Last Updated November 10, 2017
At Castlight Health, Inc. (“Castlight”), our most important asset is our relationship with you. Castlight respects your privacy and takes Internet privacy very seriously.
This Privacy Statement only applies to https://us.castlighthealth.com/ (including its subpages) and our mobile app (Castlight Mobile), collectively, “Sites,” both of which are owned and operated by Castlight. This Privacy Statement describes how Castlight collects and uses the personal information on our Sites and when such information may be disclosed. It also describes the choices available to you regarding our use of your personal information and how you can access and update this information. You can at any time obtain the information about yourself and/or your dependents that you provided on our Sites.
If you have questions or complaints regarding this Privacy Statement or privacy practices, you can contact us at Castlight Health, Inc., 150 Spear Street, Suite 400, San Francisco, CA 94105, Attn: Chief Privacy Officer, firstname.lastname@example.org, or call us at (888) 722-0483.
A. Collection of Information
Because Castlight provides healthcare navigation services, we may ask you for the type of personal and medical information needed in order to provide our services. We will not sell, share or rent the information collected in the Castlight service to others in ways different from what is disclosed in this Privacy Statement. Castlight collects information about you from both you and others at several points in our service. You can always view the account identifying information you entered in Castlight voluntarily by accessing your account.
B. Information Collected
- Information Requests. If you wish to request more information about Castlight prior to registering, you are required to provide contact information such as your name and email address. It is optional for you to provide additional contact information (for example, health plan and physician). This information will be used by Castlight to contact you about our services.
- Communications. The purpose of Castlight is to provide you with the ability to understand, analyze and better organize your healthcare and related financial information. Certain communications (for example, emails and other communications with Castlight) are recorded and maintained by Castlight. Castlight considers these communications to be personal and private and will not use or disclose these communications except as provided for in this Privacy Statement, where required by law, or unless you agree to additional use and disclosure of such information.
- Provided Information. From time to time, your health plan (either directly or through its TPAs) may provide Castlight with, or Castlight may otherwise access and collect from such parties, healthcare financial information (which may include medical or other information contained in their medical records, patient files or bills) or other information about you. This may include sharing of information about you via integration between our service and certain systems used by you and by your health plan or its TPAs containing information about you. Your health plan or its TPAs may choose whether to provide and share this information, and they may require you to provide them with certain consents. Personal information from your health plan (either directly or through its TPAs) will only be used for the specific reason for which it was provided to us. In some cases, our ability to access and collect information from such systems may require additional information from you, such as your log-in information (for example, your username and password). Upon your provision of such information, you consent to Castlight using such information solely to log in to such systems to access and collect your information for use in accordance with this Privacy Statement. In your access and use of the Castlight service, you may also share information with Castlight (such as search terms or information regarding your health care provider) which we may retain and display in your account.
- Payor Information. Castlight may request financial information and relevant health plan or other payor information from you.
- Device and OS Version. When you download and use Castlight Mobile, we collect information on the type of device you use and operating system version.
- Log Files. As with most websites, Castlight automatically collects and stores in log files the Internet Protocol (IP) address of the computer you are using; the name of the domain and host from which you access the Internet; the browser software you use and your operating system; the date and time you access the service; and the Internet address of the website from which you directly linked to Castlight. We may combine this automatically collected log information with other information we collect about you. Castlight uses this log file information to analyze trends, administer the service, and monitor service traffic and usage patterns for internal security purposes and to help make the Castlight service more useful.
C. Viewing Your Information
- You can always view the account identifying information you entered in Castlight voluntarily by accessing your account.
- If another individual is viewing/managing your account with your permission (for example, a parent managing the account of her child), this person can view all your information entered in Castlight on your behalf.
D. Use and Disclosure of Your Information
Your information may also be used and disclosed as follows:
- Certain claims data may be used and disclosed in order to facilitate and coordinate your receipt of insurance benefits.
- To survey you in order to evaluate and improve the Castlight service. If you participate, we will request certain personal information from you. Participation in these surveys is completely voluntary and you therefore have a choice whether or not to disclose this information. The requested information typically includes contact information (such as name and shipping address) and demographic information (such as age). We use this information to improve the accuracy of the service and develop new products. We may use a third party service provider to conduct these surveys. We will not share the personal information you provide through a contest or survey with third parties unless we give you prior notice and choice.
