Published Date: January 1, 2021

Effective Date: January 31, 2021

INTRODUCTION

This Privacy Policy (this “Privacy Policy”) explains how b.well Connected Health, Inc. (“b.well”, “we”, “us” or “our”) collects, creates, uses, processes and shares personally identifiable information in any b.well-branded website, mobile application or interactive feature that links to this Privacy Policy, including our https://www.icanbwell.com website, the b.well mobile app and related services (collectively, “Services”).  The b.well Terms of Service (“Terms”) include defined terms that we use in this Privacy Policy.  While the Privacy Policy is a separate document, it should be read as part of the Terms.  Conflicts or inconsistencies between this Privacy Policy and the Terms will be interpreted with precedence given to the Privacy Policy with respect to its subject matter.

We may provide additional privacy notices that supplement or amend the disclosures contained in this Privacy Policy.  These notices are presented in the application, and maintained under Additional Privacy Notices.

We encourage you to read this Privacy Policy from top to bottom, or to use the following links to read specific sections. We’ve included easy-to-read takeaways at the top of each section.  Please take care not to rely on the section headings or takeaways:  they are intended for reference and convenience only.  They are not considered in how this Privacy Policy is to be interpreted.

 

1.  DATA

A. CATEGORIES OF DATA WE COLLECT

Takeaway: What types of data does b.well collect?

b.well collects different types of data which are explained in detail here, and presented in a chart too.  An important category of data is Health Data.  We define this to include any data linked to your b.well account that relates to the health status, the use of health care services, or the payment for health care by you or by others in your family.

We collect the Personal Data described more fully below.  Personal Data means any information that can be used to identify you or a member of your family or household.  We also use Personal Data to create Non-Personal Data for limited purposes, also defined below.  Non-Personal Data means information that does not identify you or members of your family or household personally. 

Personal Data includes any data from whatever source that is linked to your b.well account and relates to the health status, the use of health care services or the payment for health care by you or by others in your family (“Health Data”). 

All other Personal Data (“Other Personal Data”) contains information that is linked to your b.well account, but does not contain Health Data.  Examples of Other Personal Data include: the information we use to authenticate your identity and authorize your access to your Personal Data (“Account Information”); and content we receive from or about you that is unrelated to Health Data but which is associated to your Account (“User Content”).  User Content includes self-reported data (“Self-Reported Data”), account credentials for patient portals and other third party applications that you connect to your b.well account.  It also includes machine identifiers that we collect with tracking technologies (“Usage Data”).  For more information about Usage Data, see our Cookie Policy.

Non-Personal Data takes different forms.  It may be aggregated and summarized for reporting purposes (“Summarized Data”).  If not aggregated, it may be stripped of personal identifiers and replaced by a pseudonym that does not include any individually identifiable data (“De-Identified Data”).  For some purposes, b.well retains control of the secret that allows it to re-associate De-Identified Data.  In those cases, the De-Identified Data is called Pseudonymized Data.  When we and nobody else has access to the secret for re-associating De-Identified Data with your identity, we call that De-Identified Data “Anonymized Data”.

The following chart summarizes the foregoing discussion, and presents examples with sources of these different categories of Personal Data and Non-Personal Data.

Personal Data (Sources / Examples)

Health Data:

●      Data originating from the employer-sponsored plans, health systems or health plans that pay for your access to a b.well user account (“Enterprise Sponsors”)

●      Data from your health care providers or health plans

●      Medicare claims data or Veterans Administration medical records data

●      User Content that contains Health Data

●      Health Data from connected health applications, devices or services

Protected Health Information (PHI): A subset of Health Data, PHI is Personal Data in your b.well account that originates with your Enterprise Sponsor, or which you choose to share with your Enterprise Sponsor.  To learn more, read Enterprise Sponsors and b.well’s HIPAA Responsibilities and Granting Permissions for Others to Access Your Health Data → Enterprise Sponsors.

Other Personal Data

Account Information: name, login credentials, contact information

User Content:

●      User Content that does not contain Health Data (related to your use of the app, for example)

●      Other types of user-reported data, if it does not contain Health Data

●      Account credentials that you give us to collect your Health Data from patient portals, plan member portals or connected health applications

●      Data unrelated to Health Data from other connected health applications, devices or services (e.g. authentication tokens)

●      Usage Data from Tracking Technologies, including those described in our Cookies Policy

Non-Personal Data (Sources)

Summarized Data: Summary-level statistics derived from the Personal Data of multiple b.well user accounts

De-Identified Data (Anonymized or Pseudonymized Data): Non-Personal Data created from the Personal Data of one or more b.well user accounts.

B. HOW B.WELL COLLECTS PERSONAL DATA 

Takeaway: How does b.well collect my Personal Data?

