LENUX HEALTH PRIVACY POLICY
Last updated May 3, 2024
This Privacy Policy explains how Lenux Health (“Lenux Health” “us” or “we”) treats information we collect about you through lenuxhealth.com and the products and services offered there (the “Site”) and how you can exercise your privacy rights. Lenux Health contracts with employers, health insurance companies, and other organizations (“Sponsors”) to provide the Sponsor’s program participants (“Participants”) with access to our health and wellness program products and features. This Privacy Policy is governed by and part of the Lenux Health Terms of Use between us and you as a user of the Site.
Our Privacy Promise
Lenux Health offers tools to assess the impact of Participant behaviors and habits on their general health and information to help them make healthy lifestyle choices. We know that maintaining your privacy is important to Site users, and we want you to have a very clear understanding of how we collect, protect, and use your information. Here is a summary of our privacy promise to you:
· The Site is private by default. We will never allow your Sponsor or anyone else to see your Personal Data in a format that allows you to be identified.
· We will never sell your Personal Data.
· The Site is designed for adult users located in the United States and Canada.
· We only work with service providers and affiliates that meet or exceed our own privacy standards.
· Any reporting we do on trends or content consumption is done in the aggregate. Your user data is 100% anonymous in these reports.
· This Privacy Policy only applies to Lenux Health. It does not apply to any third-party platforms or services, even if linked or accessible from the Site.
· The Site is for informational purposes only. The Site does not replace medical services, healthcare, professional services, or your own good judgement.
· We welcome your requests to exercise your privacy rights. If you have questions about our privacy practices or would like to make a complaint, please contact us at privacy@lenuxhealth.com.
By accessing or using the Site in any manner, you agree to our privacy practices as described in this Privacy Policy. If you do not agree with this Privacy Policy, do not access or use the Site.
Personal Data Defined
As used in this Privacy Policy, “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Data falls within certain categories, for example:
· Identifiers (e.g., name, email, telephone number, address, username);
· Commercial information (e.g., products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies);
· Educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99);
· Employment information (e.g., current or past employment);
· Sensitive information (e.g., government identification number; precise geolocation; racial or ethnic origin; religious beliefs; health information; contents of messages when we are not the recipient; in some cases, information about a known child);
· Legally protected information (e.g., race, citizenship, marital status, sex);
· Biometrics (e.g., DNA, face/voice prints, health data) and audio, electronic, visual, thermal, or olfactory information;
· Internet activity (e.g., browsing history; content interactions); and
· Inferences drawn from Personal Data to create a profile about preferences, characteristics, trends, predispositions, behaviors, attitudes, intelligence, and aptitudes.
Not all information about a person qualifies as Personal Data under privacy laws. For example, publicly available information, aggregated data, and anonymized information are often exempt from legal rights and protections.
Designed for 18+
Lenux Health is designed for adults aged 18 and over. The Site is not intended for use by children. Lenux Health does not knowingly collect any Personal Data from persons under the age of 18. If we discover we have collected Personal Data from a child, we will delete it from our systems. If you are the legal guardian of a child under the age of 18 and think that we have inappropriately collected Personal Data from this child, please contact us.
Your Sponsor
We will never disclose your Personal Data to a Sponsor. However, your Sponsor may collect and process Personal Data about you through other means. We have no control over the type or scope of Personal Data collected, used, or stored by Sponsors. Personal Data processed by Sponsors belongs to the Sponsor and is collected, processed, stored, shared, and disclosed by each Sponsor according to its own terms of use and privacy policies. Personal Data processed by Sponsors is not subject to this Privacy Policy, and we are in no way responsible for such information.
Participant Health Information
The health information processed via the Site may be protected as PHI under the U.S. federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). If your relationship you’re your Sponsor is as a HIPAA covered entity, Lenux Health processes PHI as a “business associate” to the Sponsor. Your Sponsor instructs our activities with this data, and your Sponsor, not Lenux Health, is responsible for all decisions for its use, disclosure, and security. Please contact your Sponsor if you have questions. For all other uses of the Site, Lenux Health is not subject to HIPAA or any of their equivalent or complimentary laws, and we make no warranty or representation that disclosures of information via the Site are permissible under such laws or that the Site complies with any law or regulation governing health care, insurance services, or medical practice.
No Payment Information
We will never ask for your credit card number. If anyone calls claiming to be Lenux Health asking for your credit card number, please contact us using the information at the bottom of this notice.
