Your privacy is important to Wellsource.  This Privacy Policy describes Our policies and procedures on the collection, use, processing, disclosure, and management of Your information that You may provide to Us when You use any of Our Websites or Our Services and tells You about Your privacy rights and how the law protects You.  Please review this Privacy Policy carefully to learn about Our privacy practices and procedures.  This Privacy Policy applies, without limitation, to any individual or entity that visits or uses Our Websites or Our Services, creates an Account with Us, participates in a demo, survey or assessment, or otherwise provides Us with any Personal Data.  We use Your Personal Information to provide and improve Our Services.

By accessing or using OUR WEBSITES OR Services, or otherwise providING Us with any information, You expressly agree to the practices AND PROCEDURES described below, including the collection, use, processing, and management of Your information in accordance with this Privacy Policy, regardless of whether You have an Account with Us.  IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, OR TO ANY CHANGES WE SUBSEQUENTLY MAKE TO THIS PRIVACY POLICY, YOU MUST IMMEDIATELY STOP USING THE WEBSITES OR SERVICES OR OTHERWISE PROVIDING ANY INFORMATION TO US.

Interpretation and Definitions

Interpretation

The words where the initial letter is capitalized have meanings defined below and have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

• You (referred to as “You” or “Your” in this Privacy Policy) may mean any of the following:
• Respondent refers to You if You are an individual accessing Websites or using Our Services, or a designated agent, or company, or other legal entity on behalf of which such individual is accessing Websites or using the Services, as applicable, if You have received or are responding to an assessment, survey, form, application, or questionnaire powered by Our Services.

• • Under the General Data Protection Regulation (“GDPR”), You may be referred to as the Data Subject or as the User as You are the individual using the Services.

• Website Visitor refers to You if You are only a visitor to one of Our Websites.
• Customer refers to You if You are a business or legal entity accessing Our Websites or using Our Services under contract, or are collaborating with Us on or reviewing assessments, forms, applications, or questionnaires for Your Account. For the purpose of the GDPR, a Customer may be a Data Controller.
• Company (referred to as the “Company”, “Wellsource”, “We”, “Us” or “Our” in this Privacy Policy) refers to Wellsource, Inc., an Oregon corporation located at 8100 SW Nyberg St, 450, Tualatin, OR 97062, USA operating websites located at the following URLs: Wellsource.com, IV.Wellsuite.com, Engage.Wellsuite.com (collectively, the “Websites”).
• For the purpose of the GDPR, Wellsource may be a Data Controller or a Data Processor, depending on its contractual relationship with the Customer.
• Applications means the software programs provided by Wellsource downloaded or accessed by You on any electronic device, named Wellsuite, Wellcomplete, Wellactivate, or Well4life.
• Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
• Account means a unique account created for You to access Our Services or parts of Our Services.
• Services refers to all the products, services, websites, and applications offered by Wellsource. Our Services are provided by Wellsource, inside of the United States and Ireland, unless otherwise detailed in Your contract. The Services are owned and operated by Wellsource.
• Service Provider means any legal entity that processes the data on behalf of a business and to which the business discloses a consumer’s Personal Information for a business purpose pursuant to a written contract, which may be a third-party company or Wellsource, depending on their roles and responsibilities. It refers to third-party companies / individuals or Wellsource employed by a business (either Wellsource or its Customers) to facilitate the Services, to provide the Services on behalf of Wellsource, to perform services related to the Services or to assist Wellsource or its Customers in analyzing how the Services are used. Wellsource is acting as a Service Provider on a Customer’s behalf if a Customer engages Wellsource to process Your Personal Information or provide the Services to You, and Wellsource shares the Your Personal information with the Customer. Wellsource does not control of any information in this case and You should review the Customer’s privacy policy.
• For the purpose of the GDPR, Service Providers are considered Data Processors.
• Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Services.
• Facebook Fan Page is a public profile named Wellsource, Inc. specifically created by Wellsource on the Facebook social network, accessible from https://facebook.com/wellsource/
• Customer Data is any data that Customers use our Services to collect, including assessment responses, data collected in a form, or data provided on a site hosted by Us.
• Personal Information is any information about You that relates to an identified or identifiable individual that we collect or are acting as custodian.
• For the purposes for GDPR, Personal Information (or Personal Data) means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
• For the purposes of the CCPA, Personal Information means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with You.
• Device means any device that can access the Services such as a computer, a phone, a digital tablet, or a similar device.
• Usage Data refers to data collected automatically, either generated by accessing the Websites, use of the Services or from the Services infrastructure itself (for example, the duration of a page visit).
• Data Controller, for the purposes of the GDPR, refers to Wellsource or its Customers, depending on the contractual relationship, as the legal entity which alone or jointly with others determines the purposes and means of the processing of Personal Data.
• Do Not Track (“DNT”) is a concept that has been promoted by U.S. regulatory authorities, in particular the U.S. Federal Trade Commission (“FTC”), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.
• Business, for the purpose of the California Consumer Privacy Act (“CCPA”), refers to Wellsource as the legal entity that collects Consumers’ personal information and determines the purposes and means of the processing of Consumers’ personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California.
• Consumer, for the purpose of the CCPA, means a natural person who is a California resident. A resident, as defined in the law, includes (1) every individual who is in the USA for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.
• Sale, for the purpose of the CCPA, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal information to another business or a third party for monetary or other valuable consideration.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

When visiting Our Websites or using Our Services, including entering into a subscription for Our Services, signing up to receive information or Our newsletters or mailing lists on Our Websites, completing an electronic form on Our Website or a paper form provided by Us, interacting with Our sales or customer support team, participating in a demo, or responding to Our surveys or assessments, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You.  Personally identifiable information collected may include, but is not limited to:

• Contact information, including individual’s name, company name, email address, phone number, mailing address, business address, job title
• Log-in and account information, including username, password, portal login ID, unique user ID, and password
• Geolocation data, including location information of Your Device (inferred from Your IP address, not precise GPS co-ordinate locations)
• Network information, including IP addresses, cookie IDs
• Physical characteristics data, including weight, height, body measurements
• Personal details, including gender, place of birth, date of birth, education, employment, employment history
• Biometric Information, including blood pressure, cholesterol, A1C, or other physical patterns, and sleep, health, or exercise data
• Protected classification characteristics, including age, race, color, language, marital status, medical conditions, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), genetic information (including familial genetic information), or other protected classifications
• Usage Data (defined below)

We may also collect additional Personal Information related to Your health if You are responding to an assessment or survey, including, but not limited to, the following categories:

• Physical activity and movement data
• Medications and prescriptions
• Cognitive assessment data
• Health conditions or diseases
• Insurance information
• Eating habits and nutrition

If You are a Respondent to a survey or assessment, We may collect Personal Information that is considered Protected Health Information (“PHI”) as defined and regulated under the U.S. Health Insurance Portability and Accountability Act (HIPAA).  We comply with all applicable HIPAA regulations.

In addition, for Respondents to surveys or assessments, We also collect information about the types of questions You answer.  This data will be aggregated and de-identified / anonymized.

Usage Data

Usage Data is data collected automatically, either generated by the use of the Services or from the Services infrastructure itself, and may include information such as:

• Your Device’s Internet Protocol address (e.g., IP Address), which is the number automatically assigned to Your computer whenever You access the Internet and that can sometimes be used to derive Your general geographic area
• Your browser type and operating system
• Domain names
• Browser or operating system version
• The pages of the Services that You visit or links You click on
• Time and date of Your visit
• Time spent on pages You visit
• Sites You visited before and after visiting the Our Websites
• Your language preferences
• Geolocation information
• Information collected through cookies, web beacons, and other technologies
• Information about Your interactions with email messages, such as the links clicked on and if the messages were opened, sent, or forwarded
• Standard server log information
• Unique device identifiers
• Other diagnostic data

In addition, when You access Our Websites or Services by or through a mobile device, We may collect certain standard information automatically, including, but not limited to, the type of mobile device You use, Your mobile device UUID, the Internet Protocol (IP) Address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers,  and other diagnostic data.  We may also collect information that Your browser sends whenever You visit Our Websites or when You access Our Services by or through a mobile device.

Cookies and Other Tracking Technologies

Wellsource and Our partners may use various common, automated information gathering tools to collect usage data when You visit Our Websites and use Our Services, including cookies, tokens, pixel tags, Web beacons, scripts, and similar tracking technologies (collectively, Tracking Technologies”).  Cookies are small text files stored on Your Device by websites to identify You that contain the details of Your browsing history and enables features and functionality of the Services.

When You access or use Our Websites or Services, including taking a survey or assessment, We and Our partners may use first and third-party cookies and the other Tracking Technologies to automatically collect and track information, analyze and report trends, monitor performance, gather demographic information about Our user base, ensure the functionality of Our Websites and Services, ensure Our Websites and Services are operating appropriately and optimally, administer and improve Our Websites and Services, including authentication, remember Your settings and preferences, enable You to sign-in, ensure Respondents can only take a survey or assessment one time, track completion rates of surveys and assessments, combat fraud, improve security, and provide You with relevant or customized content.  Specifically, Tracking Technologies may collect Personal Information, including:

• IP Addresses
• Unique cookies identifiers, cookies information and information on whether Your device has software to access certain features
• Unique device identifier and device type
• Domain, browser type and language
• Operating system and system settings
• Country and time zone
• Previously visited websites
• Information about Your interaction with Our Website such as click behavior and indicated preferences
• Access times and referring URLs, if any

You can manage cookies on Your browser by instructing Your browser to refuse or delete all or some cookies.  You can do this through Your browser settings on each browser and device by going to the ‘Help’ option on Your browser for instructions.  If You do not accept cookies or turn-off cookies, You may not be able to access all or parts of Our Websites, use or have access to certain features of Our Services.

Cookies can be first or third-party as follows:

• First party cookies are those set by a website that is being visited by the user at the time.
• Third-party cookies are those set by a website other than the website being visited by the user.

We use both “Persistent” or “Session” cookies, which are:

• Persistent cookies are stored by Your Internet browser and contain basic information about Your Internet use. They remain on Your Device for a period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie and may help to recognize Your Device making it easier for You to interact with Our Services on Your next visit.
• Session cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close the browser window. Session cookies are created temporarily and are deleted as soon as You close Your web browser.

Cookies that may be used on Our Websites are categorized as follows:

• Strictly Necessary – These Cookies are necessary to provide You with Our Services available through Our Websites and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts.  They enable users to log in and complete surveys and assessments.  Without these cookies, the Services that You have asked for cannot be provided, and We only use these Cookies to provide You with those Services.  You cannot turn off these cookies as they are necessary for You to access and use the features of Our Websites.
• Performance – These cookies collect information about how You use Our Websites, for example which pages You visit, and if You experience any errors. These cookies do not collect any information that could identify You and is only used to help Us improve how Our Websites works, understand what interests Our users, and measure how effective Our content is.
• Functional – These Cookies are required for basic website functionality and allow Us to remember choices You make when You use Our Websites, such as remembering Your login details, username, or language selection. It also allows Us to prevent users from taking the same survey more than once.  The purpose of these cookies is to provide You with a more personal experience and to avoid You having to re-enter Your preferences every time You use the Websites.  These cookies also help with security issues and conformance to regulations.
• Targeting – These cookies may be set through Our advertising partners. They may be used by those companies to build a profile of Your interests and show You relevant advertisements on other sites.  They do not store directly personal information but are based on uniquely identifying Your browser and internet device.  They target small audience groups based on their web browser behavior and allow companies to display ads throughout a user’s browsing experience once the user has expressed interest on the company’s website.
• Social Media – These cookies collect information about social media usage and offer the possibility to connect You to Your social networks and share content from Our Services through social media. In some cases, these cookies involve the processing of Your Personal Data.
• Advertising – These cookies collect information to help better tailor advertising to Your interests and are used to market Our Services to You on third party websites. In some cases, these cookies involve the processing of Your Personal Data.

In addition to cookies We set when You visit Our Websites, companies that We hire to provide services on Our behalf may also set cookies when You visit Our Websites.  These companies have committed to only use Your Personal Information for the purposes described in this Privacy Policy.

For more information about cookies and similar tracking technologies, how to control or delete them, and how they may affect Your privacy, You can go to  https://www.allaboutcookies.org/.

Web Beacons

We may use single pixel GIF image files known as Web Beacons (a/k/a web bugs or clear GIFS) to enable Us to better manage the content of Our Websites by informing Us about what content is effective.  Web Beacons are tiny clear electronic images with unique identifiers which are embedded invisibly on website pages and are used to track online movements of visitors to a website.  We may use Web Beacons in Our marketing emails to let Us know which emails have been opened by recipients and which links have been clicked.  We may also use information from Web Beacons to provide you with information about Our Services.

Log Data

The data contained in the log files includes information about the nature of each access, such as the originating IP addresses, browser type, internet service providers, files accessed on Our Websites (e.g., HTML pages, graphics, etc.), referring/exit pages, operating system versions, Device type, timestamps, and clickstream data.  We may combine this automatically collected log information with other information We collect about You.  We do this to provide support for Our Services.

Referral Data

If You visit Our Websites or arrive at Our Services from an external source (such as a link on a third party’s website or in an email), We record information about the source that referred You to Us to track the success of such processes.

Data from Third Parties and Integration Partners
We collect and use Your Personal Information from third parties and integration partners to facilitate Customers where You give permission to such third parties to send You surveys or assessments, or to share Your information with Us or where You have made that information publicly available online.

Use of Your Personal Data

Wellsource may use Personal Information for the following purposes:

• Troubleshoot, improve, and maintain Our Services to Customers: To maintain and provide Our Services, including fulfilling contractual obligations, improving and troubleshooting functionality and experiences, analyzing performance, fixing errors, monitoring usage, improving the usability and effectiveness of Our Services, tracking and examining patterns, behavior, and preferences of Respondents’ responses at the aggregate/anonymous level to identify and understand trends in the various interactions with Our Services and the industry, improving Respondent completion rates, generating analytical reports, providing training, and developing new services, features, and content.
• To manage Our business and Services: To manage Our business internally, including internal corporate reporting, business administration, contract enforcement, ensuring adequate insurance coverage for Our business, ensuring the security of Our facilities, research and development, and to identify and implement business efficiencies.
• To manage Your Account: To manage and administer Your account.
• For the performance of a contract: To carry out Our obligations arising from a contract between You and Wellsource, including, but not limited to, the development, compliance, and undertaking of the contract for the Services.
• Analyze assessment use and responses: To analyze survey and assessment response data, activity, and behavior, once We have aggregated and anonymized such data to ensure the anonymity of Respondents, in order to identify trends, build features, and improve user experience, response rates and Our Services.  We do not sell or share individual response data, identify Respondents, or contact Respondents unless requested by You or if required by law.
• To identify and contact You: To identify the parties with whom We are interacting and contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding a survey or assessment
• To provide You with information, recommendations, and personalization: To provide You with updates, including security updates when necessary or reasonable for their implementation, news, special offers, and general information about functionalities, features, services, and events which We offer that are similar to those that You may have already used, purchased, or inquired about unless, where You have consented (or not opted out, as applicable) to receive such information, identify Your preferences, or personalize Your experience with Our Services. You can opt out of such communications at any time by clicking on the “unsubscribe” link in them.
• To manage Your requests: To attend and manage Your inquiries, issues, preferences, or requests to Us.

If You have consented to or not opted out, as applicable, We may add Your information to Our databases to contact You through future emails, postal mailings, and SMS text-messaging regarding site updates, upcoming events, and new services.  We do not currently use geolocation for purposes of tracking Your location when You use Our Website, but We reserve the right to do so in the future in order to better target service offerings and other information to You.

We may share Your personal information in the following situations:

• With Our Customers: We may share Your personal information with Our Customers in order to provide Our Services under contract, manage sales and support, or to measure the performance of email messaging and to learn how to improve email deliverability and open rates.  In general, responses to Our surveys or assessments are controlled and managed by Our Customers or the party who sent or deployed that survey or assessment to You.  In these cases, We are processing such responses on behalf of the Customer.  If You are a Customer that is part of a partner plan using Our Services, We may share Your account information and data with the primary administrator(s) of such plan, and Your survey or assessment data may also be visible to other members in such plan with whom You share Your assessments and surveys or with whom You collaborate.  Your administrator(s) will be able to view Your account data, change your passwords, suspend, transfer, or terminate Your account or restrict your settings.  Please refer to the internal policies or contracts of Your plan or company if You have questions, as applicable.
• With Third-Parties: We may share Your personal information in order to facilitate Our email collectors for sending surveys by email to Respondents, to deliver and track marketing and advertising content, to help Us track website conversion success metrics, or to manage Our support services.  Such third parties are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws, and are limited in their ability to use Your personal information only to provide services on Our behalf, unless expressly permitted in writing by Us.
• With Third-Party Service Providers: We may share Your personal information with third-party service providers to monitor and analyze the use of Our Services, to show advertisements to You to help support and maintain Our Service, to contact You, to advertise on third party websites to You after You visited Our Website, or for payment processing, if applicable.
• For Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Wellsource assets, financing, or acquisition of all or a portion of Our business to another company.
• With Affiliates: We may share Your information with Our affiliates, in which case We will require those affiliates to honor this Privacy Policy.  Affiliates may include any other subsidiaries, joint venture partners, or other companies that We control or that are under common control with Us.
• With business partners: We may share Your information with Our business partners to offer You certain products, services, or promotions for business development purposes.
• With other users: When You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside.  If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity.  Similarly, other users will be able to view descriptions of Your activity, communicate with You, and view Your profile.

Retention of Your Personal Data

As a general rule, Wellsource will retain Your Personal Information only for as long as is necessary to fulfill the purpose(s) for which We collected it and as set out in this Privacy Policy.  We will retain and use Your Personal Information to the extent necessary to comply with Our legal obligations (for example, if We are required to retain Your data to comply with applicable laws), resolve disputes, and enforce Our legal agreements and policies.

We will also retain Usage Data for internal operational and analysis purposes.  Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Services, or We are legally obligated to retain this data for longer time periods.

Storage of Your Personal Information

The secure servers on which We operate are located in the United States and Ireland.  Your Personal Information will be stored in one of these countries, depending on the country in which You reside.  We also use third party cloud storage providers, including Amazon Web Services (“AWS”) located in the United States and Ireland to store the Personal Information that You provide to Us, to perform of any contract We enter into with You, and for disaster recovery services.  We may transfer Your Personal Information to one of Our secure servers located outside of Your home country.

Transfer of Your Personal Data

Your information, including Personal Data, may be processed in and transferred or disclosed in the United States and countries where the parties involved in the processing are located.  It means that this information may be transferred to — and maintained on — computers or servers located outside of Your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

Wellsource will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy.  We will not allow transfer of Your Personal Information to an organization or a country unless these organizations offer the same or similar level of Personal Information protection as utilized by Wellsource and there are adequate controls in place including the security of Your Personal Information.  Such transfers are governed by contracts containing clauses to guarantee a similar level of protection as that of Your home country.

Disclosure of Your Personal Data

Business Transactions

If Wellsource is involved in a reorganization, merger, asset sale, joint venture, assignment, transfer, change of control, or other disposition of any of Our business, Your Personal Information may be transferred or shared with third parties for the purpose of facilitating and completing the transaction.  In this case, We will provide notice before Your Personal Information is transferred and becomes subject to a different Privacy Policy.

Law Enforcement

Wellsource may disclose Your Personal Information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

Compliance with Other Legal Requirements or Protection of Rights

Wellsource may disclose Your Personal Information in the good faith belief that such action is necessary to:

• Comply with a legal obligation,
• Protect and defend the rights or property of Wellsource,
• Prevent or investigate possible wrongdoing or crime, such as fraud or identity theft, in connection with the Services,
• Protect the personal safety of Users of the Services, Our staff, Customers, or the public, or
• Protect against legal liability.

Security of Your Personal Data

The security of Your Personal Information is important to Us.  We have implemented and maintain physical, electronic, and procedural safeguards that meet or exceed industry standards to protect the privacy, security, and integrity of Your Personal Data.  We use encryption when transmitting Your Personal Data, and We employ firewalls and intrusion detection systems to help prevent unauthorized access to Your Personal Data.  Access to Personal Information is restricted to Our authorized employees and partners who need to know this information for limited purposes or permitted business functions, and are not permitted to use Personal Information in any other way or for any other reason.  These authorized employees and partners are bound by written confidentiality agreements and/or data processing agreements.

While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security from unauthorized entry or use, hardware or software failure, or other circumstances outside of Our control and We assume no liability for any of these actions, occurrences, or their results.

Detailed Information on the Processing of Your Personal Data

Service Providers have access to Your Personal Information only to perform their tasks on Our behalf and are obligated not to disclose or use Your Personal Information for any other purpose.

Analytics

We may use third-party analytics service providers to evaluate the use of Our Services and support Our data processing activities.  These third-party analytics service providers may compile aggregate measurement reports on activity, collect demographic data, analyze performance metrics, and collect and evaluate other information related to the Services to help Us improve Our Services and user experiences.  Some of this data is anonymous and/or de-identified.  We use Matomo as Our web analytics service provider.  You can visit their Privacy Policy page here: https://matomo.org/privacy-policy.  By using Our Websites, You consent to the processing of data about You by Matomo.

Remarketing

We may partner with remarketing agencies to serve ads and/or collect information when You visit Our Websites.  These remarketing firms may use cookies or Web beacons to collect non-personally identifiable information such as IP Address, pages viewed, and if a conversion occurred during Your visit to Our Websites in order to help show advertisements on other websites likely to be more interesting to You.  To learn more about this “behavioral advertising” practice or to opt-out of this use of Your anonymous information, You can visit www.networkadvertising.org.

Email Marketing

We may use Your Personal Information to contact You with newsletters, marketing, or promotional materials and other information that may be of interest to You.  You may opt-out of receiving any, or all, of these communications from Us by following the “unsubscribe” link or instructions provided in any email We send or by contacting Us.

We may use Email Marketing Service Providers to manage and send emails to You.

General Data Protection Regulation – Privacy Notice for European Union Residents

This General Data Protection Regulation (“GDPR”) Privacy Notice applies to citizens of the European Economic Area (“EEA”), including those based in the United Kingdom and Switzerland, and the processing of Personal Data of Data Subjects.

Wellsource complies with the European Union’s GDPR as it relates to the collection, use, and retention of Personal Data from Our Customers, Respondents, advertisers, and business partners in the European Union (“EU”) member countries, the United Kingdom (“UK”), and Switzerland where EU, UK, or Swiss data controllers use Wellsource as a data processor in connection with the Services.  Wellsource provides the fair processing information as required by the GDPR.

Transferring Information Outside of the EU

Wellsource utilizes the European Commission-approved Standard Contract Clauses (“SCCs”) adopted by the EU Commission and relies on the European Commission’s adequacy decisions about certain countries, as applicable, for any transfers or storage of Personal Data from the EU to a non-EU country.  These clauses are contractual commitments between parties transferring Personal Data, which bind them to protect the privacy and security of the data.

