Included Health Privacy Policy for California Workforce

Effective Date: 1/1/2023

This Privacy Policy for California Residents supplements the information contained in Included Health’s Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and any terms defined in the CCPA have the same meaning when used in this Policy. 

This Policy applies to workforce-related personal information collected from California-based employees, job applicants, contractors, or similar individuals (See https://www.lever.co/privacy).

Information We Collect

Included Health collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information“). Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data;
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

In particular, Included Health collected the following categories of personal information from consumers within the last twelve (12) months: 

CategoryExamplesCollected
A. Identifiers.A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, medical information, or health insurance information.Some personal information included in this category may overlap with other categories.YES
C. Protected classification characteristics under California or federal law.Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).YES
D. Commercial information.Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.NO
E. Biometric information.Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.NO
F. Internet or other similar network activity.Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.YES
G. Geolocation data.Physical location or movements. YES
H. Sensory data.Audio, electronic, visual, thermal, olfactory, or similar information.NO
I. Professional or employment-related information.Current or past job history or performance evaluations.YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. YES
K. Inferences drawn from other personal information.Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.YES

Included Health obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or information you provide as part of a job application or benefits enrollment.
  • Indirectly from you. For example, from observing your actions on our Website.

Use of Personal Information

Included Health may use or disclose the personal information we collect for one or more of the following purposes: 

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information as part of a job application, we will use that information to process your application.
  • To provide, support, personalize, and develop our Website, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
  • To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our [Website users/consumers] is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

Included Health may share your personal information by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract.

We do not sell personal information.

Your Rights and Choices 

 

The right to know and to portability

You have the right to request that we disclose to you:

  • the categories and sources of the personal information that we collect about you, the purposes for which we use your information and with whom such information is shared;
  • in case of sale of personal information or disclosure for a business purpose, two separate lists where we disclose:
    • for sales, the personal information categories purchased by each category of recipient; and
    • for disclosures for a business purpose, the personal information categories obtained by each category of recipient.
  • The disclosure described above will be limited to the personal information collected or used over the past 12 months.

If we deliver our response electronically, the information enclosed will be “portable”, i.e. delivered in an easily usable format to enable you to transmit the information to another entity without hindrance – provided that this is technically feasible.

The right to request the deletion of your personal information

You have the right to request that we delete any of your personal information, subject to exceptions set forth by the law (such as, including but not limited to, where the information is used to identify and repair errors on this Website, to detect security incidents and protect against fraudulent or illegal activities, to exercise certain rights etc.). For example, we cannot delete information that explains medical treatment decisions, as we are legally obligated to keep such information.

If no legal exception applies, as a result of exercising your right, we will delete your personal information and direct any of our service providers to do so.

 

How to Exercise Your Privacy Rights

How to Make a Request:

At Included Health, member and consumer privacy are very important to us. As a result, before we process any requests we first must verify your identity and ensure we have enough information. To exercise rights described throughout the Privacy Policy, you must submit to us a “verifiable request by:

  • Providing sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and
  • Describing your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

With that in mind, at this time:

  • Requests from Members are considered verified if submitted using our Services. If you are an existing Member, please submit your request either by calling us and confirming your identity, or by submitting via the application (e.g., using the chat service, or via an open case). If, however, there is indication or suspicion of fraud or other malicious activity on the Member’s account, we may suspend reliance on these verification methods and defer to other methods to confirm authenticity. 
  • You may alternatively contact us via the information provided below under “Contact Us”. However, please note that emailed requests are not considered verified, and we may request additional information from you (that we would already have in our records) in order to confirm your identity. 
  • We may also recognize verified requests submitted on an individual’s behalf by “Authorized Agents”. To be valid, we must receive from the Agent a signed authorization from the individual on whose behalf the Agent is acting. We will also need to verify the authorization with the consumer.
  • For “household” requests subject to the CCPA, we will need to verify each household Member’s individual identity and current status as household members.
  • And we will not process any requests of children under 13 years of age without verifiable consents from their parents or legal guardians. 