We collect data from the organization that gave you access to your b.well account. We also help you collect it from the health plans, health care providers, and websites that you choose.  You can even ask us to collect data from the consumer health apps you use, so all your Health Data is in one place.

 

We collect Personal Data – including your Health Data – from a variety of sources, including:


C. ENTERPRISE SPONSORS AND B.WELL’S HIPAA RESPONSIBILITIES

Takeaway: How do I know my Health Data is kept safe?

Protecting your privacy and the security of your Health Data is one of our most important responsibilities.  We follow privacy and security standards that are at least as strict as what your health care providers and health plans must follow under the Health Insurance Portability and Accountability Act (“HIPAA”).

Your b.well account and our Services may be paid for by an “Enterprise Sponsor” or “Sponsor”.  Your Sponsor may be a health care provider, a health plan or an employer that sponsors a group benefit plan in which you participate.  These sponsors are required to protect any and all Health Data that identifies you personally as “Protected Health Information” (“PHI”) under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”).   This includes PHI that they contribute to your b.well account, and Health Data from other sources that you choose to share with them.   As their “HIPAA business associate”, b.well is legally and contractually bound to implement measures that safeguard all your Personal Data and to maintain data practices that are at least as stringent as requirements specified by HIPAA, all other applicable laws and your Sponsor’s HIPAA Notice of Privacy Practices. 

If you do not know who your Sponsor is or would like to receive a copy of your Sponsor’s HIPAA Notice of Privacy Practices, please contact b.well Support through the application or by emailing us at [email protected]


D. GRANTING PERMISSIONS FOR OTHERS TO ACCESS YOUR HEALTH DATA

Takeaway: How do I decide to share my Health Data with others?

The app includes tools that let you set permissions for sharing your Health Data with others that you trust.  When you set these permissions, you’ll understand exactly what Health Data you’re agreeing to share, and with whom.  You can change your permission settings whenever you want.

i.     b.well’s Permissions-Based Consent Framework

b.well maintains a permissions framework that is based on the principle of sharing your Health Data with your clear, affirmative and voluntary consent.  For b.well, affirmative, informed consent means that you (which may include your lawful representatives or legal guardian) have indicated consent by a deliberate act within the application, and you have been presented with sufficient context to understand the scope of permission you are granting.  Voluntary consent means that your use of the b.well application is not conditioned upon your granting this consent.  If some features or benefits of the application are not available without consent, we explain these limitations at the time your consent is requested. 

ii.     Enterprise Sponsors

If the Sponsor of your b.well account is a health plan or health care provider, you have a choice within the application whether or not to grant them  access to Health Data that does not originate with them.  Unless you give this consent, b.well will not share Health Data from other sources with your health plan or health system Sponsor.  If you are employed by a health plan or health system sponsor, we may share your Health Data for permissible treatment, payment and healthcare operations under HIPAA and other applicable laws.  Otherwise, b.well does not share your Health Data with employers.

If you decide to share Health Data from other sources with your health plan or health system Sponsor, that Health Data will be treated as PHI by us and by your Enterprise Sponsor.  It will be governed by your Sponsor’s HIPAA Notice of Privacy Practices, by contract arrangements with the Sponsor that require us to comply with its HIPAA Notice of Privacy Practices, and by this Privacy Policy and the Terms of Service. 

At any time, you can revoke data sharing permissions for your health plan or health system Sponsor, and we will implement that request within a reasonable time period.  Because of our obligations as a HIPAA business associate, we may not be able to retroactively revoke a Sponsor’s access to PHI after it has been shared with your consent; however,  we would stop sharing new Health Data that you collect through the application.   

iii.     Other Users (Health Circle)

You can set permissions to automatically share some or all of your Health Data with family members, friends, professional caregivers or other individuals that you identify in your circle of support (your “Health Circle”).  You can also set permissions that allow another user to exercise account privileges on your behalf.    

Health Circle permissions can be set to “access” or “edit” privileges, according to your preferences.  Individuals invited to your Health Circle must first become b.well users.  b.well users in your Health Circle to whom you grant access privileges can view your Health Data, but cannot act through the application on your behalf.  b.well users in your Health Circle that receive edit privileges from you can view your Health Data, as well as perform some activities through the application on your behalf. 

Be advised, Health Data can include genetic or family history information that is relevant to other family members.  While we do not require you to obtain consent from these family members before you share this data with others, you should only share access to your b.well account with individuals you trust, and you accept all responsibility for disclosures that are made to them.

iv.     Your Health Care Providers

You can direct b.well within the application to share a copy of your clinical data summary with the health care provider(s) you designate.

v.     Your Personal or Legal Representative, or Legal Guardian

Although we strongly discourage sharing your credentials with someone, should you choose to do so, we deem these individuals to be acting with your consent.  We have established procedures for verifying the authority of a personal or legal representative or legal guardian that contacts us about your b.well account in accordance with applicable state laws. 