Legal Basis for Processing Personal Data under GDPR

We may process Personal Data under the following conditions:

• Consent: You have given Your consent for processing Personal Data for one or more specific purposes, such as marketing.
• Performance of a contract: Processing Personal Data is necessary to perform Our contractual obligations, such as the provision of Our Services to You.
• Legal obligations: Processing Personal Data is necessary for compliance with a legal or regulatory obligation to which Wellsource is subject.
• Vital interests: Processing Personal Data is necessary in order to protect Your vital interests or of another natural person.
• Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in Wellsource.
• Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by Wellsource, such as sending You updates to this policy or Our Services, preventing fraud, promoting safety and security, improving, marketing, researching, or developing Our Services or new products.

For the processing of special categories of Personal Data, such as Your health-related information, Wellsource will rely on obtaining consent from You or Our Customers providing Us with Your consent, as applicable.

In any case, Wellsource will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Your Rights under the GDPR

Wellsource undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights.

At any time, You have the right under this Privacy Policy and by law if You are within the EU, to:

• Request access to Your Personal Data. The right to access, update, or delete the information We have on You. Whenever made possible, You can access, update, or request deletion of Your Personal Data directly within Your account settings section.  If You are unable to perform these actions Yourself, please contact Us to assist You.  This also enables You to receive a copy of the Personal Data We hold about You.
• Request correction of the Personal Data that We hold about You. You have the right to have any incomplete or inaccurate information We hold about You corrected.
• Object to processing of Your Personal Data. This right exists where We are relying on a legitimate interest as the legal basis for Our processing and there is something about Your particular situation, which makes You want to object to Our processing of Your Personal Data on this ground.  You also have the right to object where We are processing Your Personal Data for direct marketing purposes.
• Request erasure of Your Personal Data. You have the right to ask Us to delete or remove Personal Data when there is no good reason for Us to continue processing it.
• Request the transfer of Your Personal Data. We will provide to You, or to a third-party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format.  Please note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You.
• Withdraw Your consent. You have the right to withdraw Your consent on using Your Personal Data.  If You withdraw Your consent, We may not be able to provide You with access to certain specific functionalities of the Service.

Exercising of Your GDPR Data Protection Rights

You may exercise Your rights of access, rectification, cancellation, and opposition by contacting Our Data Protection Officer at well@wellsource.com – please provide details about the reason You are contracting Our Data Protection Officer in Your email message and provide an alternate email address to contract You.  Please note that We may ask You to verify Your identity before responding to such requests, including asking for specific information from You to help Us confirm Your identity.  If You make a request, We will try Our best to respond to You as soon as possible.

You will not have to pay a fee to access Your Personal Data or to exercise any of Your rights listed above, unless Your request is clearly unfounded, repetitive, or excessive.

Please contact Our Data Protection Officer at well@wellsource.com  if You have any concerns or complaints of any nature.

California Consumer Privacy Act – Privacy Notice for California Residents

If You are a California resident, Wellsource will process Your Personal Information in accordance with the California Consumer Privacy Act (CCPA). This CCPA section of Our Privacy Policy contains information required by the CCPA and forms part of Our main Privacy Policy.

Your Rights under the CCPA

Under this Privacy Policy and by law if You are a resident of California, You have the following rights:

• The right to notice. You must be properly notified which categories of Personal Information are being collected and the purposes for which the Personal Information is being used.
• The right to access / the right to request. The CCPA permits You to request and obtain from the Company information regarding the disclosure of Your Personal Information that has been collected in the past 12 months by the Company or its subsidiaries to a third-party for the third party’s direct marketing purposes.
• The right to say no to the sale of Personal Data. We do not sell the personal information of consumers, as those terms are defined under the California Consumer Privacy Act.
• The right to know about Your Personal Data. You have the right to request, up to two times per year, and obtain from the Company information regarding the disclosure of the following:
• The categories of Personal Information collected;
• The sources from which the Personal Information was collected;
• The business or commercial purpose for collecting or selling the Personal Data;
• Categories of third parties with whom We share Personal Data; and
• The specific pieces of Personal Information we collected about you.
• The right to delete Personal Data. You also have the right to request the deletion of Your Personal Information that have been collected in the past 12 months. As described in more detail in Our Privacy Policy, there are some reasons We will not be able to fully address Your deletion request, such as if We need to detect and protect against fraudulent and illegal activity, to exercise Our rights, or to comply with a legal obligation.
• The right not to be discriminated against. You have the right not to be discriminated against for exercising any of Your rights under the CCPA, including by:
• Denying goods or services to You;
• Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties;
• Providing a different level or quality of goods or services to You; or
• Suggesting that You will receive a different price or rate for goods or services or a different level or quality of goods or services.

We will not discriminate against You for exercising Your CCPA rights.

Disclosures

Categories of Personal Data, as established by the CCPA, which We may collect or may have collected from You, how We may use Your Personal Data, the categories of sources from which We may collect Personal Data, and the third parties with whom We may share Your Personal Data, depending on which Services You use and how You interact with Us are summarized below.

