Effective Date: May 12th, 2020
TMA @ Your Service, LLC (doing business as “Wellworks For You”) (“Wellworks For You”, the “Company”, “We”, “Us”, or “Our”) is committed to the individual’s right to privacy.
This Privacy Statement applies to all Affiliates, Websites and Services owned and operated by Wellworks For You and describes our privacy practices for how we collect, use, share and process information relating to individuals (“Personal Data”), and how you can learn about your rights and choices regarding our processing of your Personal Data.
As a global organization, we abide by all applicable data privacy laws, such as the California Consumer Privacy Act (“CCPA”), the European Union’s General Data Protection Regulation (“GDPR”), and the US Health Insurance Portability and Accountability Act (“HIPAA”). Each of these laws focuses on transparency and trust.
To learn more information about the following aspects of Wellworks privacy practices, please click on the links below:
- Wellworks and Your Information
- Wellworks For You and Customer Data
- Wellworks For You and CCPA
- Wellworks and GDPR
- Wellworks and Security
- Wellworks and Website Cookies
Wellworks and Communication
At Wellworks, we strive to maintain productive communication with our current and prospective customers. You may manage your preferences by clicking on the “unsubscribe” link located on the bottom of our marketing emails. Please note that customers cannot opt out of receiving transactional emails related to usage of Wellworks Services.
Wellworks Chief Privacy Officer is happy to help with questions or inquiries.
Wellworks For You
70 East Lancaster Ave
Frazer, PA 19355
Wellworks and Change
Wellworks reserves the right to update this Privacy Statement to reflect changes to our practices. We will provide notification of material changes here or directly to our Customers via email prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
Wellworks and Your Information
When you express an interest in obtaining additional information about Wellworks services or access secure areas of our Websites, we may require you to provide personal information such as: full name, company name, email address, mailing address, phone number, portal login ID and password.
As you navigate our Website, Wellworks may collect information using commonly used information gathering tools such as web beacons and cookies. Information collected includes standard information from your web browser such as your Internet Protocol (IP) address, browser type, operating system, referring/exit pages, links clicked, and actions taken while browsing.
Use of Information Collected
Wellworks uses the information collected from our Websites to perform the services requested. For example, we may use this information to:
- Send requested product or service information
- Send product updates
- Respond to customer service requests
- Administer your account
- Send newsletters
- Send marketing communications
- Respond to questions and concerns
- Improve our Web site and marketing efforts
- Conduct research and analysis
Sharing of Information Collected
We will only share your Personal Data with third parties in the ways that are described in this Privacy Statement.
We may provide your Personal Data to companies or their Websites (such as our Customer Service Portal Provider) that provide Services to help us with our business activities such as customer support or billing for our Services. These companies are authorized to use your Personal Data only as necessary to provide these Services to us.
We may also disclose your Personal Data:
- As required by law such as to comply with a subpoena, or similar legal process,
- When we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request,
- If we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified via email and/or a prominent notice on our Website of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data,
- To any other third party with your prior consent to do so.
Public Forums and Customer Testimonials
Wellworks may provide bulletin boards, blogs, or chat rooms on the Company’s Websites. Any Personal Data you choose to submit in such a forum may be read, collected, or used by others who visit these forums and may be used to send you unsolicited messages. We are not responsible for the Personal Data you choose to submit in these forums.
Wellworks may post lists of Customers and testimonials on the Company’s Websites that contain information such as Customer names and titles. We obtain the consent of each Customer prior to posting any information on such a list or posting testimonials. To request removal of your Personal Data from our blog or forum or to have your testimonials removed, contact us at firstname.lastname@example.org.
Your Information on Customer Portals
If you would like to update or change your password, you may click on the “Forgot your password?” link on the login page. After you provide your username, a system generated password will be created and sent to the email address indicated on your profile. The email will contain a link where you can change your password.
Wellworks and Customer Data
Wellworks Customers may electronically submit data or information for hosting and processing Purposes (“Customer Data”). Wellworks will not review, share, distribute, or reference any such Customer Data except as provided in the Wellworks Business Agreement, or as may be required by law. In accordance with the Wellworks Business Agreement, we may access Customer Data only for the Purpose of providing the Services, preventing or addressing Service or technical problems, at a Customer’s request in connection with Customer support matters, or as may be required by law.
Service Providers, Sub-Processors and Third Parties
Wellworks may transfer Personal Data to partners that help us provide our Services. Transfers to third parties are covered by the provisions of our Customer and partner agreements.
To see a list of our sub-processors, please contact us at email@example.com
Wellworks For You will retain your information (including Customer Data we collect on behalf of our Customers) for as long as your or that Customer’s account is active or as needed to provide you Services, and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes.
Wellworks and CCPA
This section supplements the information contained in the rest of our Privacy Statement and applies to all Consumers residing in the state of California according to “The California Consumer Privacy Act of 2018” (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (“CCPA”) and is effective upon the date that the CCPA enters into operation. Consumers are referred to below as “you”, “your”, “yours”, and, for such Consumers, these provisions supersede any other possibly divergent or conflicting provisions contained in the Privacy Statement. This part of the Privacy Statement uses the terms “Consumer”, “Personal Information”, “Sale” and “Business Purpose” as they are defined in the CCPA. All other capitalized terms in this section of the Privacy Statement are intended to have the same meaning as in the CCPA.
The CCPA regulates the online collection of Personal Information from children under the age of 16. Our Services are not directed to or used by children, and we do not knowingly collect Personal Information from children under the age of 16.
Collection of Personal Information
As of the effective date, our Disclosures for a Business Purpose include:
- Auditing related to a current interaction with the Consumer and concurrent transactions, including, but not limited to auditing compliance with this specification and other standards;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
- