of the services provided via the Complete Sites. Aggregate information may be provided or sold to third parties. Absolutely no personal identifying information is included in the aggregate reports; each individual remains anonymous.

IV.

NO CHILDREN’S PERSONAL INFORMATION

1.

You must be at least eighteen (18) years of age to use the Complete Sites. We do not knowingly request or collect personal information from any person under the age of 18. If a user submitting Personal Information is suspected of being younger than 18 years of age, we will require the user to close his or her account, and we will also take steps to delete the information as soon as possible. Please notify us if you know of any individuals under the age of 18 using the Complete Sites so we can take action to prevent such access.

V.

THIRD PARTY WEBSITES

1.

If you link to another website or mobile app from the Complete Sites, you may decide to disclose information (including Personal Information) to that other website or mobile app. Please be aware that in contacting that website or mobile app, or in providing information on that website or mobile app, that third party may obtain your Personal Information. This Privacy Statement does not apply when you leave the Complete Sites and go to a third party website (such as a PSP site) or mobile app from our Complete Sites. We structure the Complete Service so no Personal Information or health information goes in the search string or URL when you move from the Complete Sites to a linked website. Please be aware when you leave the Complete Sites and read the privacy policy of each and every website and mobile app that collects your Personal Information.

VI.

CHANGES TO THIS PRIVACY STATEMENT

1.

We reserve the right to modify this Privacy Statement to reflect changes to our practices and when required by law. If we make any material adverse changes, we will notify you on the Complete Sites, by email or at the time you log in. You will be notified and be given the opportunity to opt-out for any additional uses or disclosures of your Personal Information that you made available to us prior to any such change in our Privacy Statement. The Castlight Companies may also provide “just-in-time” disclosures or additional information about the data collection, use and share practice of the Complete Sites. These may supplement or clarify our privacy practices or may provide you with additional choices about how we process your Personal Information.