If you are a verified personal representative, legal representative or legal guardian for another person (a minor child, for example), you may be given access to their Health Data through your b.well account, and privileges to decide how that Health Data is used and shared.   You accept all responsibility for actions you take using this data. For more information, read Personal Representatives, Legal Guardians and “Proxy” Account Access.

Parents as Personal Representatives of Minors: In most cases, parents have access and edit privileges for Health Data of their minor children through Health Circle.   However, we may be required to deny a parent’s access to a minor’s Health Data according to applicable state law. For minor children above the age of consent for specific services under applicable state law, Health Data related to those services may not be accessible to parents.  Also, once minor children reach the age of majority, b.well automatically terminates a parent’s access to Health Data in their child’s account through Health Circle.  To regain access, the majority-age child can set permissions through Health Circle.


E. NO MARKETING TO MINORS

Takeaway: Can I use b.well if I’m under 13 years old?

Usually not.  Instead, we give parents or legal guardians the ability to create accounts for minors under 13 years old. 

We do not knowingly market to or solicit Personal Data from children under the age of 13.  We  do not knowingly permit anyone under the age of 13 to have their own b.well account without first obtaining clear, verifiable consent from their parent or legal guardian.  If we obtain actual knowledge that we have collected Personal Data from a user under thirteen (13) years of age without their legal representative’s consent, we will use reasonable efforts to refrain from further using such Personal Data, and take steps to disable further use or access in a retrievable form.


F. USAGE DATA AND TRACKING TECHNOLOGIES

Our Cookies Policy describes how tracking technologies can be used and machine identifiers can be collected by us and others, when you use the internet and/or your mobile device to access or use any of our Services.  It also describes some measures you can take to limit the ability of tracking technologies to collect Usage Data from you.


2. HOW B.WELL USES DATA

Takeaway: How does b.well use my data?

We use it to operate and improve our service.  The data may also be used to help your b.well account sponsor (the organization that gave you access to the application) perform population health activities, deliver personalized health management solutions, and engage in other permitted treatment, payment, and healthcare operations activities.  These activities must be consistent with the laws applicable to them and their respective HIPAA Notice of Privacy Practices.

We use your Personal Data to:

●      Match your Personal Data from multiple sources, and to correctly identify and link accounts and records that contain your Health Data, including your PHI

●      Verify your identity and authenticate access to your account (and if applicable, the account of another user)

●      Facilitate your access to and use of the Services

●      Create Non-Personal Data, algorithms, data models and other works to support the business purposes described in this Privacy Policy

●      Help our Enterprise Sponsors perform population health activities, deliver personalized health management solutions and engage in other permitted treatment, payment and healthcare operations activities under HIPAA, consistent with laws applicable to them and their respective HIPAA Notice of Privacy Practices

●      Carry out our obligations arising from the terms you have accepted

●      Personalize the Services

●      Send you communications and provide you with customer service and technical support

●      Evaluate service performance and user behavior

●      Notify you of new Service features or new Services that we provide

●      Notify you of other benefits that your health care providers, health plan or any of our partners may provide

●      Bill and collect payment for Services, if applicable

●      Take action that helps us to maintain the security of our Services and the privacy of your Personal Data, obey laws and help prevent fraud and abuse

●      Update any hardware, software or other tools that we provide in conjunction with the Services

●      Take actions to enforce our agreements and policies

We use Personal Data to create Non-Personal Data.  We use and share Non-Personal Data to support the legitimate business purposes described above for Personal Data.  We may use  Non-Personal Data instead of Personal Data when Non-Personal Data allows us to reduce the risk of unauthorized access, use or sharing of Personal Data.  We do not sell or trade Non-Personal Data to other third parties, or use it for other purposes.  We implement safeguards to reduce the risk that Non-Personal Data we disclose to Enterprise Sponsors can be re-associated with you or members of your family or household, unless they have a legitimate legal basis for accessing and using the underlying Personal Data.  These safeguards include selective disclosure of Summarized Data, Pseudonymized Data or fully Anonymized Data based on the business purpose and the risk of re-identification for a given disclosure.  Enterprise Sponsors are required to implement roles-based policies that limit access to PHI, which we implement on their behalf as their HIPAA business associate.  Enterprise Sponsors are restricted by applicable HIPAA or workforce discrimination laws from taking steps to re-associate Non-Personal Data that we share with them.


3.  HOW WE MAY DISCLOSE DATA TO OTHERS

Takeaway: When can b.well disclose my data without my consent?

b.well may need to disclose data to deliver its services or operate its business – for example, with service providers that help b.well  to deliver its services.  Here are a few key points:

●      b.well does not sell your Personal Data to third parties or let others use it to market their services to you. We may disclose data to vendors whose services you choose to access through our platform. 

