LENUX HEALTH PRIVACY POLICY

Last updated January 1, 2023

This Privacy Policy explains how Lenux Health (“Lenux Health,” “us,” or “we”) treats information we collect about you through lenuxhealth.com and the products and services offered there (the “Site”) and how you can exercise your privacy rights. Lenux Health contracts with employers, health insurance companies, and other organizations (“Sponsors”) to provide the Sponsor’s program participants (“Participants”) with access to our health and wellness program products and features. Lenux Health offers tools to assess the impact of Participant behaviors and habits on their general health and information to help them make healthy lifestyle choices.

By accessing or using the Site in any manner, you agree to our privacy practices as described in this Privacy Policy. If you do not agree with this Privacy Policy, do not access or use the Site. If you have questions about our privacy practices or would like to make a complaint, please contact us at privacy@lenuxhealth.com.

This Privacy Policy is governed by and part of the Lenux Health Terms of Use between us and you as a user of the Site. Note that this Privacy Policy only applies to Lenux Health. It does not apply to any third-party platforms or services, even if linked or accessible from the Site.

Personal Data Defined

As used in this Privacy Policy, “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Data falls within certain categories, for example:
• Identifiers (e.g., name, email, telephone number, address, username);
• Sensitive Personal Data (e.g., government identification number; precise geolocation; racial or ethnic origin; religious beliefs; health information; contents of messages when we are not the recipient; in some cases, information about a known child);
• Legally protected information (e.g., race, citizenship, marital status, sex);
• Employment-related information (e.g., current or past employment);
• Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99);
• Biometrics (e.g., DNA, face/voice prints, health data) and audio, electronic, visual, thermal, or olfactory information;
• Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
• Internet or other similar activity (e.g., browsing history; content interactions); and
• Inferences drawn from Personal Data to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, intelligence, and aptitudes.

Information that is not protected as Personal Data includes publicly available information; aggregated information (meaning data summaries or reports with Personal Data removed); and anonymized information that cannot be linked back to an individual.

Designed for 18+

Lenux Health is designed for adults aged 18 and over. The Site is not intended for use by children. Lenux Health does not knowingly collect any Personal Data from persons under the age of 18. If we discover we have collected Personal Data from a child, we will delete it from our systems. If you are the legal guardian of a child under the age of 18 and think that we have inappropriately collected Personal Data from this child, please contact us.

No Payment Information

We will never ask for your credit card number. If anyone calls claiming to be Lenux Health asking for your credit card number, please contact us using the information at the bottom of this notice.

Personal Data Collection & Use

Lenux Health only collects and uses Personal Data with your consent, as a service provider to a Sponsor, or as authorized or required by law. It is our policy to collect, use, retain, and disclose Personal Data as is adequate and relevant to the specific, express purposes described below or as reasonably necessary and proportionate to provide the Site and offer our services to Sponsors. Over the last 12 months, we have collected Participant identifiers (like name, email, address, and date of birth), Participant health information, and Participant internet and similar information as follows:

From you, with your consent when:
• You participate in a Personal Health Assessment or submit your Personal Data via our interactive tools.
• You complete one of our online forms.
• You contact us or submit your Personal Data to Lenux Health online, via email, or otherwise.
From your Sponsor, acting as a service provider to the Sponsor when:
• Your Sponsor identifies you as an eligible Participant so we can facilitate your access to the Site.
• Your Sponsor directs your health insurance provider to share claims-related information with us.
From third parties, with your consent and prior approval, for example:
• A company we collaborate with to provide biometric or lab testing services may share your results with us.
• We may receive healthcare-related information from your healthcare provider and a clinic or organized care facility with which your provider is associated.
Automatically from your use of the Site with a legitimate interest of managing and improving the Site and to troubleshoot and keep the Site secure:
• When you interact with the Site, we automatically collect technical data, some of which may be Personal Data, about your online activity.
• The Site uses cookies and related technologies to track Site traffic, content interactions, visitor search history, internet provider details, and session data.
Other Personal Data Uses. Lenux Health uses your Personal Data to facilitate your use of the Site, for our internal business purposes, and to:
• Generate and use reports and statistics from Personal Data in a fully anonymized, deidentified, or aggregated format to support our research, marketing, advertising, or other internal uses.
• Any purpose to which you consent.
• Provide the Services and personalize your experience.
• Send you support and administrative messages.
• Monitor your compliance with any of your agreements with us.
• Protect your privacy and enforce this Privacy Policy.
• Identify, contact, or bring legal action against persons or entities who may be causing injury to you, to Lenux Health, to your Sponsor, or to others if we believe it is necessary.
• Comply with a law, regulation, legal process, or court order.
We will update this Privacy Policy or otherwise notify you and obtain your consent where required under applicable law before we collect additional categories of Personal Data or use your Personal Data for purposes that are incompatible with the purpose stated at the time of collection.