Categories and examples of Personal Information We collect may include:

• Identifiers, may include contact information such as, first and last name, phone numbers, postal and email address, date or place of birth, unique personal identifier, online identifier, Internet Protocol (IP) address, usernames, account name
• Personal Information listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) if You participate in an online survey or assessment and choose to provide it, may include education, employment, employment history, name, signature, address, telephone number, insurance policy number, and physical characteristics / descriptions, including weight and height, medical information, such as health, age, prescription meds, insurance / medical claims, or health insurance information (policy numbers)
• Characteristics of Protected Classifications if You participate in an online survey or assessment and choose to provide it, may include Age, race, color, language, marital status, medical conditions, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), genetic information (including familial genetic information), or other protected classifications
• Biometric Information if You participate in an online survey or assessment and choose to provide it, may include: Medical biometrics including blood pressure, cholesterol, A1C, or other physical patterns, and sleep, health, or exercise data
• Internet or Other Network or Device Activity Information (such as browsing history or application usage), may include browsing history, search history, content interaction information with the Services
• Geolocation Data, may include location information of Your Device (inferred from your IP address)
• Professional or Employment related Data, may include name of current or past employer
• Non-public educational Information, if You participate in an online survey or assessment or application and choose to provide it; may include education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records
• Survey or assessment responses

We will not collect additional categories of Personal Information or use the Personal Information We collect for materially different, unrelated, or incompatible purposes without providing You prior notice.

Personal Information does not include:

• Publicly available information from government records.
• Deidentified or aggregated Consumer information.
• Information excluded from the CCPA’s scope, such as certain health or medical information and other categories of information protected by different law.

The categories of Personal Information that We collect about You are collected from these categories of sources:

• You, including through Your use of Our Services
• Your Device(s), automatically collected from You
• Third parties, including Customers through use of Our Services

If you are a California resident using Our Services as a Respondent, all of Your response data is owned by the party that sent or directed You to the assessment or survey (the Customer) and We recommend You contact the Customer about their practices under the CCPA.

Collection and Use of Personal Information

Please review the Collecting and Using Your Personal Data section of this Privacy Policy for details about the collection and use of Your Personal Information.

Disclosures of Personal Information for a Business Purpose

As of the effective date of this Privacy Policy, Our disclosures for a Business Purpose have been to:

1. Provide, improve, or enhance Our Services;
2. Conduct internal research;
3. Promote safety, integrity, and security;
4. Provide measurement, analytics, advertising, and other business services; and
5. Comply with applicable laws.

Exercising Your CCPA Data Protection Rights

In order for California residents to exercise any of their rights under the CCPA, You can email or call Us, or write to Us at the postal address in the Contact Us section of this Privacy Policy.  We may need additional information from You to verify Your identity for security purposes before processing Your request.

We will disclose and deliver the required information for the 12 months preceding the verifiable request, free of charge within 45 days of receiving Your verifiable request.  The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.  Our written response will be delivered by mail or email, as You request, in a portable and readily-usable format, as applicable.  We will provide an explanation with Our response if We cannot comply.

Sales of My Personal Information

We do not sell your Personal Data; therefore, We do not offer an opt-out to the sale of personal data.  We will provide You with the opt-out / opt-in rights as required the CCPA if We anticipate selling Your Personal Information in the future.

However, the Service Providers We partner with (such as Our advertising partners) may use technology on the Services that “sells” personal information as defined by the CCPA law.  If You wish to opt out of the use of Your personal information for interest-based advertising purposes and these potential sales as defined under CCPA law, You may do so by following the instructions below.

Please note that any opt out is specific to the browser You use.  You may need to opt out on every browser that You use.

Mobile Devices

Your mobile device may give You the ability to opt out of the use of information about the apps You use in order to serve You ads that are targeted to Your interests:

• “Opt out of Interest-Based Ads” or “Opt out of Ads Personalization” on Android devices
• “Limit Ad Tracking” on iOS devices

You can also stop the collection of location information from Your mobile device by changing the preferences on Your mobile device.

If You have additional questions about this notice or how We exercise Your rights under the CCPA, please contact Our Data Protection Officer at https://go.wellsource.com/contact  – please provide details about the reason You are contracting Our Data Protection Officer in Your email message and provide an alternate email address to contract You.

“Do Not Track” Signals

We do not recognize or respond to browser-initiated Do Not Track signals.

Children’s Privacy

Our Websites and Services are not intended for and may not be used by children under the age of 18.  We do not knowingly collect personally identifiable information from children under the age of 16.  If You are a parent or guardian and You are aware that Your child under the age of 16 has provided Us with Personal Information without Your consent, please contact Us as soon as possible at well@wellsource.com so that We may take appropriate action.  If We become aware that We have collected Personal Information from anyone under the age of 16 without verification of parental consent, We will take steps to comply with data protection legislation, including if appropriate, deleting the information from Our servers.  If We receive Personal Information about individuals under the age of 16 from a parent or guardian, We will process, store, and disclose the Personal Information in compliance with all applicable laws.