Personal Data Collection & Use
Lenux Health only collects and uses Personal Data with your consent as informed by this Privacy Policy and freely given by you, as a service provider to a Sponsor, or as authorized or required by law. It is our policy to collect, use, retain, and disclose Personal Data as is adequate and relevant to the specific, express purposes described below or as reasonably necessary and proportionate to provide the Site and offer our services to Sponsors. Over the last 12 months, we have collected Participant identifiers (like name, email, address, and date of birth), health information, and internet and similar information as follows:
From you, with your consent when:
· You participate in a Personal Health Assessment or submit your Personal Data via our interactive tools.
· You complete one of our online forms.
· You contact us or submit your Personal Data to Lenux Health online, via email, or otherwise.
From your Sponsor, acting as a service provider to the Sponsor when:
· Your Sponsor identifies you as an eligible Participant so we can facilitate your access to the Site.
· Your Sponsor directs your health insurance provider to share claims-related information with us.
From third parties, with your consent and prior approval, for example:
· A company we collaborate with for provide biometric or lab testing services may share your results with us.
· We may receive healthcare-related information from your healthcare provider and a clinic or organized care facility with which your provider is associated.
Automatically from your use of the Site with a legitimate interest of managing and improving the Site and to troubleshoot and keep the Site secure:
· When you interact with the Site, we automatically collect technical data (e.g., IP address, device information, ISP, session details), some of which may be Personal Data, about your online activity.
· The Site uses cookies and related technologies to track Site traffic, content interactions, visitor search history, internet provider details, and session data. Cookies are small files that are placed on your device when you visit a website. Lenux Health uses cookies or similar technologies to analyze trends, administer the website, track users’ movement around the website, and to gather demographic information about our user base. Data we collect through cookies is never shared with third parties.
· You can adjust your device or web browser settings or install a third-party plugin to block cookies or alert you when a cookie is set but doing so may prevent you from using some or all of the features on the Site.
We may also process Personal Data for other purposes that we disclose to you or as compatible with the context of how we collected your Personal Data. In addition to the specific uses described above, we reserve the right to use your Personal Data to (i) protect your privacy and the privacy of others; (ii) comply with a law, regulation, legal process, or order; (iii) monitor your compliance with this Privacy Policy and your agreements with us; (iv) if we believe it is necessary, to identify, contact or bring legal action against persons or entities who may be causing injury to you, to us, or to others; or (v) for any other purpose with your consent. We will not collect additional categories of Personal Data or use your Personal Data for purposes that are incompatible with the purpose stated at the time of collection without first notifying you by updating this Privacy Policy or through other means.
Personal Data Retention
Lenux Health only retains Personal Data for the minimum period necessary to provide our products and services. We retain your Personal Data while we are contracted as a service provider to your Sponsor. In all other cases we retain Personal Data for the period required by our internal data retention and handling policies. Lenux Health reserves the right to retain data for longer periods as required by law or court order or if doing so is critical to our business. We securely delete data at the conclusion of the applicable retention period. as needed to provide our Services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Personal Data Disclosures
Lenux Health never shares your financial or health information with your Sponsor. We will only disclose Personal Data to the third parties as described in this section, with your permission, or as required by law. In the preceding 12 months, we have disclosed Personal Data in the categories of identifiers, health information, and internet and similar information with third parties for a business purpose, including to:
Your Health Care Provider
· We may disclose your Personal Data with your health care provider, clinic, or organized health care organization with whom your health care provider is associated, such as an Accountable Care Organization (ACO) with your consent and subject to applicable law.
Your Sponsor
· Your Sponsors will only have access to the information needed to plan and deliver health programs.
· We will not disclose your individually identifiable PHI with your employer except where your Sponsor is a covered entity under HIPAA and requires it for plan administration purposes and coordination of your care.
· We may further limit the way we share your Personal Data based on the direction of your Sponsor and any privacy policy to which they ask us to adhere.
· If your Sponsor contracts to provide you with access to the MoneyWellth application, you may access and use the MoneyWellth application, and your Personal Data may be shared between Lenux Health and MoneyWellth to facilitate your use of both services.
Our Service Providers
· Service Providers like IT service providers, analytics services, and email and data hosting providers may have access to Personal Data as needed to perform their contractual obligations to Lenux Health.
· For example, we rely on Braze to support our user communications and engagement efforts. We may disclose your Personal Information with Braze subject to the Braze Privacy Policy.
· We contractually prohibit our service providers from selling or disclosing the Personal Data we provide, and we require all service providers to maintain confidentiality standards and appropriate technical and organizational measures to ensure the security of your Personal Data.
Third Parties
· Lenux Health may be required by law to disclose Personal Data to protect the rights, property or safety of us or others, or in emergency situations.
· If Lenux Health goes through a business transition (e.g., merger, acquisition, or sale of a portion of our assets) where all or substantially all of our assets are acquired by one or more third parties, we will have to disclose Personal Data to those third parties.
· Transfers to subsequent third parties are covered by the service agreements with our Sponsors.
