
Castlight Health Privacy Policy


Last Updated November 10, 2017

At Castlight Health, Inc. (“Castlight”), our most important asset is our relationship with you. Castlight respects your privacy and takes Internet privacy very seriously.

By accepting Castlight’s Terms of Use (which incorporates this Privacy Statement by reference), you are also agreeing to the terms and conditions of this Privacy Statement, including consenting to the use and disclosure of certain information, including personal information provided to us as outlined in this Privacy Statement.

This Privacy Statement only applies to https://us.castlighthealth.com/ (including its subpages) and our mobile app (Castlight Mobile), collectively, “Sites,” both of which are owned and operated by Castlight. This Privacy Statement describes how Castlight collects and uses the personal information on our Sites and when such information may be disclosed. It also describes the choices available to you regarding our use of your personal information and how you can access and update this information. You can obtain information about yourself and/or your dependents that you provide at any time on our Sites.

If you have questions or complaints regarding this Privacy Statement or privacy practices, you can contact us at Castlight Health, Inc., 150 Spear Street, Suite 400, San Francisco, CA 94105, Attn: Chief Privacy Officer, privacy@castlighthealth.com, or call us at (888) 722-0483.

A. Collection of Information

Because Castlight provides healthcare navigation services, we may ask you for the type of personal and medical information needed in order to provide our services. We will not sell, share or rent this information that is collected in the Castlight service to others in ways different from what is disclosed in this Privacy Statement. Castlight collects information about you from both you and others at several points in our service. You can always view the account identifying information you entered in Castlight voluntarily by accessing your account.

B. Information Collected

  • Information Requests. If you wish to request more information about Castlight prior to registering, you are required to provide contact information such as your name and email address. It is optional for you to provide additional contact information (for example, health plan and physician). This information will be used by Castlight to contact you about our services.
  • Pre-Registration. You may be pre-registered for Castlight by your health plan or its third party administrator, which may include administrators for medical, dental, pharmacy, and behavioral health services (“TPAs”). The pre-registration process requires the collection of contact information about you (for example, name and email address). Your health plan may provide (or may have its TPAs provide) additional information such as your social security number (SSN), employee ID number, or another unique identifier. This information is used by Castlight to securely verify your identity to set up your Castlight account. In order to complete registration to use Castlight, you will be asked to agree to Castlight’s Terms of Use. You may request not to receive information from Castlight at any time.
  • Registration. We require the collection of certain contact information as part of the registration process (for example, name, email address, home zip code, birth date, some of which may be provided by your health plan or its TPAs to Castlight). You may provide additional contact information (for example, health plan, health plan subscriber ID number, physician name and contact information, email address, home phone number, and home address). We encourage you to provide this information in order to enable optimal use of our service. In many cases, you will be asked to enter this contact information directly. In other cases, that information may be pre-filled if we have already received such information from your health plan (either directly or through its TPAs). In circumstances where the information has been received from your health plan (either directly or through its TPAs), you will be asked to agree to Castlight’s Terms of Use before being able to use Castlight (and, since the Terms of Use incorporates by reference this Privacy Statement, you are also agreeing to this Privacy Statement). If you arrive at Castlight directly, the registration process requires you to choose a unique identifier (for example, username and password) for your account. If you arrive at Castlight through a customer or business partner website, such website may provide a unique identifier that confirms to Castlight that you are an authorized member from such customer or business partner website. You will be asked to agree to Castlight’s Terms of Use before being able to use Castlight.
  • Communications. The purpose of Castlight is to provide you with the ability to understand, analyze and better organize your healthcare and related financial information. Certain communications (for example, emails and other communications with Castlight) are recorded and maintained by Castlight. Castlight considers these communications to be personal and private and will not use or disclose these communications except as provided for in this Privacy Statement, where required by law, or unless you agree to additional use and disclosure of such information.
  • Provided Information. From time to time, your health plan (either directly or through its TPAs) may provide Castlight with, or Castlight may otherwise access and collect from such parties, healthcare financial information (which may include medical or other information contained in their medical records, patient files or bills) or other information about you. This may include sharing of information about you via integration between our service and certain systems used by you and by your health plan or its TPAs containing information about you. The provision and sharing of this information is optional by your health plan or its TPAs and they may require you to provide them with certain consents. Personal information from your health plan (either directly or through its TPAs) will only be used for the specific reason for which it was provided to us. In some cases, our ability to access and collect information from such systems may require additional information from you, such as your log-in information (for example, your username and password). Upon your provision of such information, you consent to Castlight using such information solely to log in to such systems to access and collect your information for use in accordance with this Privacy Statement. In your access and use of the Castlight service, you may also share information with Castlight (such as search terms or information regarding your health care provider) which we may retain and display in your account.
  • Payor Information. Castlight may request financial information and relevant health plan or other payor information from you.
  • Device and OS Version. When you download and use Castlight Mobile, we collect information on the type of device you use and operating system version.
  • Log Files. As with most websites, Castlight automatically collects and stores in log files the Internet Protocol (IP) address of the computer you are using; the name of the domain and host from which you access the Internet; the browser software you use and your operating system; the date and time you access the service; and the Internet address of the website from which you directly linked to Castlight. We may combine this automatically collected log information with other information we collect about you. Castlight uses this log file information to analyze trends, administer the service, and monitor service traffic and usage patterns for internal security purposes and to help make the Castlight service more useful.