Links to Other Websites

Our Websites may contain links to other websites that are not operated by Us.  If You click on a third-party link, You will be directed to that third party’s site.  Any information You provide to third-party websites will be governed under the terms of each website’s privacy policy and We encourage You to investigate and ask questions before disclosing any information to the operators of third-party websites.  We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no liability or responsibility for the content, actions, privacy policies or practices of any third-party sites or services.  The inclusion of third-party websites on Our Websites in no way constitutes an endorsement of such websites’ content, actions, or policies.

Blog

Our Websites may offer publicly accessible blogs.  You should know that any information You provide in these areas may be read, collected, and used by others who access them.  To request removal of Your Personal Information from Our blog, contact Us at well@wellsource.com.  In some cases, We may not be able to remove Your Personal Data, in which case We notify You and provide an explanation why We cannot do this.

Testimonials

Wellsource displays personal testimonials of satisfied Customers on Our Website in addition to other endorsements. With Your consent, Wellsource may post Your testimonial along with Your name and company logo, if applicable.  If you wish to update or delete Your testimonial, You can contact us at well@wellsource.com.

Social Media Widgets

Our Websites may include Social Media Features, such as the Facebook Like button and Widgets or interactive mini-programs that run on Our Websites.  These features may collect Your IP Address, which page You are visiting on Our Websites, and may set a cookie to enable the feature to function properly.  Social Media Features and Widgets are either hosted by a third-party or hosted directly on Our Websites.  Your interactions with these features are governed by the privacy policy of the company providing it.

Intellectual Property Rights

We maintain Our Websites for Your information, education, and convenience.  You may only download material displayed on Our Websites for legitimate, authorized purposes and must retain all copyright, trademark and other proprietary notices contained in the material.  It is strictly prohibited to modify, transmit, distribute, reuse, re-post, “frame,” or use the content of Our Websites for public or commercial purposes including the text, images, audio, and/or video without Our prior written permission.

The trademarks, logos, and service marks (the “Trademark(s)”) displayed on Our Websites, unless otherwise specified, are either the registered and unregistered trademarks of Wellsource or used under license or permission of the owner.  Nothing contained in Our Websites should be construed as granting, by implication or otherwise, any license or right to use any Trademark displayed in Our Websites without the written permission of Wellsource or any third party that may own the Trademarks displayed on Our Websites.  Your misuse of the Trademarks displayed on Our Websites, or any other content on Our Websites is strictly prohibited.

Everything You see or read on Our Websites about Wellsource® products is copyrighted by Wellsource.  Images of people or places displayed on Our Websites are either the property of Wellsource or licensed for Wellsource’s use.  The use of these images by You, or anyone authorized by You, is prohibited unless You secure the necessary permission from the rights holder.  Any unauthorized use of the images may violate copyright laws, trademark laws, the laws of privacy and publicity.

Accuracy

While We use reasonable efforts to include accurate and up-to-date information on Our Websites, We make no warranties or representations as to its accuracy, nor do We assume any liability or responsibility for any errors in the content of Our Websites.

Compliance with Export Control Laws

United States export laws require that no software or goods shall be exported 1) into (or to a national or resident of) any country to which the United States has embargoed goods; or 2) to anyone on the United States Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Table of Deny Orders.  By requesting a demo, You represent and warrant that You are not located in, under the control of, or a national or resident of any such country or on any such list.

Changes to this Privacy Policy

We reserve the right to update or modify Our Privacy Policy at any time, without prior notice, to reflect changes in Our practices.  We will provide notification of any material changes by posting the revised Privacy Policy on this page and updating the “Last Updated” date at the top of this Privacy Policy.  Your continued access to Our Websites or use of Our Services following the posting of changes constitutes Your acceptance of such changes.  You are advised to review this Privacy Policy periodically for any changes.  Changes to this Privacy Policy are effective when they are posted on this page.

Information Specific to Other Services

Wellsuite and Well4life

Wellsuite.com (“Wellsuite”) and Well4life.com (“Well4life”) are Our online applications that collect information and administer health risk assessments for Respondents and Customers.  Our Privacy Policy applies to Wellsuite and Well4life, except where the Privacy Policy may specify a section that is applicable only to Our Wellsource.com site or if information in this section distinguishes Our treatment of data and information in the case of Our Wellsuite and Well4life services, in which case this section takes precedence.

Contact Us

If You have any questions, complaints, or concerns about this Privacy Policy, or wish to exercise Your rights related to Your Personal Data, You can contact us:

• By email: well@wellsource.com
• By phone number: 800.533.9355
• By mail: Attn: Privacy and Data Protection Officer, 8100 SW Nyberg St., Tualatin, OR 97062