Aggregated and Deidentified Information
Rest assured that we will never allow your Sponsor or anyone else to see your Personal Data in a format that allows you to be identified. We might use your Personal Data to provide aggregated reporting on user trends out outcomes from use of the Site. We reserve the right to disclose, share, or sell aggregated, anonymized, or deidentified data to third parties for any purpose, without restriction.
Controlling Your Personal Data
Lenux Health provides you a variety of methods and options to directly control how we collect and use your Personal Data:
· You may access and review your Personal Data on the Site.
· If you notice any inaccuracies of your Personal Data, please notify us at privacy@lenuxealth.com.
· If we determine that the information is inaccurate and we are the source of the error, we will correct it.
· Lenux Health may send you informational or support emails related to your use of the Site. If you do not wish to receive emails from us, you can send us a request to opt-out.
· If you provide us with your wireless phone number, you consent to Lenux Health sending you informational or service text messages related to your use of the Site. The number of texts you receive will depend on your use of the Site and the Sponsor with which you are affiliated. You can opt-out by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
· Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests.
Your Privacy Rights
Depending on where you reside, you may be entitled to additional controls over your Personal Data. This section provides courtesy notices of privacy rights that may be available to you. Please note that not all privacy laws apply to the Site or our company. Lenux Health supports consumer exercise of their privacy rights as required of us by law.
Participants should contact their Sponsor to exercise their privacy rights.
If have submitted Personal Data directly to Lenux Health without the involvement of a Sponsor, you can submit a request to privacy@lenuxhealth.com to exercise your rights under applicable privacy laws. You must provide us with sufficient information to verify your identity and understand the nature and scope of your request. We do not charge a fee to process these requests unless we have legal grounds to do so and without first providing you with a cost estimate. We endeavor to respond to privacy requests in the legally required timeline. If we are delayed in responding, you can appeal by contacting privacy@lenuxhealth.com.
United States Privacy Rights
In the United States, consumer privacy is governed by federal privacy laws covering specific industries or data uses and state privacy laws providing general consumer privacy rights. For example, California, Colorado, Connecticut, Iowa, Nevada, Oregon, Texas, Tennessee, Utah, Virginia, and other states require companies to inform consumers about their privacy rights and provide a method to exercise those rights. Depending on where you live, you may be entitled to some or all of the following privacy rights:
· Right to know how we treat your Personal Data. We have set the required notices in this Privacy Policy. We may provide you with additional notices about other ways we process your Personal Data, such as by sending you a notice via email or by other means of communication.
· Right to request confirmation that we have collected Personal Data about you and that we provide you with access to that Personal Data. If you submit an access request, we will provide you with copies of the requested pieces of Personal Data in a portable and readily usable format. Please note that MoneyWellth may be prohibited by law from disclosing certain pieces of Personal Data, and we may be limited in the number or frequency of requests we must fulfill.
· Right to request that we correct inaccurate Personal Data about you on our systems. If you become aware that the Personal Data that we hold about you is incorrect, or if your information changes, please inform us and we will update our records.
· Right to delete your Personal Data that we collected and retained, with certain exceptions.
· Right to request that we disclose information to you about our collection and use of your Personal Data, such as: (i) the categories of Personal Data we have collected about you; (ii) the categories of sources for the Personal Data we have collected about you; (iii) our business purpose for collecting, using, processing, sharing or selling that Personal Data, as applicable; (iv) the categories of third parties with whom we share that Personal Data; and (v) if we sold or shared your Personal Data under applicable laws, two separate lists stating: (A) sales or sharing, identifying the Personal Data categories that each category of recipient purchased; and (B) disclosures for a business purpose, identifying the Personal Data categories that each category of recipient obtained. Certain laws may limit the number or frequency of requests we must fulfill.
· You may have the right to opt out or limit our use of your sensitive Personal Data. MoneyWellth does not seek to collect sensitive Personal Data about any individual, and in no case do we disclose any sensitive Personal Data for inferring characteristics about you or otherwise use your sensitive Personal Data without your consent. If this ever changes in the future, we will update this Privacy Policy and provide you with methods to opt-out or limit our use and disclosure of sensitive Personal Data.
· We do not sell Personal Data or share it with third parties for cross-contextual advertising purposes, as defined by privacy laws.
· We do not process your Personal Data to evaluate, analyze, or predict your interests and preferences or otherwise use automated profiling to produce significant effects that concern you. If this changes in the future, we will update this Privacy Policy and provide you with a method to opt-out.
· We may collect and process health data as described in this Privacy Policy. We do not sell health data and we only disclose it to third parties as described above under Personal Data Disclosures. You can request more information, change your consent to processing, or request that we update or delete your Personal Data by contacting privacy@lenuxhealth.com.