C. Viewing Your Information

  • You can always view the account identifying information you entered in Castlight voluntarily by accessing your account.
  • If another individual is viewing/managing your account with your permission (for example, parent managing account of her child), this person can view all your information entered in Castlight on your behalf.

D. Use and Disclosure of Your Information

Your information may also be used and disclosed as follows:

  • Certain claims data may be used and disclosed in order to facilitate and coordinate your receipt of insurance benefits.

  • To survey you in order to evaluate and improve the Castlight service. If you participate, we will request certain personal information from you. Participation in these surveys is completely voluntary and you therefore have a choice whether or not to disclose this information. The requested information typically includes contact information (such as name and shipping address) and demographic information (such as age). We use this information to improve the service accuracy and develop new products. We may use a third party service provider to conduct these surveys. We will not share the personal information you provide through a contest or survey with third parties unless we give you prior notice and choice.
  • To operate the Castlight service and decide what services will meet our members’ needs.
  • To provide information as required by law.
  • To communicate back to you about customer service issues.
  • To inform you about features of the Castlight service and its benefits.
  • To use your health care provider and/or insurance plan information to customize your experience, or to show your health plan or its TPAs’ logos on Castlight web pages.
  • We may collect your location-based information for the purpose of enforcing Castlight’s Terms of Use and to provide the Castlight service.

E. Disclosure of Information

  • Compliance with Laws. Castlight will not disclose personal information (contact, health and/or billing) to third parties other than as provided for in this Privacy Statement, except when required to do so by law (such as to comply with a subpoena or similar legal process), or you have otherwise consented to additional use or disclosure of the information. We may also disclose your personal information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request, and if Castlight is involved in a merger, acquisition, or sale of all or a portion of its assets. You will be notified via email and/or a prominent notice on our Site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
  • Business Partners. Castlight may work with business partners in making our services available to consumers. Our policy is to require companies with whom we do business to support privacy policies substantially similar to ours. When you sign up for our services, we will share information only as necessary for the third party to provide related services or assist us in providing our services, such as offering customer service and behavioral health related services. These parties are not allowed to use personal information except for the purpose of providing these services. Note that any disclosures to your health plan will be in strict compliance with the limitations imposed on disclosures of PHI to group health plans under the HIPAA Privacy Rule.
  • Third Party Websites. If you use Castlight to link to another website, you may decide to disclose personal information at that website. For example, you might provide your contact information to obtain an information packet from an organization. Please be aware that in contacting that website, or in providing information on that website, that third party may obtain personal information about you. This Privacy Statement does not apply when you leave Castlight and go to a third party website from Castlight. We structure the Castlight service so that no personal or health information goes in the search string or URL when you move from the Castlight service to a linked website. We encourage you to be aware when you leave our service and to read the privacy policy of each and every website that collects personal information.