●      If we have a legal or law enforcement request to disclose data, we scrutinize these requests, minimize the data we share, and notify you when we can. 

●      b.well does not have any affiliates.  If we do in the future, they will not receive your data without a binding agreement to comply with b.well’s Privacy Policy.  If we sell our business, we will not transfer your data to the successor entity without an agreement that they maintain our Privacy Policy commitments. 

●      We don’t control the data practices of consumer health apps that you choose to connect to our services, or of online technology platforms that track your online activities.

We consider your Personal Data and Non-Personal Data of our users to be confidential.  We do not sell your Personal Data or Non-Personal Data to third parties (other than in connection with a Business Transfer).  Nor do we knowingly share your Personal Data or Non-Personal Data with third parties for marketing purposes.

A.     THIRD PARTY SERVICE PROVIDERS

To deliver our Services, we use a variety of third party service suppliers of technology, internet service hosting, payment processing, technical integration, marketing, analytics, and customer service and support. We share the minimum necessary Personal Data and Non-Personal Data with these third parties for them to provide their services to us. These companies are acting on our behalf and are required, by contract with us, to keep Personal Data and Non-Personal Data confidential, and are only authorized to use it for specified purposes, which are consistent with this Privacy Policy.

B.     ENTERPRISE SPONSORS

We share Personal Data and Non-Personal Data with Enterprise Sponsors, as detailed more fully under Granting Permissions for Others To Access Your Health Data — Enterprise Sponsors and How b.well uses Data.

C.     AUTHORIZED SUPPLIERS OF DIGITALLY ENABLED SERVICES 

If b.well allows you to connect to services offered by authorized suppliers through your b.well account (as defined in the Terms under Data and Service Connections), we present you with service-specific terms, including additional privacy notices.  If you consent to these service-specific terms, we will share Personal Data and Non-Personal Data with these suppliers according to those terms.

D.     OTHER B.WELL USERS

We share Personal Data with other b.well users, as detailed more fully under Granting Permissions for Others To Access Your Health Data — Other Users (Health Circle).

E.     YOUR HEALTH CARE PROVIDERS

We share Personal Data with your health care providers, as detailed more fully under Granting Permissions for Others To Access Your Health Data — Your Health Care Providers.

F.      LAW ENFORCEMENT AND REGULATORY AUTHORITIES

We do not disclose Personal Data to law enforcement or regulatory authorities unless we determine it is necessary to do so under law to comply with a valid court order, subpoena, or search warrant.  We closely scrutinize all law enforcement and regulatory requests.  If we determine that we must comply with a valid law enforcement or regulatory request, we first determine if we can comply after receiving your explicit authorization to make the disclosure.  Otherwise, we attempt to comply by limiting disclosure to Non-Personal Data, or by redacting information so that only the minimum necessary Personal Data is disclosed.  We also attempt to receive adequate assurances from the requesting law enforcement or government agency that it will protect the Personal Data to the highest degree possible, and will not disclose it in violation of applicable federal or state confidentiality laws.  While we cannot offer assurance that these efforts will be successful, we will maintain a detailed record of all disclosures we make in response to law enforcement and regulatory requests.  Also, if permitted by applicable law, we will notify you of the disclosure by certified mail to any home address that you have disclosed in your account profile.

G.     CIVIL PROCEEDINGS

If b.well is a party to a legal proceeding with you, we may disclose your Personal Data to the court or arbitrator for purposes of resolving a civil dispute.  If b.well is not a party to a legal proceeding, we may be required by law to disclose your Personal Data pursuant to a valid subpoena, discovery request or other lawful process.  Even if additional protections are not required by applicable laws, we use our reasonable best efforts to obtain your authorization or seek a qualified protective order to protect Personal Data, before disclosing it in a civil proceeding.   We also use reasonable best efforts to limit disclosures of Personal Data to the minimum necessary to accomplish their intended purpose. 

H.     AFFILIATES

b.well does not have any subsidiaries, is not controlled by a parent entity and is not under common control with any other affiliated entity.  If we have affiliates in the future, b.well will not share your Personal Data or Non-Personal Data with them unless they sign an agreement with b.well to keep disclosed information confidential and to limit their use of information to the purposes permitted in this Privacy Policy.

I.      BUSINESS TRANSFERS

If we enter into a merger, acquisition, or the sale of all or part of our assets, your Personal Data and any Non-Personal Data derived from your Personal Data will likely be part of the assets transferred.  If this happens, we will attempt to notify you, using the e-mail address you have provided in your account profile.  We will use our reasonable best efforts to ensure that the successor entity maintains commitments that are consistent with this Privacy Policy; otherwise, we will disable your b.well account and dispose of your Personal Data, as specified under Data Retention and Account Changes.

