Last Updated July 10, 2015
At Castlight Health, Inc. (“Castlight”), our most important asset is our relationship with you. Castlight respects your privacy and takes Internet privacy very seriously. In this Privacy Statement, we would like to tell you what personal data we collect, what we use it for and when it may be disclosed. You can obtain information about yourself and/or your dependents that you provide at any time on our website.
This Privacy Statement applies to https://us.castlighthealth.com/ owned and operated by Castlight Health. This Privacy Statement describes how Castlight collects and uses the personal information you provide on our websites. It also describes the choices available to you regarding our use of your personal information and how you can access and update this information.
Castlight has received TRUSTe’s Privacy Seal signifying that this Privacy Statement and our practices have been reviewed for compliance with the TRUSTe program viewable on the validation page available by clicking the TRUSTe seal. The TRUSTe program covers only information that is collected through this Web site.
If you have questions or complaints regarding our Privacy Statement or practices, please contact us at Castlight Health, Inc., Two Rincon Center 121 Spear Street, Suite 300, San Francisco, CA 94105, Attn: Chief Privacy Officer or firstname.lastname@example.org or call us at (888) 226-8021. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact TRUSTe here.
A. Collection of Information
Because Castlight provides a service for evaluating your healthcare and healthcare bills, we ask you for the sort of personal and medical information needed in order to make such evaluations. We will not sell, share or rent this information that is collected in the Castlight service to others in ways different than from what is disclosed in this Statement. Castlight collects information about you from both you and others at several points in our service.
B. Information Collected
- Information Requests. If you wish to request more information about Castlight prior to registering, you are required to provide contact information (for example, name and e-mail address). It is optional for you to provide additional contact information (for example, health plan and physician). This information will be used by Castlight to contact you about our services.
- Communications. The purpose of Castlight is to provide you with the ability to understand, analyze and better organize your healthcare and related financial information. Certain communications (for example, e-mails and other communications with Castlight) are recorded and maintained by Castlight. Castlight considers these communications to be personal and private and will not use or disclose these communications except as provided for in this Privacy Statement, where required by law, or unless you agree to additional use and disclosure of such information.
- Provided Information. From time to time, your health plan (either directly or through its TPAs) may provide Castlight with, or Castlight may otherwise access and collect from such parties, healthcare financial information (which may include medical or other information contained in their medical records, patient files or bills) or other information about you. This may include sharing of information about you via integration between our service and certain systems used by you and by your health plan or its TPAs containing information about you. The provision and sharing of this information is optional by your health plan or its TPAs and they may require you to provide them with certain consents. In some cases, our ability to access and collect information from such systems may require additional information from you, such as your log-in information (for example, your user ID and password). Upon your provision of such information, you consent to Castlight using such information solely to log in to such systems to access and collect your information for use in accordance with this Privacy Statement.
- Payor Information. Castlight requests financial information and any relevant health plan or other payor information from you.
- Log Files. As is true of most websites, Castlight automatically collects and stores in log files the Internet Protocol (IP) address of the computer you are using; the name of the domain and host from which you access the Internet; the browser software you use and your operating system; the date and time you access the service; and the Internet address of the Web site from which you directly linked to Castlight. We may combine this automatically collected log information with other information we collect about you. Castlight uses this log file information to analyze trends, administer the service, and monitor service traffic and usage patterns for internal security purposes and to help make the Castlight service more useful.
C. Use And Disclosure of Your Information
In addition to the uses and disclosures of information outlined above, your information may also be used and disclosed as follows:
- You can always view the account identifying information you entered in Castlight voluntarily by accessing your account.
- If another individual is viewing/managing your account with your permission (for example, mother managing account of her child), this person can view all your information entered in Castlight on your behalf.
- Supply certain claims data in order to facilitate and coordinate your receipt of certain insurance benefits.
- Survey you to evaluate and improve the Castlight service. If you participate, we will request certain personal information from you. Participation in these surveys is completely voluntary and you therefore have a choice whether or not to disclose this information. The requested information typically includes contact information (such as name and shipping address), and demographic information (such as age). We use this information to improve the service accuracy and develop new products.
- We may use a third party service provider to conduct these surveys. We will not share the personal information you provide through a contest or survey with other third parties unless we give you prior notice and choice.
- Operate the Castlight service and decide what services will meet our members’ needs.
- Provide information as required by law.
- Communicate back to you about customer service issues.
- Update you on service and Castlight benefits.
- Use your provider and/or insurance plan information to customize your experience, or to show your health plan or its TPAs logos on Castlight web pages.
D. Disclosure of Information
- Compliance with Laws. Castlight will not disclose personal information (contact, health and/or billing) to third parties other than as provided for in this Privacy Statement, except when required to do so by law such as to comply with a subpoena or similar legal process, or you have otherwise consented to additional use or disclosure of the information. We may also disclose your personal information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request, and if Castlight is involved in a merger, acquisition, or sale of all or a portion of its assets. You will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
- Business Partners. Castlight may work with business partners in making our services available to consumers. Our policy is to require companies with whom we do business to support the same privacy policies we do. When you sign up for these services, we will share information only as necessary for the third party to provide related services or assist us in providing our services such as offering customer service, and behavioral health related services. These parties are not allowed to use personal information except for the purpose of providing these services. Note that any disclosures to your health plan will be in strict compliance with the limitations imposed on disclosures of PHI to group health plans under the HIPAA Privacy Rule.
E. De-identified Information
On occasion, Castlight may make arrangements with certain customers or business partners to share certain de-identified aggregate pattern information in order to assist such customers or business partners improve their service (such as evaluating patterns, utilization, usage and trends). Castlight may also share such information with you or other users of our service. This type of information may be based in part on information related to you, but does not allow for the personal identification of any individual (in other words, it is “patient de-identified”). This information will not be used by the customer or business partner for marketing and/or any purpose other than as set forth above.