F. De-identified Information

On occasion, Castlight may make arrangements with certain customers or business partners to share certain de-identified aggregate information in order to assist such customers or business partners in evaluating patterns, utilization, usage and trends. Castlight may also share such information with you or other users of our service. This type of information may be based in part on information related to you, but does not allow for the personal identification of any individual (in other words, it is “patient de-identified”). This information will not be used by the customer or business partner for marketing and/or any purpose other than as set forth above.

  • Castlight removes your identity from your personal information (contact, health and/or financial) and may work with it as anonymous (“de-identified”) information.
  • De-identified individual information is information about a user presented in a form where information about one anonymous user would be indistinguishable from information relating to other anonymous users. De-identified individual information is not in a form that allows anyone studying the information to personally identify any user.
  • Aggregate information is information that describes the habits, usage patterns and/or demographics of users as a group but does not reveal the identity of particular users. Your anonymous data is combined with the anonymous data of other Castlight users and becomes statistics. We may use aggregate information within Castlight to understand the needs of the Castlight user community and determine what kinds of programs and services we can offer you. Castlight could use this anonymous information to give potential users or business partners a picture of the Castlight community and services. Aggregate information may be provided or sold to third parties. Absolutely no personal identifying information is included in the aggregate reports; each individual remains anonymous.
  • Locator information is your name, email, physical address, and/or other data that enables someone to personally identify you. Castlight and your Internet Access Provider may use Locator information as is necessary to enforce any of the terms of the Castlight Terms of Use.

G. Opting Out or Opting In to Specific Uses Of Information

  • Account Management. If your personal information changes or if you no longer desire our service, you may correct, update, amend, delete/remove, or ask to have it removed from a public forum, directory or testimonial on our Sites or deactivate it by making the change on our member information page or by emailing us at privacy@castlighthealth.com or contacting us at (888) 722-0483. We will respond to your request to access within thirty (30) days.
  • In certain situations, Castlight has no direct relationship with the individuals whose personal information it processes. An individual who seeks access, or who seeks to correct, update, amend, or delete inaccurate data should direct their query to Castlight’s customer (the data controller). If you have any questions regarding this, we will respond to requests within thirty (30) days.
  • Medical Information. You have the ability to request the activation or deactivation of the authorization of an account manager at any time by notifying Castlight at privacy@castlighthealth.com.
  • Invitations. If you no longer wish to receive invitations to register for Castlight, you may so notify Castlight by contacting us at (888) 722-0483 or at privacy@castlighthealth.com and we will cease sending such invitations to you.
  • Updates and Castlight Service Marketing. Castlight may provide service updates, tips or education, or may promote the Castlight service to you to provide information about available benefits. You can expect to receive one to two communications per month from Castlight. You will be able to opt-out of any such communications at any time. To opt-out of Castlight email, please click the “unsubscribe” link in any such communication or communicate back to Castlight with the subject line “Unsubscribe” to support@castlighthealth.com. To opt-out of any text messages from Castlight, please reply with “unsubscribe” in your message.
  • You may opt-out of Castlight Mobile’s location based services at any time by editing your setting at the device level.
  • Added Services. As we add services to the Castlight service that require the collection, use or disclosure of data other than as set forth in this Privacy Statement, we will offer users the option to opt-in or out of those services. If you wish to opt-out of these services, you may notify us at privacy@castlighthealth.com.

