Lux Health Privacy Policy

Last Revised: February 29, 2020

Lux Health (“Lux”, “we”, or “us”) is committed to respecting the privacy of users of our Site and Service. This Privacy Policy (“Privacy Policy”) is intended to describe how Lux Health collects, uses and discloses information in order to provide you with www.myluxhealth.com, and our mobile applications (the “Site”) and Service.

The Service provides individuals accessing it with general information on health care and other general content pertaining to health and wellness topics and access to wellness professionals and facilities offering their services via the Service (the “Practitioners”). This Privacy Policy applies to anyone accessing our Site or Service (collectively, “you”), including (a) casual visitors to our Site who do not sign up for an account (“Site Visitors”) and (b) individuals who have registered to use our Site or Service (“Registered Users”). This Privacy Policy is incorporated into our Terms of Use, as applicable. Therefore, terms used in this Privacy Policy that have been previously defined will have the same meanings as provided in our Terms of Use, as applicable. As with our Terms of Use, if we make any changes to our Privacy Policy, we will post the revised Privacy Policy to the Site and update the “Last Revised” date of the Privacy Policy.

WHAT INFORMATION DO WE COLLECT?

  1. As described in this Privacy Policy, we may collect certain Personal Data from or about you in connection with your use of, or your submissions to, the Site and the provision of the Service. You are not required to provide all Personal Data identified in this Privacy Policy; however, please be advised that if you do not provide the Personal Data requested, we may be unable to provide some or all of the Services to you.

  2. Personal Data. “Personal Data,” for purposes of this Privacy Policy, means information relating to an identified or identifiable natural person. The Personal Data we collect may include:

  3. Name, Contact, and Demographic Data. We may collect information such as your name, date of birth, gender, e-mail address, phone number, billing and physical addresses, and company information. If you are a Registered User, we may also collect your username and password.

  4. Health and Wellness Data. We may also collect certain information related to your wellness background, weight, height, lifestyle information, medication history, healthcare providers you visited, your reason for visiting a healthcare provider, date of visit, medical history and condition, images or videos, diagnoses, treatment plans, prescription information, laboratory results, and other health-related information in order to provide the Service (“Health and Wellness Data”). Please see the following section for information regarding the collection of special categories of Personal Data.

  5. Payment and Insurance Data. We may collect payment data and insurance information, such as insurance eligibility and coverage and information regarding your dependents, if applicable, in order to provide the Service.

  6. Location Data. We may obtain information regarding your location or the location of your device through which you access our Service. For example, we collect general location data when you provide us with your zip code. In addition, if you use our mobile applications, our Service may obtain precise information about the location of your device with your express consent. Once you have consented to the collection of the precise location of your device, you may revoke this consent by managing your location services preferences through the settings of your device.

  7. Special Categories of Personal Data. We generally do not require you to submit special categories of Personal Data in order to visit our Site. However, as our Service provides general information on health care and other general content pertaining to health and wellness topics, we may need to collect certain special categories of Personal Data, such as health information, in order to provide the Service. In the event we need to collect data that would constitute special categories of Personal Data in order to provide a specific service to you, we will obtain your consent as required by law.

  8. Cookies and Similar Technologies. We may collect certain Personal Data using cookies and other technologies, such as web beacons, device IDs, geolocation, HTML5 local storage, Flash cookies, and IP addresses. We specifically use browser cookies for different purposes, including cookies that are strictly necessary for functionality and cookies that are used for personalization, performance/analytics, and advertising. When you visit the Site, we may also automatically collect certain data about your device, including information about your web browser, IP address, time zone, language preferences, and information regarding your device and browser, including device identifiers. Additionally, as you browse the Site, we may collect information about the individual web pages or services that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. Our “Use of Cookies and Similar Technologies” section contains more information and options to control or opt-out of certain data collection or uses related to cookies and similar technologies.

  9. Anonymous Data. We may create de-identified or anonymous data from Personal Data by removing data components (such as your name, email address, or linkable tracking ID) that make the data personally identifiable to you, through obfuscation, or through other means. Our use of anonymized data is not subject to this Privacy Policy.

HOW DO WE COLLECT INFORMATION?

We may collect Personal Data as follows:

When you create an account or otherwise utilize our Service. We may collect Personal Data, such as your name, address, phone number, email address, username and password, when you create an account with us or otherwise utilize our Services. In addition, we may collect Health and Wellness Data about you and your dependents, if applicable, in order to provide a specific Service to you. We may also collect payment data and insurance information in connection with providing the Service to you.