Participant Health Information

The health information processed via the Site may be protected as PHI under the U.S. federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). If your Sponsor is a HIPAA covered entity, Lenux Health processes PHI as a business associate to the Sponsor. Your Sponsor instructs our activities with this data, and your Sponsor (not Lenux Health) is responsible for all decisions for its use, disclosure, and security. Please contact your Sponsor if you have questions. For all other uses of the Site, Lenux Health is not subject to HIPAA or any of its equivalent or complementary laws, and we make no warranty or representation that disclosures of information via the Site are permissible under such laws or that the Site complies with any law or regulation governing health care, insurance services, or medical practice.

Personal Data Retention

Lenux Health only retains Personal Data for the minimum period necessary to provide our products and services. We retain your Personal Data while we are contracted as a service provider to your Sponsor. In all other cases we retain Personal Data for the period required by our internal data retention and handling policies. Lenux Health reserves the right to retain data for longer periods as required by law or court order or if doing so is critical to our business. We securely delete data at the conclusion of the applicable retention period. as needed to provide our Services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Personal Data Disclosures

Lenux Health will only disclose Personal Data to third parties as described in this section, with your permission, or as required by law. In the preceding 12 months, we have disclosed Personal Data for a business purpose to:
Your Health Care Provider
• We may disclose your Personal Data to your health care providers and any clinics or organized health care organizations with whom they are associated, such as an Accountable Care Organization (ACO).
Your Sponsor
• We may disclose PHI to Sponsors that are covered entities under HIPAA for plan administration purposes and coordination of your care.
• Your employer will only have access to the information needed to plan and deliver health programs. We will not disclose your individually identifiable PHI to your employer.
• We may further limit the way we share your Personal Data based on the direction of your Sponsor and any privacy policy to which they ask us to adhere.
Our Service Providers
• Service Providers like IT service providers, analytics services, and email and data hosting providers may have access to Personal Data as needed to perform their contractual obligations to Lenux Health.
• We contractually prohibit our service providers from selling or disclosing the Personal Data we provide, and we require all service providers to maintain confidentiality standards and appropriate technical and organizational measures to ensure the security of your Personal Data.
Third Parties
• Lenux Health may be required by law to disclose Personal Data to protect the rights, property or safety of us or others, or in emergency situations.
• If Lenux Health goes through a business transition (e.g., merger, acquisition, or sale of a portion of our assets) where all or substantially all of our assets are acquired by one or more third parties, we will have to disclose Personal Data to those third parties.
• Transfers to subsequent third parties are covered by the service agreements with our Sponsors.

Aggregated and Deidentified Information

We might use your Personal Data to provide aggregated reporting on user trends or outcomes from use of the Site. Rest assured that we will never allow your Sponsor or anyone else to see your Personal Data in a format that allows you to be identified. We reserve the right to share aggregated, anonymized, or deidentified information about any individuals with nonaffiliated entities for marketing, advertising, research or other purposes, without restriction.

Controlling Your Personal Data

Lenux Health provides you a variety of methods and options to directly control how we collect and use your Personal Data:
• You may access and review your Personal Data on the Site.
• If you notice any inaccuracies in your Personal Data, please notify us at privacy@lenuxhealth.com. If we determine that the information is inaccurate and we are the source of the error, we will correct it.
• Lenux Health may send you informational or support emails related to your use of the Site. If you do not wish to receive emails from us, you can send us a request to opt-out.
• If you provide us with your wireless phone number, you consent to Lenux Health sending you informational or service text messages related to your use of the Site. The number of texts you receive will depend on your use of the Site and the Sponsor with which you are affiliated. You can opt-out by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
• Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests.