H. Storage and Maintenance of Information

Castlight will store and maintain Personal Information (as defined below) and contact information in accordance with the requirements agreed to by Castlight and your health plan or its TPA even if you terminate employment with your current employer, unless you notify Castlight by contacting us at privacy@castlighthealth.com or calling us at (888) 722-0483, that either: (i) you wish to have all or a portion of your Personal Information Removed (as defined below) from Castlight’s system; or (ii) you wish to have Castlight retain all or a portion of such information. We will also retain your information for as long as your account is active or as needed to provide you services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. For the purposes of this Privacy Statement, “Removed” shall mean that your data has been de-identified in accordance with the HIPAA Privacy Rule so the data is no longer associated with any identifier of you and cannot be re-identified in accordance with the HIPAA Privacy Rule. For more information on the specific requirements that Castlight and your health plan or its TPA agreed we would follow, you may contact us at (888) 722-0483 or at privacy@castlighthealth.com or you may contact your health plan or its TPA. “Personal Information” shall mean your sensitive personal information, including but not limited to social security numbers, account numbers, protected health information (PHI), claim data, financial data, driver’s license number, date of birth, prescription-related information, next of kin contact information and passwords, but shall exclude Contact Data. “Contact Data” shall mean your name and email address and electronic communications between you and Castlight (such as ask Castlight inquiries and emails). 
Castlight shall not sell or disclose Personal Information or Contact Data to any unrelated third party other than disclosures to you and your health plan or its TPA or as may be required in connection with our business operations. Note that any disclosures to your health plan will be in strict compliance with the limitations imposed on disclosures of PHI to group health plans under the HIPAA Privacy Rule.

I. Security

The security of your personal information is important to us. All communication between you and the Castlight server is secured by using TLS v1.2. Castlight takes commercially reasonable measures to secure your personal information (such as social security number) on our servers. The data center we use is both physically and electronically secured. Our internet servers are protected on the internet behind a firewall which is a hardware and software system that blocks access by unauthorized parties. For more information, please refer to Castlight’s Security Statement.

We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet or method of electronic storage is 100% secure and we cannot guarantee its absolute security. If you have any questions about security on our Sites, you can contact us at privacy@castlighthealth.com.

J. Tracking Technologies

Technologies such as cookies, beacons, tags, scripts and other storage technologies are used by Castlight and our partners (including digital advertising partners such as Facebook and Google), affiliates, or analytics or service providers (such as video hosting providers) to collect or receive information. These technologies (such as Google Analytics) are used in analyzing trends, providing measurement services, administering our Sites, tracking users’ movements around our Sites and elsewhere on the internet, marketing our services (including via targeted remarketing ads), and gathering demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our Sites, but your ability to use some features or areas of our Sites may be limited. You may opt-out of our partners’ use of cookies by exercising your choice here and here. Additionally, you can find out more about how Google uses data here. Our third party partners may use cookies or similar technologies in order to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest based advertising click here. Please note you will continue to receive generic ads.

We use Local Storage Objects (LSOs) such as HTML5 to store content information and preferences. Third parties with whom we partner to provide certain features on our Sites or to display advertising based upon your web browsing activity use LSOs such as HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.

We use mobile analytics software to allow us to better understand the functionality of Castlight Mobile on your phone. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage and performance data, and where the application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within Castlight Mobile.

K. Miscellaneous

  • Protection of Privacy. In order to protect your privacy, never share your sign-in name or password and always log out of Castlight when you are finished using the service.
  • Questions. If you have any questions about this Privacy Statement or the use of your information via Castlight, please contact us at privacy@castlighthealth.com.

L. Changes to the Privacy Statement

Castlight will only use your personal information in the manner described in the Privacy Statement in effect when we collected the information from you. However, we reserve the right to change the terms of this Privacy Statement at any time by posting those changes on our service so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personal health information in a manner different from that stated at the time it was collected, or if we make any material changes, we will notify users by email or at the time the user logs in prior to the change becoming effective. You will be notified and be given the opportunity to opt-out for any additional uses or disclosures of your personal health information that you made available to us prior to any such change in our Privacy Statement. In addition, from time to time, we recommend that you check for any updates to this Privacy Statement.

M. EU-U.S./EU-Swiss Privacy Shield

Castlight participates in and has certified its compliance with the EU-U.S. and Swiss-EU Privacy Shield Framework. Castlight is committed to subjecting all personal data received from European Union (EU) member countries or Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.

Castlight is responsible for the processing of personal data it receives under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Castlight complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Castlight is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Castlight may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) here.

Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.