- To operate the Castlight service and decide what services will meet our members’ needs.
- To provide information as required by law.
- To communicate back to you about customer service issues.
- To inform you about features of the Castlight service and its benefits.
- To use your health care provider and/or insurance plan information to customize your experience, or to show your health plan or its TPAs’ logos on Castlight web pages.
E. Disclosure of Information
- Compliance with Laws. Castlight will not disclose personal information (contact, health and/or billing) to third parties other than as provided for in this Privacy Statement, except when required to do so by law (such as to comply with a subpoena or similar legal process), or you have otherwise consented to additional use or disclosure of the information. We may also disclose your personal information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request, and if Castlight is involved in a merger, acquisition, or sale of all or a portion of its assets. You will be notified via email and/or a prominent notice on our Site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
- Business Partners. Castlight may work with business partners in making our services available to consumers. Our policy is to require companies with whom we do business to maintain privacy policies substantially similar to ours. When you sign up for our services, we will share information only as necessary for the third party to provide related services or assist us in providing our services, such as customer service and behavioral health related services. These parties are not allowed to use personal information except for the purpose of providing these services. Note that any disclosures to your health plan will be in strict compliance with the limitations imposed on disclosures of PHI to group health plans under the HIPAA Privacy Rule.
F. De-identified Information
On occasion, Castlight may make arrangements with certain customers or business partners to share certain de-identified aggregate information in order to assist such customers or business partners in evaluating patterns, utilization, usage and trends. Castlight may also share such information with you or other users of our service. This type of information may be based in part on information related to you, but does not allow for the personal identification of any individual (in other words, it is “patient de-identified”). This information will not be used by the customer or business partner for marketing and/or any purpose other than as set forth above.
- Castlight removes your identity from your personal information (contact, health and/or financial) and may work with it as anonymous (“de-identified”) information.
- De-identified individual information is information about a user presented in a form where information about one anonymous user would be indistinguishable from information relating to other anonymous users. De-identified individual information is not in a form that allows anyone studying the information to personally identify any user.
- Aggregate information is information that describes the habits, usage patterns and/or demographics of users as a group but does not reveal the identity of particular users. Your anonymous data is combined with the anonymous data of other Castlight users and becomes statistics. We may use aggregate information within Castlight to understand the needs of the Castlight user community and determine what kinds of programs and services we can offer you. Castlight could use this anonymous information to give potential users or business partners a picture of the Castlight community and services. Aggregate information may be provided or sold to third parties. Absolutely no personal identifying information is included in the aggregate reports; each individual remains anonymous.
G. Opting Out or Opting In to Specific Uses of Information
- Account Management. If your personal information changes or if you no longer desire our service, you may correct, update, amend, delete/remove, or ask to have it removed from a public forum, directory or testimonial on our Sites or deactivate it by making the change on our member information page or by emailing us at email@example.com or contacting us at (888) 722-0483. We will respond to your request to access within thirty (30) days.
- In certain situations, Castlight has no direct relationship with the individuals whose personal information it processes. An individual who seeks access, or who seeks to correct, update, amend, or delete inaccurate data should direct their query to Castlight’s customer (the data controller). If you have any questions regarding this, we will respond to requests within thirty (30) days.
- Medical Information. You have the ability to request the activation or deactivation of the authorization of an account manager at any time by notifying Castlight at firstname.lastname@example.org.
- Invitations. If you no longer wish to receive invitations to register for Castlight, you may so notify Castlight by contacting us at (888) 722-0483 or at email@example.com and we will cease sending such invitations to you.
- Updates and Castlight Service Marketing. Castlight may provide service updates, tips or education, or may promote the Castlight service to you to provide information about available benefits. You can expect to receive one to two communications per month from Castlight. You will be able to opt-out of any such communications at any time. To opt-out of Castlight email, please click the “unsubscribe” link in any such communication or communicate back to Castlight with the subject line “Unsubscribe” to firstname.lastname@example.org. To opt-out of any text messages from Castlight, please reply with “unsubscribe” in your message.
- You may opt-out of Castlight Mobile’s location based services at any time by editing your setting at the device level.