We will not respond to or process any unverified request.  This is all done to protect your confidentiality and ensure, to the best of our ability, that we only process such requests for the right persons. 

You can submit a maximum number of 2 requests over a period of 12 months.

If you choose to exercise your privacy rights, you will not receive discriminatory treatment or a lesser degree of service from us.

How and When We Are Expected to Handle Your Request:

Unless otherwise specified in this Policy, the following applies for timing and expectations around how and when we will respond to your requests. If our response to a privacy request is restricted by an agreement between us and your Employer, we will process your requests in accordance with that agreement and related authorization. Otherwise, the following applies. 

To the best of our ability, we will confirm receipt of your verifiable request within 10 days and provide information about how we will process your request.

For CCPA-related requests, we will respond to your request within 45 days of its receipt, and for all other requests within 30 days of receipt. Should we need more time, we will explain to you the reasons why, and how much more time we need. In this regard, please note that we may take up to 90 days to fulfill your request.

Our CCPA disclosures will cover the preceding 12 month period.

Should we deny your request, we will explain to you the reasons behind our denial.

We do not charge a fee to process or respond to your verifiable request unless such request is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee, or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind it.

What is our policy on children users?

Included Health does not knowingly collect or maintain personally identifiable information from persons under 13 years old, and no part of our Sites is directed to persons under 13. IF YOU ARE UNDER 13 YEARS OF AGE, PLEASE DO NOT USE OR ACCESS OUR SITES AT ANY TIME OR IN ANY MANNER, except where allowed in accordance with our Terms of Service. Where permitted, any personal information relating to those children will be health information governed by this Privacy Policy or the applicable Notice of Privacy Practices.

If you are a parent or guardian and discover that your child under the age of 13, or equivalent minimum age depending on jurisdiction, has obtained an Included Health account, then you may alert us using the contact information below under “Contact Us” and request that we delete that child’s personal information from our systems. If we learn that we have collected the personal information of a child under 13, or equivalent minimum age depending on jurisdiction, outside the above circumstances we will take steps to delete the information as soon as possible, except where prohibited by applicable law.

Personal Information Sales Opt-Out and Opt-In Rights

To the extent our website uses third party cookies and these cookies collect personal information, such collection may in some cases be considered a “sale” of personal information for purposes of the CCPA. 

You have the right to opt out of the sale of your personal information. This means that whenever you request us to stop selling your data, we will abide by your request. 

You can opt out of such sales. Such requests can be made freely, at any time, without submitting any verifiable request, simply by contacting us at the contact details below under “Contact Us”, or following the below instructions.

 

Instructions To Opt Out of the Sale of Personal Information

On our Sites are cookie banners with a button labeled “Do Not Sell My Data.” This button was added in order to comply with the CCPA, and it offers information about our use of these third-party cookies, and provides consumers an opportunity to opt-out of certain of these cookies. 

Should you wish to opt-out of these cookies, please click on the “Do not sell my data” button on the banner that pops up. This will result in the placement of an opt-out cookie on your device browser. 

If you’d like to know more, you can contact us at the contact details below under “Contact Us”.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

If you choose to exercise your privacy rights, you will not receive discriminatory treatment or a lesser degree of service from us.  

Changes to Our Privacy Policy

We reserve the right to amend this privacy policy at our discretion and at any time. When we make changes to this privacy policy, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have questions, want to submit a request, have concerns about this Policy or Included Health’s Privacy Practices, or would like to report a violation, see the below contact options:

  • You may contact us by mail at:

Included Health, Inc., Privacy Officer
1 California Street, Ste. 2300
San Francisco, CA 94111

  • You may email us at privacy@includedhealth.com. 

If you need to access this Policy in an alternative form or format, please contact privacy@includedhealth.com and/or 855-431-5533.