Effective November 10, 2021
1. Information Collection and Use
- Information Requests (Business to Business). If you wish to request more information about Castlight’s business, you are required to provide contact information such as your name and email address. This information will only be used by Castlight to contact you about our services.
- Log Files. As with of most websites, Castlight automatically collects and stores in log files the Internet Protocol (IP) address of the computer you are using; the name of the domain and host from which you access the Internet; the browser software you use and your operating system; the date and time you access the service; and the Internet address of the website from which you directly linked to Castlight. We may combine this automatically collected log information with other information we collect about you. Castlight uses this log file information to analyze trends, monitor service traffic and usage patterns for internal marketing and security purposes, and to help make the Castlight Health Corporate Websites more useful.
- Information from Third Parties. We may receive information about you from third parties. For example, we may supplement the information we collect with outside records or third parties may provide information in connection with a business relationship. If others give us your information, we will only use that information for the specific reason for which it was provided to us.
- Information from Your Contacts. We may also collect from you information about your contacts. Your disclosure of such information is completely voluntary. When you provide us with information about your contacts, we will only use this information for the specific reason for which it was provided.
- Survey you to evaluate and improve the Castlight service. If you choose to participate, we will request certain personal information from you. Participation in these surveys is completely voluntary. The requested information typically includes contact information (such as name and business address). We use this information to improve the service accuracy and develop new products. We may use a third party service provider to conduct these surveys or fulfill any prizes associated with campaigns. Unless we give you prior notice and choice, we will not share the personal information you provide through a contest or survey with other third parties for a reason unrelated to the contest or survey.
- Locator information, which may include your name, email address, physical address, and/or other data that enables someone to personally identify you. Castlight and your Internet Access Provider may use locator information as is necessary to enforce any of the terms of the Castlight Terms of Service.
- Provide access to gated areas of the Castlight Health Corporate Websites such as for webinars.
- Operate the Castlight Health Corporate Websites.
- Provide information as required by law.
- Update you on Castlight’s services and its benefits.
- Communicate with you.
2. Disclosure of Information
- We may disclose your personal information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request, subpoena or similar legal process and if Castlight is involved in a merger, acquisition, or sale of all or a portion of its assets. You will be notified via email and/or a prominent notice on the Castlight Health Corporate Websites of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
- Service Providers. We may provide your personal information to companies that provide services to help us with our business activities (e.g. marketing). We may also provide personal information you choose to share with us on our recruiting webpage with third parties who provide recruiting related services to us. These companies are authorized to use your personal information only as necessary to provide these services to us.
3. Opting Out or Opting In to Specific Uses of Information
- If your personal information changes or if you no longer desire information regarding our service, you may correct, update, amend, or ask to have the information removed by emailing [email protected] or by postal mail at Castlight Health, Inc., 50 California Street, Suite 1800 San Francisco, CA 94111, Attn: Chief Privacy Officer. We will respond to your request within forty-five (45) days.
- In certain situations, Castlight has no direct relationship with the individuals whose personal information it processes (e.g. if someone submits your name and email address to refer you for a job posting). An individual who seeks access, or who seeks to correct, update, amend, or delete inaccurate data should direct her query to Castlight. We will respond to requests within forty-five (45) days.
- Updates and Castlight Service Marketing. Castlight may provide service updates, tips or education, or may promote the Castlight service to you as a prospective customer. You will be able to opt-out of any such email communications at any time. To opt-out of Castlight emails, please click the “unsubscribe” link at the bottom of any email or send an email with the subject line “Unsubscribe” to [email protected].
- Text Messages. To opt-out of any text messages from Castlight via the text to down the Castlight mobile app on https://my.castlighthealth.com/, please reply with “unsubscribe” in your message.
4. Storage and Maintenance of Information
Castlight will retain your information as needed to provide you services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure and we cannot guarantee its absolute security. If you have any questions about security on the Castlight Health Corporate Websites, you can contact us at [email protected].
6. Tracking Technologies
In relation to the Castlight Health Corporate Websites, we may use technologies such as cookies, web beacons, tags, scripts and other storage technologies to collect or receive information. These technologies help us save your preferences, understand how you navigate through the Castlight Health Corporate Websites and improve your experience.
Other Tracking Technologies. We may also use tracking technologies to collect “clickstream” data, such as the domain name of the service providing you with Internet access, your device type, IP address used to connect your computer to the Internet, your browser type and version, operating system and platform, the average time spent on the Castlight Health Corporate Websites, webpages viewed, content searched for, access times and other relevant statistics, and assign unique identifiers to the device or other credentials you use to access the Castlight Health Corporate Websites for the same purposes.