· We will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; (iv) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (v) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.
· If you are a California resident, you may request certain disclosures regarding Personal Data sharing with affiliates and/or third parties for marketing purposes under the Shine the Light Act (Civil Code sections 1798.83-1798.84).
To exercise your rights under applicable privacy laws, please submit a privacy request to privacy@lenuxhealth.com. LENUX HEALTH IS CURRENTLY EXEMPT FROM CERTAIN U.S. STATE PRIVACY LAWS. We will respond to and fulfill your request to the extent required by applicable law.
Only you or someone legally authorized to act on your behalf may make a verifiable Privacy Request related to your Personal Data. You may also make a verifiable privacy request on behalf of your minor child. You may designate a third party to exercise your rights – an authorized agent – however we will require written proof of the authorization and potentially proof of your identity.
Canadian Privacy Rights
This section provides supplemental information in compliance with Canada’s Personal Data Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial laws. This section applies solely to residents of Canada where PIPEDA applies (“Canadian Consumers”). PIPEDA gives Canadian Consumers specific rights regarding Personal Data offering details on an identifiable person without the inclusion of name, title, telephone number, and business address of an employee of a business or organization. The following paragraphs describe PIPEDA rights and explain how to exercise those rights.
· Right to know why we collect, use, and distribute the Personal Data we process. We have set the required notices in this Privacy Policy. We may provide you with additional notices about other ways we process your Personal Data, such as by sending you a notice via email or by other means of communication.
· Right to expect us to collect, use, or disclose Personal Data responsibly and not for any other purpose other than which you consented. We set your expectations in this Privacy Policy and collect express or implied consent at various stages of collection or processing. If we collect or use your Personal Data based on your consent, we will also notify you of any changes and will request your further consent as needed. You may withdraw your consent at any time with reasonable notice by contacting us at privacy@lenuxhealth.com.
· Right to accuracy of your Personal Data. We take steps to reasonably ensure that your Personal Data we are using is accurate. In most cases, we rely on you to ensure that your information is current, complete, and accurate. We provide methods for you to correct, update, and delete inaccurate Personal Data in your account, and we will provide you with reasonable assistance to ensure that your Personal Data is accurate in our systems and with our service providers.
· Right to access your Personal Data. Upon written request and identity authentication, we will provide you with your Personal Data under our control, information about the ways in which that information is being used and a description of the individuals and organizations to whom that information has been disclosed. We will make the information available within 30 days or provide written notice where additional time is required to fulfil the request. If limited by law or potential infringement on another’s privacy rights, we may not be able to provide access to some or all of the Personal Data you request. If we must refuse an access request, we will notify you in writing, document the reasons for refusal, and outline further steps that are available to you.
For more information or to exercise a privacy right, please contact privacy@lenuxhealth.com. We will respond to and fulfill your request to the extent required by applicable law.
Owned and Operated in the United States
Lenux Health is a United States company using technical infrastructure in the United States and other countries. Lenux Health does not warrant that the Site is appropriate or authorized for use outside of the United States. If you access the Site from outside the United States, please be aware that your Personal Data may be transferred to, processed, stored, and used in the United States or other jurisdictions. When your information is moved from your home country to another country, the laws and rules that protect your Personal Data in the country to which your information is transferred may be different from those of the country where you live. For example, if your information is in the United States, it may be accessed by government authorities under United States law. You are solely responsible for determining whether your use of the Site complies with applicable laws. By allowing us to collect Personal Data about you, you consent to the transfer and processing of your Personal Data as described in this section.
Data Security
Lenux Health has implemented and maintains reasonable security measures to secure your Personal Data from accidental loss and unauthorized access, use, alteration, and disclosure. Our security measures are appropriate to the volume, scope, and nature of the Personal Data processed and designed to meet our duty of care with respect to your Personal Data.
Please note, however, that no transmission of data over the Internet or mobile platforms is 100% secure, and we cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Data for improper purposes. The security of your Personal Data also depends on how you use the Services. MoneyWellth encourages you to take steps to safeguard your Personal Data by signing off your device after use and keeping your login and password private. We are not responsible for any lost, stolen, or compromised passwords, or for any activity on your account via unauthorized activity.
Third-Party Platforms
The Site may include links to other online platforms. Lenux Health does not endorse and is not responsible for the information practices or privacy policies of any platforms that may be linked to or from our Site. If you decide to access a third party’s platforms that may be linked to or from our Site, you should consult that platform’s privacy policy to understand how the third party may use your data.
Updates
We may update this Privacy Policy from time to time. You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy. We will notify you about material changes to this Privacy Policy by email or by other measures that are appropriate to provide you with notice. We will collect your consent to these changes to the extent required by applicable law.