J.      ADVERTISING NETWORKS, CROSS-DEVICE LINKING AND DO NOT TRACK SIGNALS

Third parties, like advertising networks, web analytics companies and social media and networking platforms, may collect information about your online activities over time and across multiple web and mobile platforms.  Their use of Tracking Technologies when you access our Services may be used to predict or determine a likely association or relationship between two or more devices, or to help them serve you content on other websites and social media platforms.  We are not responsible for third party tracking technologies used by these third parties, or for the targeted advertisements they may cause to be served to you on other platforms.  We encourage you to check the privacy policies of these third parties to learn more about their privacy practices, and use internet and portable device technologies from third parties that you trust when you access and use our Services.


4.  EMAIL, TEXT MESSAGES AND PUSH NOTIFICATIONS

Takeaway: How does this Privacy Policy apply to emails, text messages, or in-app notifications from b.well?

You can choose to receive communications from us via email, text message, and push notifications. By default, we only include generalized health information in these communications.  If given the option to receive more personalized messages, be aware that these communications are not secure, and they may be visible to others with access to your devices.

Within the application, you can choose to receive personalized communications from b.well via email, text message and push notifications.  By default, we only include Account Information (user name, contact information) and generalized health information in these communications.  Under Settings, you can change communication modalities.  You may be given the option to specify more Personal Data to be displayed.  When selecting these preferences, keep in mind that email and SMS text messages are not encrypted.  Also, communications you receive may be visible to others who can view your device screen.  You agree and accept full responsibility for disclosures of Personal Data to others due to your communications preferences.

If you correspond with us by e-mail or using Web forms available through our services, you should be aware that your transmission might not be secure from access by unauthorized parties. We have no liability for disclosure of your information due to errors or unauthorized acts of third parties during or after transmission.


5.  DATA RETENTION AND ACCOUNT CHANGES

Takeaway: How long does b.well hold on to my data?

We’ll retain your data for as long as you keep using your account.  We follow an established data retention policy for deleting the Personal Data of dormant accounts after 10 years and closed accounts after 30 days.  Exceptions occur when we are lawfully required to retain data for longer time periods.


Takeaway: How can I close my b.well account?
Contact our support team if you want to close your b.well account.  We first suspend your account for 30 days in case you change your mind, and to give you time to securely download your Health Data.  After that, we permanently delete your Health Data, subject to our data retention policy.


Takeaway: What happens if b.well decides to suspend access or close my b.well account?
b.well reserves the right to terminate services, or close your account.  Before closing your account, we suspend it and let you know using the e-mail address provided in your account profile.  We reserve the right to deny access or notice if you violate our Terms, if required by law, or if we believe suspension is reasonable to prevent or mitigate harm.  

 

Data Retention.  In general, we retain Personal Data and Non-Personal Data for as long as your account is active or as needed to provide you with Services.  We delete the Personal Data of dormant accounts after 10 years, and delete the Personal Data of permanently disabled (closed) accounts after 30 days.  We may retain Non-Personal Data indefinitely.

These data retention policies may be overridden in our sole discretion if we are required to retain your Personal Data to comply with our legal and contractual obligations, to resolve disputes or to enforce our agreements with you.   For example, we cannot delete Health Data that your Enterprise Sponsor is required to maintain under applicable laws, like HIPAA. 

Closing Your Account.  You can close your b.well account at any time and for any reason.  To close your b.well account, please contact us through the application under Support.  When you ask us to delete your b.well account or Personal Data in full, we will first suspend  your b.well account for 30 days. During this suspense period, you will retain direct access to data in your account so you can securely download your Health Data.  You can also change your mind and request that your suspended account be re-activated.  After the suspense period expires without a request from you to reinstate your account, we permanently disable your account and delete your Personal Data as described above.  Permanently disabling your account means that you will no longer have access to your Personal Data through your b.well account.

Suspending or Terminating Services.  We may suspend or terminate your access to your b.well account or to one or more Services, at our sole discretion, at any time and without notice to you.  For example, we may suspend or permanently disable accounts that have not been authenticated, or which you don’t access for a prolonged period of time.  Before permanently disabling your account, we will attempt to notify you using the e-mail address you have provided in your account profile.  However, we are not obligated to notify you in advance in some cases (for example, if we have a reasonable belief that you have repeatedly and flagrantly violated the Terms of Service, by court order, or if we have a reasonable suspicion that the privacy or confidentiality of others’ Personal Data may be compromised, or that your access poses a danger to other users).