Pages of the Castlight Health Corporate Websites and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
Pages of the Castlight Health Corporate Websites may also use Java scripts, which are code snippets embedded in various parts of websites and applications that facilitate a variety of operations including accelerating the refresh speed of certain functionality or monitoring usage of various online components; entity tags, which are HTTP code mechanisms that allow portions of websites to be stored or “cached” within your browser to accelerate website performance; and HTML5 local storage, which allows data from websites to be stored or “cached” within your browser to store and retrieve data in HTML5 pages when the website is revisited.
First Party Cookies: You can enable, disable or delete cookies via your browser settings. To do this, follow the instructions provided by your browser, usually located within the “Help”, “Tools”, or “Edit” settings of your browser. Many browser manufacturers provide helpful information about cookie management, including, but not limited to: Google Chrome; Internet Explorer; Mozilla Firefox; Safari (desktop or mobile); Android Browser, and Opera.
Third Party Cookies: Any cookies that are placed on your browsing device by a third party can be managed through your browser (as described above) or by checking the third party’s website for more information about cookie management and how to “opt-out” of receiving cookies from them. Also, most web browsers provide help pages relating to setting cookie preferences. More information may be found for the following browsers here:
Do Not Track: Some Internet browsers (e.g. Internet Explorer, Mozilla Firefox, and Safari) include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, the Castlight Health Corporate Websites currently do not process or respond to “DNT” signals.
Location Information: You may be able to adjust the settings of your device so that information about your physical location is not sent to us or third-parties by: (a) disabling location services within the device settings; or (b) denying certain websites or mobile applications permission to access location information by changing the relevant preferences and permissions in your mobile device or browser settings. Please note that your location may be derived from your WiFi, Bluetooth, and other device settings. Please see your device settings for more information.
8. Notice to California Residents
This Section 8 applies only to California residents and contains the information that the Californian Consumer Privacy Act of 2018 (“CCPA“) requires us disclose. Any terms defined in the CCPA have the same meaning when used in this Section 8. For purposes of this Section 8 only, “Personal Information” has the meaning given in the CCPA, but excludes information exempted from the scope of the CCPA.
This Section 8 describes Castlight’s collection, use and sharing practices in relation to Personal Information of California residents during the twelve (12) months preceding the effective date of this notice, and informs California residents of their rights with respect to that Personal Information.
Below is a summary of the “Personal Information” categories, as identified and defined by the CCPA (see California Civil Code section 1798.140 (o)), that Castlight collects, the reason Castlight collects your Personal Information, where Castlight obtains your Personal Information, and the parties with whom Castlight may share your Personal Information.
Information We Collect
The Castlight Companies collect the following categories of Personal Information about you when you visit or use the Castlight Health Corporate Websites:
- Identifiers such as a name, contact information, and online identifiers, such as device IP address and identification numbers associated with your devices;
- Commercial information such as name, contact information, title, the types of Castlight services an prospective (business) customer is interested in purchasing and communications with prospective (business) customers;
- Internet or other electronic information regarding your browsing history, search history, the webpage visited before you came to the Castlight Health Corporate Websites, length of visit and number of page views, click-stream data, locale preferences, your mobile carrier, date and time stamps associated with transactions, and system configuration information; and
- Your geolocation, to the extent you have configured your device to permit us to collect such information.
We generally do not collect financial information, inferences, protected classifications, education-related information, physical description, biometric information, sensory information or medical information.
Sources of, Use of, and Sharing of Personal Information
We describe the sources from which we collect this information and the business and commercial purposes for which we collect this information in the section above entitled Information Collection and Use. The CCPA defines a “business purpose” as the use of Personal Information for the business’s operational purposes, or other notified purposes, provided the use of Personal Information is reasonably necessary and proportionate to achieve the operational purpose for which the Personal Information was collected or another operational purpose that is compatible with the context in which the Personal Information was collected.
For information about the categories of third parties with whom we may share your Personal Information please see the section above entitled “Disclosure of Information.”
Your Rights and Choices
- As a California resident, you have rights in relation to your Personal Information; however, your rights are subject to certain exceptions. For instance, we cannot disclose specific pieces of Personal Information if the disclosure would create a substantial, articulable, and unreasonable risk to the security of the Personal Information, your account with us or the security of our network systems.
- You may exercise your California privacy rights to know, access and deletion by emailing [email protected]. Please note that we will need to confirm your identity and California residency to process your requests to exercise your rights to know, access or delete your Personal Information. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it.
- Right Against Discrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions. We will not discriminate against you for exercising your right to know, access, deletion or to opt-out of sales.
- Right to Know. You have the right to request the following information about how we have collected and used your Personal Information during the past twelve (12) months:
- The categories of Personal Information that we have collected.
- The categories of sources from which we collected Personal Information.