- Castlight removes your identity from your personal information (contact, health and/or financial) and may work with it as anonymous (“de-identified”) information.
- De-identified individual information is information about a user presented in a form where information about one anonymous user would be indistinguishable from information relating to other anonymous users. De-identified individual information is not in a form that allows anyone studying the information to personally identify any user.
- Aggregate information is information that describes the habits, usage patterns and/or demographics of users as a group but does not reveal the identity of particular users. Your anonymous data is combined with the anonymous data of other Castlight users and becomes statistics. We may use aggregate information within Castlight to understand the needs of the Castlight user community and determine what kinds of programs and services we can offer to you. Castlight could use this anonymous information to give potential users or business partners a picture of the Castlight community and services. Aggregate information may be provided or sold to third parties. Absolutely no personal identifying information is included in the aggregate reports; each individual remains anonymous.
F. Opting Out or Opting In to Specific Uses Of Information
- Account Management. If your personal information changes, or if you no longer desire our service, you may correct, update, amend, delete/remove, or ask to have it removed from a public forum, directory or testimonial on our site or deactivate it by making the change on our member information page or by emailing us at privacy@CastlightHealth.com or contacting us at (888) 226-8021. We will respond to your request to access within thirty (30) days.
- Medical Information. You have the ability to request the activation or deactivation of the authorization of an account manager at any time by notifying Castlight at privacy@CastlightHealth.com.
- Invitations. If you no longer wish to receive invitations to register for Castlight, you may so notify Castlight by contacting us at (888) 226-8021 or at privacy@CastlightHealth.com and we will cease sending such invitations to you.
- Email Updates and Castlight Service Marketing. Castlight may provide service updates, tips or education, or may market the Castlight service to you. Out of respect for your privacy, you will be able to opt-out of any such email communications at any time. You can expect to receive one to two emails per month from Castlight. To opt out of Castlight email, please click the “unsubscribe” link at the bottom of any email or send an email with the subject line “Unsubscribe” to support@CastlightHealth.com.
- Added Services. As we add services to the Castlight service that require the collection, use or disclosure of data other than as set forth in this Privacy Statement, we will offer users the option to opt in or out of those services. If you wish to opt out of these services, you may notify us at privacy@CastlightHealth.com.
G. Storage and Maintenance of Information
Castlight will store and maintain Personal Information (as defined below) and Contact information in accordance with the requirements agreed to by Castlight and your health plan or its TPA even if you terminate employment with your current employer, unless you notify Castlight by contacting us at privacy@CastlightHealth.com or calling us at (888) 226-8021, that either: (i) you wish to have all or a portion of your Personal Information Removed (as defined below) from Castlight’s system; or (ii) you wish to have Castlight retain all or a portion of such information. We will also retain your information for as long as your account is active or as needed to provide you services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. For the purposes of this Privacy Statement, “Removed” shall mean that your data has been de-identified in accordance with the HIPAA Privacy Rule so the data is no longer associated with any identifier of you and cannot be re-identified in accordance with the HIPAA Privacy Rule. For more information on the specific requirements that Castlight and your health plan or its TPA agreed we would follow, you may contact us at (888) 226-8021 or at privacy@CastlightHealth.com or you may contact your health plan or its TPA. Personal Information shall mean your sensitive personal information, including but not limited to social security numbers, account numbers, protected health information (PHI), claim data, financial data, driver’s license number, date of birth, prescription-related information, next of kin contact information and passwords, but shall exclude Contact Data. “Contact Data” shall mean your name and email address and electronic communications between you and Castlight (such as ask Castlight inquiries and emails). Castlight shall not sell or disclose Personal Data or Contact Data to any unrelated third party other than disclosures to you and your health plan or its TPA or as may be required in connection with our business operations. Note that any disclosures to your health plan will be in strict compliance with the limitations imposed on disclosures of PHI to group health plans under the HIPAA Privacy Rule.
The security of your personal information is important to us. All communication between you and the Castlight server is secured by using TLS v1.2. Castlight takes commercially reasonable measures to secure your personal information such as Social Security Number on our servers. The data center we use is both physically and electronically secured. Our internet servers are protected on the internet behind a firewall which is a hardware and software system that blocks access by unauthorized parties. For more information, please refer to Castlight’s Security Statement.
We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our Web site, you can contact us at privacy@CastlightHealth.com.
I. Tracking Technologies
Technologies such as: cookies, beacons, tags and scripts are used by Castlight Health, Inc. and our partners (such as marketing partners) affiliates, or analytics or service providers (such as video hosting providers). These technologies are used in analyzing trends, administering the site, tracking users’ movements around the site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
We use Local Storage Objects (LSOs) such as HTML5 to store content information and preferences. Third parties with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity use LSOs such as HTML 5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.
- Protection of Privacy. In order to protect your privacy, never share your sign-in name or password and always log out of Castlight when you are finished using the service.
- Questions. If you have any questions about this Privacy Statement or the use of your information via Castlight, please contact us at privacy@CastlightHealth.com.
K. Changes to Privacy Statement
Castlight will only use your personal information in the manner described in the Privacy Statement in effect when we collected the information from you. However, we reserve the right to change the terms of this Privacy Statement at any time by posting those changes on our service so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point, we decide to use personal health information in a manner different from that stated at the time it was collected or if we make any material changes, we will notify users by email or at the time the user logs in prior to the change becoming effective. You will be notified and be given the opportunity to opt-out for any additional uses or disclosures of your personal health information that you made available to us prior to any such change in our Privacy Statement. In addition, we urge you to check here for any updates to this Privacy Statement from time to time.