When you communicate with us or sign up for materials. We may collect Personal Data, such as your name, email address, and other contact information, when you communicate with us, including when you submit information through the Site, submit inquiries, or request information from us. We also collect information when you communicate with Practitioners through the Service. We may also collect Personal Data when you sign up to join our email list or to access or receive information about our Service, news and updates, webinars, white papers, or other information and content.

When you engage with our online communities and forums. We may collect Personal Data when you engage with our online communities and forums, including any information you may provide through your interaction with or participation in our blogs and social media pages and groups. Please note that online forums may be publicly accessible and other users may view information you post in the forums. We encourage you to exercise care in deciding what information and content you wish to disclose on the areas of the Site that are accessible to the general public.

When we collect data from third parties, such as your employer or Practitioners. We may obtain certain data about you from third-party sources in order to provide the Services and for marketing and advertising. For example, we collect certain information about you and your dependents, if applicable, from your employer in order to verify your eligibility to participate in the Service, such as name, email address, address, and whether you are enrolled in your employer’s health plan. We may also collect certain information, including Health and Wellness Data, from the Practitioners who provide treatment or other services to you in connection with our Service. We may combine Personal Data with data we obtain from our Services, other users, or third parties to enhance your experience and improve the Services.

When we leverage and/or collect cookies, device IDs, location, data from the environment, and other tracking technologies. We may collect certain Personal Data using cookies and other technologies, such as web beacons, device IDs, geolocation, HTML5 local storage, Flash cookies, and IP addresses, as further described in this Privacy Policy. Our “Use of Cookies and Similar Technologies” section contains more information and options to control or opt-out of certain data collection or uses related to cookies and similar technologies.

HOW DO WE USE THE INFORMATION WE COLLECT?

We may use Personal Data for a variety of different purposes as set out in further detail in this Privacy Policy. In some cases, we may ask for your consent so that we may process your Personal Data. However, in certain circumstances, applicable data protection laws allow us to process your Personal Data without needing to obtain your consent. Subject to applicable law, the purposes for which we use and process your Personal Data, and the legal basis for such processing, are set forth below.

For the performance of a contract. We may use Personal Data to perform our contractual obligations, including to fulfill your request for a Service, to contact you in relation to the Service, to take steps in response to information or inquiries you may submit prior to entering into an agreement with us, and to provide your Personal Data to our service providers.

Legitimate Interests. We may use Personal Data in order to operate our organization and provide the Service, other than in performing our contractual obligations to you, for our “legitimate interests” for the purposes of applicable law, except where our interests are overridden by the interests or fundamental rights and freedoms of the data subject. Our legitimate interests may include:

To maintain the Site and provide the Service, including for technical support, to facilitate the provision of healthcare services to you by Practitioners, and to provide Practitioners the services and support necessary for health care operations;

To administer your account and Service, including to process payments, fulfill orders, verify your age or identity, and to authenticate and authorize access to the Site and the Service;

To communicate with you regarding the Service, including to send you communications on behalf of Practitioners and to provide you important notices regarding this Privacy Policy or our Terms of Use;

To provide customer support and address and respond to your requests, inquiries, and complaints;

To protect the confidentiality or security of information;

To develop, provide, and improve the Site and Service, including to better tailor the features, performance, and support of the Site and Service, and for statistical and analytics purposes;

For our direct marketing purposes;

To send surveys in connection with our Service;

For fraud, loss, and other crime prevention purposes, to assist in the investigation of suspected illegal or wrongful activity, and to protect and defend our rights and property, or the rights or safety of third parties;

To enforce our Terms of Use, this Privacy Policy, or agreements with third parties;

To comply with laws, regulators, court orders, or other legal obligations, or pursuant to legal process.

Consent. In some cases where we are not already authorized to process the Personal Data under applicable law, we may ask for your consent to process your Personal Data, including:

Special Categories of Personal Data. As indicated above, we may collect certain Health and Wellness information in order to provide the Service. In the event we may need to collect data that would constitute special categories of Personal Data in order to provide a specific Service to you, we will obtain your consent as required by law. In certain circumstances, subject to applicable law, we may process or otherwise disclose special categories of Personal Data without consent, such as to protect the vital interests of you or of another person.

Precise Location Data. If we collect precise location data, we will obtain your consent as required by law. We use information regarding your location or the location of your device through which you access our Service for a number of purposes, including, but not limited to: (a) identifying Practitioners who may provide you with healthcare services; (b) providing you with a list of nearby pharmacies that may fulfill any prescriptions provided to you by your Practitioner; and (c) identifying other healthcare providers whom you may visit at the recommendation of your Practitioner.