Your Right to Privacy

Depending on where you live or are located, you may have certain rights over your Personal Data. This section provides legally required notices of consumer privacy rights applicable in California, Colorado, Connecticut, Nevada, Utah, Virginia, and other states with similar requirements. Participants should direct privacy requests to their Sponsor. If you reside in a state offering privacy protections (“Consumer”), you may have some or all of the following rights related to your privacy:
• Right to correct inaccurate Personal Data about you on our systems.
• Right to delete your Personal Data that we collected and retained, with certain exceptions.
• Right to access, including to receive confirmation that we have collected Personal Data about you and copies of the requested pieces of Personal Data in a portable and readily usable format. Please note that we may be legally prohibited from disclosing certain pieces of Personal Data, and we may be limited in the number or frequency of requests we must fulfill.
• Right to opt-out or limit our use or disclosure of sensitive information. You may have the right to opt-out or limit our use of your sensitive information. Lenux Health does not collect sensitive information for its own purposes and does not disclose any sensitive information to third parties for the purpose of inferring characteristics about you or otherwise use your sensitive information without your consent.
• No selling or sharing. Some states entitle consumers to opt-out of the sale or sharing of Personal Data or targeted advertising practices. Lenux Health does not sell your Personal Data or share your Personal Data with third parties for cross-contextual behavioral advertising purposes. If this changes in the future, we will update this Privacy Policy and provide you with a method to opt-out.
• No Profiling. We do not process your Personal Data to evaluate, analyze, or predict your interests and preferences or otherwise use automated profiling to produce significant effects that concern you.
• Right to receive details about our collection and use of your Personal Data, such as: (i) the categories of Personal Data we have collected about you; (ii) the categories of sources for the Personal Data we have collected about you; (iii) our business purpose for collecting, using, processing, sharing or selling that Personal Data, as applicable; (iv) the categories of third parties with whom we share that Personal Data; and (v) if we sold or shared your Personal Data under the California Consumer Privacy Act, two separate lists stating: (a) sales or sharing, identifying the Personal Data categories that each category of recipient purchased; and (b) disclosures for a business purpose, identifying the Personal Data categories that each category of recipient obtained. Certain laws may limit the number or frequency of requests we must fulfill.
• Right to Nondiscrimination. We will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; (iv) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (v) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.
• Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Data sharing with affiliates and/or third parties for marketing purposes.

Exercising Your Privacy Rights

Depending on where you reside, you may be entitled to exercise certain privacy rights provided by the laws that apply to your state. Participants should contact their Sponsor to exercise their privacy rights. If you have submitted Personal Data directly to Lenux Health without the involvement of a Sponsor, you can submit a request to privacy@lenuxhealth.com to exercise your rights under applicable privacy laws. To submit a request, you must provide us with sufficient information to verify your identity and understand the nature and scope of your request. We do not charge a fee to process these requests unless we have legal grounds to do so and without first providing you with a cost estimate. We endeavor to respond to privacy requests in the legally required timeline. If we are delayed in responding, you can appeal by contacting privacy@lenuxhealth.com.

Owned and Operated in the United States

Lenux Health is a United States company using technical infrastructure in the United States and other countries. Lenux Health does not warrant that the Site is appropriate or authorized for use outside of the United States. If you access the Site from outside the United States, please be aware that your Personal Data may be transferred to, processed, stored, and used in the United States or other jurisdictions. When your information is moved from your home country to another country, the laws and rules that protect your Personal Data in the country to which your information is transferred may be different from those of the country where you live. For example, if your information is in the United States, it may be accessed by government authorities under United States law. You are solely responsible for determining whether your use of the Site complies with applicable laws. By allowing us to collect Personal Data about you, you consent to the transfer and processing of your Personal Data as described in this section.

Automated Technologies

As is true of most online platforms, Lenux Health uses cookies and other automated technologies to gather and analyze certain technical data about interactions with the Site. Cookies are small files that are placed on your device when you visit a website. They allow the website to analyze user trends, remember a user from one session to the next, and enable certain features to function. Lenux Health may collect internet protocol addresses, browser type, internet service provider, referring/exit pages, operating system, date/time stamp, and/or clickstream data. Lenux Health uses cookies or similar technologies to analyze trends, administer the website, track users’ movement around the website, and to gather demographic information about our user base. Data we collect through cookies is never shared with third parties. You can adjust your device or web browser settings or install a third-party plugin to block cookies or alert you when a cookie is set but doing so may prevent you from using some or all of the features on the Site.

Data Security

Lenux Health has implemented and maintains reasonable security measures to secure your Personal Data from accidental loss and unauthorized access, use, alteration, and disclosure. Our security measures are appropriate to the volume, scope, and nature of the Personal Data processed and designed to meet our duty of care with respect to your Personal Data. However, submission of information over the internet is never entirely secure. You are responsible for keeping your device access and login information confidential. You are also encouraged to install anti-virus and anti-malware software on your devices and keep all software updated to avoid security risks. We cannot guarantee the security of information you submit via our Services while it is in transit over the Internet, and any such submission is at your own risk.

Third-Party Platforms

The Site may include links to other online platforms. Lenux Health does not endorse and is not responsible for the information practices or privacy policies of any platforms that may be linked to or from our Site. If you decide to access a third party’s platforms that may be linked to or from our Site, you should consult that platform’s privacy policy to understand how the third party may use your data.

Updates

We may update this Privacy Policy from time to time. You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy. We will notify you about material changes to this Privacy Policy by email or by other measures that are appropriate to provide you with notice. We will collect your consent to these changes to the extent required by applicable law.