Be advised, given the complexity of our production environment and the security measures in place to safeguard the confidentiality, integrity and availability of all Personal Data, it is not feasible for us to destroy or erase all electronic copies of your Personal Data, particularly those created pursuant to our standard electronic backup and archival procedures.  However, the personnel with access to these retained copies is curtailed and monitored; access is limited to that reasonably necessary for the performance of their information technology duties (e.g., for purposes of system recovery) or legal duties. All Personal Data that is not destroyed as permitted remains subject to the Privacy Policy in effect at the time of your request for deletion, for as long as we retain your Personal Data.


6.  INFORMATION SECURITY

Takeaway: Tell me about b.well’s information security measures?

We take data security seriously.  Our system of physical, technical, and administrative safeguards is independently reviewed to ensure that we meet industry-leading standards.  Even so, there is always a risk of data breach, and you accept that risk.  We have protocols in place to notify you and help you through next steps if your data is compromised.

We implement industry-leading safeguards to protect your Personal Data from unauthorized access, disclosure, use, modification and loss.  Information security measures include: secure storage, encryption of digital records in transit and at rest, periodic log reviews, and system backups. We regularly review our data protection practices to consider appropriate new technological and other safeguards. Designated officers are responsible for ensuring that our data practices and security measures are consistent with this Privacy Policy, the Terms and applicable laws.  Our system of security and privacy controls is evaluated by independent assessors against industry-recognized information security frameworks.  We maintain a formal training program to ensure our workforce is familiar with common and emergent security and privacy risks, and with their responsibilities for safeguarding consumer information and reporting concerns to their immediate supervisors. Despite these and other measures, we cannot and do not guarantee that your Personal Data will be absolutely safe from interception or intrusion during transmission or while stored on our systems, or otherwise.  You acknowledge and agree that you create, collect and maintain your Personal Data with b.well at your own risk.

If we believe that the security of your Personal Data may have been compromised, we will notify you about the breach using the email provided in your Account Profile.  The notification will include the following information:  (a) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (b) A description of the types of unsecured Health Data that were involved in the breach; (c) Steps individuals should take to protect themselves from potential harm resulting from the breach; (d) A brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate harm, and to protect against any further breaches; and (e) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.

We will provide this notice to you using the email address you provide to us in your Account Profile.  If you prefer that we notify you by first class mail, please let us know by contacting b.well Support through the application or by emailing [email protected].  You can also request a print copy, at no charge, of any electronic notice that we may have sent to you about the incident.

7.  INTERNATIONAL DATA TRANSFERS

Takeaway:  Does b.well transfer my Personal Data outside the U.S.?   

We can transfer your Personal Data outside the U.S. if we determine we can do so without violating this Privacy Policy or the Terms.  We do so with appropriate consideration for the data protection laws of the country where we may transfer your data. 

If you are located in the United States, we may transfer your Personal Data outside of the United States if we determine that we can do so without violating this Privacy Policy and the Terms.  If we transfer Personal Data across borders without your consent, we consider the scope and enforceability of data protection requirements applicable to such transfers.  If you access your Personal Data from another country, or direct us to share your Personal Data with someone located in another country, the country from which you access your Personal Data or to which your Personal Data may be transferred will have different data protection laws from the country where the Personal Data was first collected.

8.  ACCESSIBILITY

Takeaway:  Where can I get more information if I have more questions about my data or b.well’s data practices?

We’re an open book about our data practices, in English and Spanish.  If you can’t find answers here or in the app to questions about your data, ask our support team.  It might take a couple days at first.  We do our best to resolve questions in 30 days or less.

We use editorial content and graphical design to help you understand our data practices in appropriate context within the application, and this Privacy Policy can be accessed from our website and the application.  This Privacy Policy is also available to read in Spanish.  If you still have a question, you can ask for further clarification by contacting b.well Support through the application or by emailing [email protected].  We do our best to acknowledge your request within 2 days, and respond within 30 days.  Responses may be delayed if we cannot verify your identity or your legal authority to receive requested data.  If you feel that any of your privacy concerns have not been addressed, please let us know by contacting Support within the application or by emailing  [email protected].

9.  USERS IN THE EUROPEAN ECONOMIC AREA: YOUR PRIVACY RIGHTS

Takeaway:  Does Europe’s General Data Protection Regulation apply to b.well?

While our app is intended for users in the U.S., this Privacy Policy incorporates some of the data practice standards adopted by countries in the European Economic Area.  Some of these practice standards are described in this section and cross-referenced to relevant sections of this Privacy Policy.

The Services that link to this Privacy Policy are intended for users located in the United States, and we only store Personal Data in our control in data centers located in the United States.  For these reasons, we do not self-certify under the E.U.-U.S. Privacy Shield or the Swiss-U.S. Privacy Shield to comply with data protection requirements when transferring Personal Data from the European Economic Area (EEA) to the United States. 