Marketing. Where we are not relying on our legitimate interests or another legal basis for processing Personal Data, we may ask for your consent to contact you by telephone, SMS, post and/or email about other offers, products, promotions, developments, or services which we think may be of interest to you and for other marketing purposes.

Cookies. We may also request consent for some cookies in accordance with our cookie policy.

To comply with legal obligations. We may use Personal Data in order to comply with laws, regulators, court orders, or other legal obligations, or pursuant to legal process.

To protect data subjects’ vital interests. We may use Personal Data where we believe it is necessary to protect the vital interests of you or of another person.

HOW DO WE DISCLOSE INFORMATION?

We may disclose your information to third parties in connection with the provision of our Service or as otherwise permitted or required by law, including:

Affiliates. We may disclose some or all of your Personal Data to our subsidiaries, joint ventures, and other companies under our common control (collectively, “Affiliates”), for the purposes described in this Privacy Policy. Where we share Personal Data with our Affiliates, we will require our Affiliates to honor this Privacy Policy.

Service Providers and Business Partners. We may engage third parties to perform certain functions on our behalf. To do so, we may disclose certain information to our third-party service providers that provide services, such as the hosting of our Service, data analysis, IT services and infrastructure, customer service, e-mail delivery, auditing and other similar services, and for marketing and advertising purposes. We require third-party providers to use information only as necessary to provide the service for which we have engaged them. For example, we may disclose Personal Data to the following types of third-party providers:

Customer Service and Communications. We utilize third-party solutions and systems to manage our contacts and programs, and for customer service, communications, and marketing purposes.

Account and Program Administration. We use third-party solutions to assist with our program and Service administration and management activities, such as appointment scheduling and prescription fulfillment. We also utilize third-party solutions to administer and provide the Site and Service. We may also share information with certain third parties, such as clearinghouse entities, in connection with your participation in employer wellness programs.

Payment Processing. We use third parties to process payments and authenticate transactions.

Analytics. We use third-party solutions to help us understand how visitors use the Site and to evaluate usage trends.

Social Media. We may use widgets and tools from social networks to enable sharing and other functions through social networks.

Practitioners. We may disclose Personal Data to Practitioners in order to provide the Service. For example, we may share information with Practitioners to schedule and fulfill appointments and provide health care services as part of the Service and for other treatment, payment, or healthcare operations purposes. In addition, when you communicate with us or submit information through the Site or Service, we may share that information with Practitioners to enable them to communicate with you and provide the Service.

Employers. In the event that your access to the Site and use of the Services are offered in connection with a program offered or supported by your employer, we may disclose certain group health results with your employer. The information we share with employers is aggregated and not personally identifiable to individual employees.

Pursuant to Legal Process. We may also disclose Personal Data to comply with applicable laws and regulations, to respond to a subpoena, search warrant, or other lawful request for information we receive, or as otherwise pursuant to legal process.

Protection of Rights and Interests. We may also use and disclose Personal Data to establish or exercise our legal rights, to enforce our Terms of Use, this Privacy Policy, or agreements with third parties, to assert and defend against legal claims, or if we believe such disclosure is necessary to investigate, prevent, or take other action regarding actual or suspected illegal or fraudulent activities or potential threats to the physical safety or well-being of any person.

Business Transactions. Subject to applicable law, we reserve the right to transfer some or all Personal Data in our possession to a successor organization in the event of any reorganization, merger, sale, joint venture, assignment, transfer, liquidation, or other disposition of all or any portion of our business, assets, or stock. If any such transaction occurs, the purchaser will be entitled to use and disclose the Personal Data collected by us in the same manner that we are able to, and the purchaser will assume the rights and obligations regarding Personal Data as described in this Privacy Policy. With respect to transfers to third party agents of Lux Health under the Privacy Shield, the Privacy Shield requires that Lux Health remain liable should those agents process your information in a manner inconsistent with the Privacy Shield Principles.

HOW LONG DO WE STORE INFORMATION?

We will retain your Personal Data for as long as is necessary to fulfill the purposes for which we obtained the Personal Data, including to provide the Service, or for such longer period as may be required or permitted by applicable law. We will also retain your Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We use the following criteria to set our retention periods: (i) the duration of our relationship with you; (ii) the purposes for processing your Personal Data and associated legal bases; (iii) the existence of a legal obligation as to the retention period; and (iv) the advisability of retaining the information in light of our legal position (for example, in light of applicable statutes of limitations, litigation, or regulatory investigations).