- The business or commercial purpose for collecting and/or selling Personal Information.
- The categories of third parties with whom we share Personal Information.
- Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of third party recipient.
- Whether we have sold your Personal Information, and if so, the categories of Personal Information received by each category of third party recipient.
- Right to Access. You have the right to request a copy of the specific Personal Information we collected about you during the twelve (12) months before your request.
- Right to Deletion. You have the right to request a copy of the specific Personal Information we collected about you during the twelve (12) months before your request.
- Right to Opt-Out of Sales. You have the right to opt-out of having your Personal Information sold. In the last twelve (12) months, we shared certain identifiers to our advertising partners for retargeting relevant advertisements. Under the CCPA, such sharing may be considered a “sale” of Personal Information. As of the effective date of this Policy, we no longer share certain identifiers with our advertising partners for retargeting advertisements, and we do not sell your Personal Information.
In addition, California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of Personal Information to third-parties for their direct marketing purposes. To make such a request, you can contact us by emailing [email protected], or by postal mail at Castlight Health, Inc., 50 California Street, Suite 1800 San Francisco, CA 94111, Attn: Chief Privacy Officer.
For more information on our policies for California residents, click here.
9. Notice to Individuals in the EEA, the United Kingdom and Switzerland
This section 9 only applies to individuals who are in the European Economic Area, United Kingdom or Switzerland (collectively, the “EEA”) at the time of data collection. We are a data controller with regard to any Personal Data (as defined under the EU’s General Data Protection Regulation) collected from visitors of our Site.
Direct Marketing. We will only contact individuals located in the EEA by electronic means (including email or SMS) based on our legitimate interests, as permitted by applicable law, or the individual’s consent. If you do not want us to use your Personal Data in this way please click an unsubscribe link in your emails from the Castlight, or contact us at [email protected]. You can object to direct marketing at any time and free of charge.
Legal Bases for Processing. We use your Personal Data if it is necessary to carry out our obligations arising from any contracts entered into between you and us or to take steps at your request prior to entering into a contract with you. We may process your Personal Data for specific purposes based on your prior consent. We may collect and process your Personal Data for our legitimate interests to protect our property, rights or safety of our customers or others or to offer information on our services we feel may interest you. In addition, it may be our legal obligation to use or share your Personal Data with third parties, such as public authorities or law enforcement bodies.
Additional Rights. You can exercise your privacy rights described below by contacting us at [email protected] and we will handle your request under applicable law. Please note that your privacy rights are not absolute, and we may be unable to permit you to exercise your rights in certain circumstances, including (a) denial of access is required or authorized by law, or otherwise not required; (b) granting access would have a negative impact on another data subject’s privacy; (c) we must protect our or others’ rights and properties; and (d) where the request is frivolous, unreasonably repetitive, systematic, require disproportionate technical effort (for instance, requests concerning information residing on backup tapes), or extremely impractical. When you make a request, we will verify your identity to protect your privacy.
- Right to withdraw consent. To the extent we requested your consent to process your Personal Data, you have the right to withdraw your consent.
- Right of access to and rectification. You may request that we provide you with a copy of your Personal Data held by us.
- Right to erasure (i.e. “Right to be Forgotten”). You have the right to request erasure of Personal Data that we hold on you subject to limitations by relevant data protection laws.
- Right to data portability. You may request to receive your Personal Data in a structured, commonly used and machine-readable format, unless exercise of this right adversely affects the rights and freedoms of others or is not possible.
- Right to restriction of or object to processing. You have the right to restrict or object to our processing of your Personal Data under certain circumstances.
- Automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, except as allowed under applicable data protection laws. We do not engage in such automated processing.
If you believe that we have infringed your rights, we encourage you to first contact us at [email protected] so that we can try to resolve the issue or dispute informally. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, you have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement.
EEA Data Transfers. We rely primarily on Standard Contractual Clauses approved by the European Commission to facilitate the international transfer of Personal Data collected in the EEA and any onward transfer of such information to the extent the business receiving the Personal Data is located in a country that the EU considers to not provide an adequate level of data protection. We may also rely on an adequacy decision of the European Commission confirming an adequate level of data protection in the jurisdiction of the party receiving the information.
Castlight is responsible for the processing of Personal Data received under the Privacy Shield Framework, and subsequent transfers to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of Personal Data from the European Union and Switzerland, including the onward transfer liability provisions. In the case of onward transfers to these third parties, Castlight may be liable for breaches of Personal Data regarding such transfers; however, all third-party agents and processors used by Castlight will be similarly held to provide at minimum the same level of protection of Personal Data as required by the Privacy Shield Framework.
With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, Castlight is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Castlight may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
10. Contact Us