That said, if you create a b.well account and reside in the EEA, the data protections specified by the EEA’s General Data Protection Regulation (GDPR) may be applicable to you.  In consequence, the following chart discloses our legal basis for collecting and using your Personal Data and the rights guaranteed to you as an EEA resident with respect to your Personal Data. As applicable, the chart includes links to relevant sections of this Privacy Policy that give effect to GDPR requirements.  Be advised: The GDPR represents a minimum set of data protection standards that the individual nations within the EEA are required to implement: The actual laws of the nation of the EEA where you reside may confer additional rights to you, which are not included in this comparison chart.

A.     LEGAL BASIS FOR PROCESSING

Our legal basis for collecting and using your Personal Data depends on the personal information concerned and the specific context in which we collect it.  We always seek your explicit consent before collecting and using your Health Data for the Services.  In some cases, we also may have an independent legal basis for collecting and using some or all of your Health Data.  For example, we can collect and process Health Data on behalf of Enterprise Sponsors as their HIPAA business associate, including Health Data from third party sources that you consent to share with b.well and your Sponsor. 

We collect and process Health Data and Other Personal Data for the purposes listed in How b.well Uses Data.  These purposes are subject to overriding individual rights guaranteed under the GDPR, listed below.  If we are unable to deliver Services and simultaneously help you exercise these rights to the fullest extent, we will let you know the reasons why.  At that point, you can decide either to Close your b.well account, or withdraw your request to exercise these rights. 

In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.  An example is if we need to verify your identity or authority to access Health Data to fulfill a data request.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate our Services, to communicate with you about our Services and for other legitimate commercial interests, like those listed in How b.well Uses Data.  We may have other legitimate interests and if appropriate we will make clear to you at the relevant time what those legitimate interests are.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us by email to [email protected] subject line:  GDPR Privacy.

B.     INDIVIDUAL RIGHTS OF EEA USERS 

i.  Access

You may request access to your Health Data through the application.  For Other Personal Data, contact b.well Support through the application or by emailing [email protected].

ii.  Correction

You can correct inaccurate/incomplete Personal Data that originates in our Services by editing information in your Account Profile.  Health Data that originates from other sources must be corrected at the source.

iii.  Object to, Limit, or Restrict Use of Data

You can ask us to stop using all or some of your Personal Data or to limit some or all of our uses of it by changing your data sharing permissions in the application.  If you wish to limit or restrict use of your Personal Data further, we may not be able to deliver Services.  If that is the case, your remaining option is to Close your b.well account.

iv.  Deletion

In certain circumstances, you can request a right “to be forgotten” (this is a right to have your information deleted or our use of your data restricted). We will honor these requests unless we have to retain this information to comply with a legal obligation or unless we have an overriding interest to retain it.  Please read Data Retention and Account Changes.

v.  Portability

In certain circumstances, you can exercise the right to data portability (this is a right to obtain a transferable version of your Personal Data to transfer to another provider).  Please read Granting Permissions for Others to Access Your Health Data – Your Health Data Providers.

10.  CALIFORNIA RESIDENTS: YOUR CALIFORNIA PRIVACY RIGHTS

Takeaway:  Does b.well comply with California’s consumer privacy laws? 

If you are a consumer with a b.well account and you live in California, California law may provide you with rights in addition to those detailed elsewhere in this Privacy Policy.  This section helps you understand what these rights are, and directs you to applicable provisions of this Privacy Policy.

Notices for California Residents

California Privacy Act Notice. Under California Civil Code Sections 1798.83-1798.83
California residents are entitled to ask us, once per year, for a notice identifying the categories of information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for these affiliates and/or third parties. Requests will apply to information provided during the previous calendar year (for example, if you request information in 2020, you will receive information regarding 2019). b.well does not currently have any affiliates.

Also, b.well does not knowingly share any Personal Data with third parties for marketing purposes.
California Consumer Privacy Act (CCPA) Notice. California Civil Code Sections 1798.100-1798.198 and their implementing regulations
This Privacy Policy must be made available in the languages we use in the ordinary course of disclosing contracts, disclaimers, and other information to consumers. This Privacy Policy is available in Spanish. Please do not hesitate to contact b.well Support by email [email protected] or telephone at (855) 972-9355 if you experience difficulty with accessing the application or our Services. We would like to learn from your feedback to make our Services more accessible.
This Privacy Policy must be accessible in print form. You should be able to print a copy of our Privacy Policy from most web browsers. You can also email or print the Privacy Policy from the application.
California residents can request a disclosure in machine-readable format of the categories and specific pieces of personally identifiable information that we have collected about you and your household during the 12 months preceding our receipt of a verifiable consumer request (limit two times per 12-month period). You can also ask where this information came from, and what we use it for. Within the application, you can securely download a machine readable copy of your Health Data.