USE OF COOKIES AND SIMILAR TECHNOLOGIES

The Site may use cookies and similar technologies to improve user experience, for performance and analytics, and to improve our content and the Service. A “cookie” is a small text file that a web server stores in browser software. The purpose of cookies is to remember the browser over time and distinguish one browser instance (or user) from all others. Some cookies and other technologies may serve to track Personal Data previously entered by a web user on the Site. Cookies can remember login information, preferences, and similar information. We may use cookies to collect certain information about you and your use of our Service, such as IP addresses, domain names, and the type of device and operating system being used. We may also use cookies to identify your device when you revisit our Service to, for example, recall your authentication information or to track statistical information related to navigation throughout the Site. Cookies, as well as other tracking technologies, such as HTML5 local storage, and Local Shared Objects (such as “Flash” cookies), and similar mechanisms, may record information such as a unique identifier, information you enter in a form, IP address, and other categories of data. We may also use web beacons or “pixels,” and in certain circumstances may collect IP address, screen resolution and browser software and operating system types, clickstream patterns, dates and times that our site is accessed, and other categories of data. Most browsers allow you to control cookies, including whether or not to accept them, and how to remove them. You may adjust your browser to refuse to accept cookies, remove cookies, or notify you when a cookie is set by editing your web browser preferences or options. (Each browser is different, so you should refer to the settings menu on your browser to change your cookie preferences.) Please note that if you choose to erase or block your cookies, you may not be able to use some features of the Service, or certain features may not function properly.

DO-NOT-TRACK

Do-Not-Track is a public-private initiative that has developed a “flag” or signal that an Internet user may activate in the user’s browser software to notify websites that the user does not wish to be “tracked” by third-parties as defined by the initiative. Please note that the Site does not alter its behavior or use practices when we receive a “Do Not Track” signal from browser software.

SOCIAL NETWORK WIDGETS

Our Site may include social network sharing widgets that may provide information to their associated social networks or third-parties about your interactions with our web pages that you visit, even if you do not click on or otherwise interact with the plug-in or widget. Information is transmitted from your browser and may include an identifier assigned by the social network or third party, information about your browser type, operating system, device type, IP address, and the URL of the web page where the widget appears. If you use social network tools or visit social networking sites, we encourage you to read their privacy disclosures to learn what information they collect, use, and share.

USE BY MINORS

Our Service is intended for use by individuals 18 years of age or older. We do not knowingly collect information from individuals under the age of 13 years without parental consent. However, if you are a parent, legal guardian, or personal representative of a minor child, you may, in compliance with the Terms of Use, use our Service on behalf of such minor child. Any information you provide us on behalf of your minor child will be treated in accordance with this Privacy Policy. If we learn that we have received any information from an individual under the age of 13 without parental consent, we will take steps to remove the data as permitted by law. If you believe an individual under 13 years of age has provided us with Personal Data without parental consent, please contact us at support@luxhealth.com or by postal mail at the contact information listed in the “Contacting Us” section.

LINKS TO OTHER SITES

Our Site may contain links or otherwise provide access to another website, mobile application, or Internet location (collectively “Third-Party Sites”). For example, when you choose to contact a medical professional in response to your request for a recommendation, you are providing information (including Personal Data) directly to third parties outside of Lux Health. Please note that we have no control over and are not responsible for Third-Party Sites, their content, or any goods or services available through the Third-Party Sites. Our Privacy Policy does not apply to Third-Party Sites. We encourage you to review the Notice of Privacy Practices of each Practitioner who provides you with services and the privacy policies of any website or application with which you interact.

SECURITY OF INFORMATION

We implement technical and organizational security measures designed to safeguard Personal Data. Please note, however, we cannot fully eliminate security risks associated with the storage and transmission of Personal Data. You also must keep your password secure and your account confidential. If you have reason to believe that the security of your account has been compromised, please notify us immediately in accordance with the “Contacting Us” section below.

DATA SUBJECT RIGHTS

Data subjects in the European Economic Area, European Union, Switzerland, and certain other jurisdictions have certain rights under applicable data protection law, including the right to request confirmation from us as to whether or not we are processing your Personal Data. Where we are processing your Personal Data, subject to applicable law, you also have the right to:

Request access to, modification or rectification, or deletion. You have the right to request access to, modification of, or deletion of your Personal Data we maintain. Registered Users can also make changes to their profile by logging into their account and adjusting information through the settings.