- Added Services. As we add services to the Castlight service that require the collection, use or disclosure of data other than as set forth in this Privacy Statement, we will offer users the option to opt-in or out of those services. If you wish to opt-out of these services, you may notify us at email@example.com.
H. Storage and Maintenance of Information
Castlight will store and maintain Personal Information (as defined below) and contact information in accordance with the requirements agreed to by Castlight and your health plan or its TPA even if you terminate employment with your current employer, unless you notify Castlight by contacting us at firstname.lastname@example.org or calling us at (888) 722-0483, that either: (i) you wish to have all or a portion of your Personal Information Removed (as defined below) from Castlight’s system; or (ii) you wish to have Castlight retain all or a portion of such information. We will also retain your information for as long as your account is active or as needed to provide you services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. For the purposes of this Privacy Statement, “Removed” shall mean that your data has been de-identified in accordance with the HIPAA Privacy Rule so the data is no longer associated with any identifier of you and cannot be re-identified in accordance with the HIPAA Privacy Rule. For more information on the specific requirements that Castlight and your health plan or its TPA agreed we would follow, you may contact us at (888) 722-0483 or at email@example.com or you may contact your health plan or its TPA. “Personal Information” shall mean your sensitive personal information, including but not limited to social security numbers, account numbers, protected health information (PHI), claim data, financial data, driver’s license number, date of birth, prescription-related information, next of kin contact information and passwords, but shall exclude Contact Data. “Contact Data” shall mean your name and email address and electronic communications between you and Castlight (such as ask Castlight inquiries and emails). 
Castlight shall not sell or disclose Personal Information or Contact Data to any unrelated third party other than disclosures to you and your health plan or its TPA or as may be required in connection with our business operations. Note that any disclosures to your health plan will be in strict compliance with the limitations imposed on disclosures of PHI to group health plans under the HIPAA Privacy Rule.
The security of your personal information is important to us. All communication between you and the Castlight server is secured using TLS v1.2. Castlight takes commercially reasonable measures to secure your personal information (such as social security number) on our servers. The data center we use is both physically and electronically secured. Our Internet servers are protected behind a firewall, a hardware and software system that blocks access by unauthorized parties. For more information, please refer to Castlight’s Security Statement.
We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet or method of electronic storage is 100% secure and we cannot guarantee its absolute security. If you have any questions about security on our Sites, you can contact us at firstname.lastname@example.org.
J. Tracking Technologies
Castlight and our partners (including digital advertising partners such as Facebook and Google), affiliates, and analytics or service providers (such as video hosting providers) use technologies such as cookies, beacons, tags, scripts and other storage technologies to collect or receive information. These technologies (such as Google Analytics) are used to analyze trends, provide measurement services, administer our Sites, track users’ movements around our Sites and elsewhere on the internet, market our services (including via targeted remarketing ads), and gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
We use Local Storage Objects (LSOs) such as HTML5 to store content information and preferences. Third parties with whom we partner to provide certain features on our Sites or to display advertising based upon your web browsing activity use LSOs such as HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.
We use mobile analytics software to allow us to better understand the functionality of Castlight Mobile on your phone. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage and performance data, and where the application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within Castlight Mobile.
- Protection of Privacy. In order to protect your privacy, never share your sign-in name or password and always log out of Castlight when you are finished using the service.
- Questions. If you have any questions about this Privacy Statement or the use of your information via Castlight, please contact us at email@example.com.
L. Changes to the Privacy Statement
Castlight will only use your personal information in the manner described in the Privacy Statement in effect when we collected the information from you. However, we reserve the right to change the terms of this Privacy Statement at any time by posting those changes on our service so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personal health information in a manner different from that stated at the time it was collected, or if we make any material changes, we will notify users by email or at the time the user logs in prior to the change becoming effective. You will be notified and be given the opportunity to opt-out of any additional uses or disclosures of your personal health information that you made available to us prior to any such change in our Privacy Statement. In addition, we recommend that you check for updates to this Privacy Statement from time to time.
M. EU-U.S./EU-Swiss Privacy Shield
Castlight participates in and has certified its compliance with the EU-U.S. and Swiss-EU Privacy Shield Framework. Castlight is committed to subjecting all personal data received from European Union (EU) member countries or Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.
Castlight is responsible for the processing of personal data it receives under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Castlight complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Castlight is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Castlight may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) here.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.