To request a machine-readable copy of all categories and specific pieces of Personal Data about you and your household during the preceding 12 month period – and the sources of this Personal Data – please contact b.well Support through the application or by emailing [email protected].
California residents have the right to opt out of any sale of their personal information, unless the business does not sell personal information, and states in its privacy policy that it does not and will not sell personal information.

Also businesses subject to the CCPA that sell the personal information of California residents must disclose additional information about the personal information they’ve sold in the preceding 12 months.
b.well does not knowingly sell Personal Data to any third party. For this reason, provisions in the CCPA that give California residents the right to opt out of these sales, and to receive an accounting of disclosures related to these sales, do not apply to b.well.
Businesses subject to the CCPA must give notice to California residents when they offer financial incentives – or vary their service terms – in exchange for selling their personal information. b.well does not offer financial incentives or vary our service terms as a way to induce you or other users to permit us to sell your Personal Data.
Businesses subject to the CCPA must honor requests that enable California residents to request that their personal information be deleted. See Data Retention and Account Changes.

11.  CHANGES TO THIS PRIVACY POLICY

Takeaway: Will this Privacy Policy change?

It may, but if we change it, we will notify you in the application and via email.  The notification will include a link to the privacy policy being replaced and a summary of changes – like this summary.  If the changes are significant, we will give you time to consider the changes before they become effective.  Your consent to Privacy Policy updates is required to continue using the application.  But if you decide not to consent, you can still obtain your Health Data.  

Sometimes, we might supplement this Privacy Policy with an additional notice.  This allows us to add conditions for a specific feature in the application without having to change the Privacy Policy.

We reserve the right to change this Privacy Policy. When we change it, we will notify you in the application and by email to the address you have provided us in your b.well account.  These notifications will include a link to the updated Privacy Policy, as posted on https://www.icanbwell.com/legal/privacy-policy.  The updated Privacy Policy will indicate its effective date, and include links (i) to the privacy policy it is replacing and (ii) a summary of changes. 

To continue using the application, you will be required to accept the updated Privacy Policy. If we make significant changes (for example, a new use or disclosure of Personal Data that we have already collected and stored), we will give you a reasonable amount of time to consider the changes before they become effective.  If you do not accept the updated Privacy Policy, you will be blocked from accessing your b.well account.  If you are blocked from your b.well account, please contact [email protected] for assistance with closing your account and getting a machine-readable copy of your Health Data.

12.  ADDITIONAL PRIVACY NOTICES

Takeaway:  How will my Personal Data be used if my employer asks me to use b.well’s COVID-19 symptom tracker and daily check-in?

Your employer may ask you to use b.well’s COVID-19 symptom tracker and complete a daily survey.  Your responses generate a recommendation to go to work or stay home, which is shared with your employer’s HR teams and your supervisors.  The underlying responses are only shared with your employer’s COVID-19 health team, if required by your employer’s COVID-19 policies.

 COVID-19 Return-to-Work Privacy Supplement

Effective Date: August 3, 2020

In response to the COVID-19 public health emergency, b.well has added a daily check-in experience for employers that choose to implement employee screenings in the b.well application, as part of their efforts to help minimize the risk of COVID-19 exposures at their worksites.  

If you are an employee of an employer that has implemented the COVID daily check-in, you will be presented with a daily survey, in which you will be asked to answer questions about symptoms you’re feeling.  You will also be asked whether you or anyone close to you has either tested positive for COVID-19, come in close contact with someone who has, or been instructed to isolate or quarantine by a local health department.  Your responses will generate a preliminary indicator of whether you should return to work at an onsite location. 

If you do not receive a “healthy” indicator for work onsite, you will be asked to contact your employer’s COVID-19 health teams for further evaluation. In turn, they may decide whether to refer you for testing or clinical evaluation.

To implement this COVID-19 daily check-in, we have to change some of the data practices we describe elsewhere in this Privacy Policy.  The table below provides an illustration of these new data practices:

Personally Identifiable Information (Category) | Example | Purposes | Shared with Your Employer’s COVID-19 Health Team? | Shared with Your Supervisor or Employer’s HR Team?
App Usage | Have you downloaded the b.well app? (Yes or No) | COVID-19 Worksite Safety | Yes | Yes
COVID-19 Daily Check-In Usage | Have you completed your daily check-in? (Yes or No) | COVID-19 Worksite Safety | Yes | Yes
Cleared for Work Indicator | Based on responses, are you “healthy” enough to work onsite? (Yes or No) | COVID-19 Worksite Safety; Medical Triage / Care Navigation | Yes | Yes
Self-Reported Data | Symptoms, test results, close contacts | Medical Triage / Care Navigation; Public Health Reporting | Yes | No