Request restriction of processing. You have the right to request that we restrict processing of your Personal Data in certain circumstances, such as where you believe that the Personal Data we hold about you is inaccurate or our processing is unlawful.

Object to processing. In certain circumstances, you may have the right to request that we stop processing your Personal Data, such as a request to stop sending you direct marketing communications. To opt-out of direct marketing communications, please see the instructions in the “Withdrawing Your Consent” section of this Privacy Policy.

Data portability. In certain circumstances, you may have the right to receive the Personal Data concerning you that you provided to us or to request that we transmit your Personal Data to another data controller.

Lodge a Complaint. You have the right to lodge a complaint with a supervisory authority.

To exercise your rights, you may contact us at support@luxhealth.com or by postal mail at the contact information listed in the “Contacting Us” section. As permitted by law, certain data elements may not be subject to access, modification, portability, restriction, and/or deletion. Furthermore, where permissible, we may charge for this service. We will respond to reasonable requests as soon as practicable and as required by law. To protect your privacy and security, we may take steps to verify your identity in order to respond to your request.

WITHDRAWING YOUR CONSENT

In most cases, we need to process certain of your Personal Data in order to fulfil our contractual obligations to you and for our legitimate interests. Where the basis of processing is legitimate interests, you have a right to object to the processing of your Personal Data. Please note that, subject to applicable law, we may continue to process your Personal Data even where you object if there are compelling legitimate grounds for processing that override your interests and rights, or where processing is necessary to establish, exercise, or defend legal claims. Where consent is the basis of processing, you may at any time withdraw the consent you provided for the processing of your Personal Data for the purposes set forth in this Privacy Policy by contacting us at support@luxhealth.com, provided that we are not required by applicable law or professional standards to retain such information. If you would like to stop receiving newsletters or other marketing or promotional messages, notifications, or updates, you may do so by following the unsubscribe instructions that appear in these e-mail communications, or you may contact us at support@luxhealth.com to opt-out of direct marketing. Please be advised that you may not be able to opt-out of receiving certain service or transactional messages from us, including legal notices. Please note that if you do not provide consent, if you withdraw your consent or object to processing, or if you choose not to provide certain Personal Data, we may be unable to provide some or all of the Services to you.

TRANSFER OF DATA TO THE U.S.

Please note that if you are visiting the Site from outside of the United States, your information may be transferred to, stored, and/or processed in the United States. The data protection and other laws of the United States and other countries might not be as comprehensive as those in your country. If you are located outside of the United States, the transfer of Personal Data is necessary to provide you with the requested information and Service and/or to perform any requested transaction. By using any portion of the Site, you acknowledge and consent to the transfer of your information to our facilities in the United States.

CALIFORNIA PRIVACY RIGHTS

Residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of personal information (as defined by California law) the business shares with third parties for those third parties’ direct marketing purposes, and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To exercise your rights, you may make one request per calendar year by submitting your request in writing using the email address support@luxhealth.com or by postal mail at the contact information listed in the “Contacting Us” section.

PRIVACY SHIELD NOTICE FOR USERS IN THE EUROPEAN UNION AND SWITZERLAND

Lux Health complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union or Switzerland, to the United States. Lux Health has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. In compliance with the Privacy Shield Principles, Lux Health commits to resolve complaints about our collection or use of your personal information. Individuals in the European Union or Switzerland with inquiries or complaints regarding our Privacy Shield policy should first contact Lux Health at support@luxhealth.com or by mail at the address below. We will respond to your inquiry or complaint within 30 days. Lux Health has further committed to refer unresolved Privacy Shield complaints to the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus, an alternative dispute resolution provider. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information or to file a complaint. The services of the BBB EU PRIVACY SHIELD alternative resolution services are provided at no cost to you. Under certain limited conditions, individuals may invoke binding arbitration as a last resort before the Privacy Shield Panel. The FTC has jurisdiction over Lux Health’s compliance with the Privacy Shield.

UPDATES TO THIS POLICY

We may update this Privacy Policy from time to time. The most recent version of the Privacy Policy is reflected by the version date located at the top of this Privacy Policy. We encourage you to review this Privacy Policy often to stay informed of how we may process your information.

CONTACTING US

If you have any questions about this Privacy Policy, please contact us by email at support@luxhealth.com or by regular mail at: Lux Health, Inc. USA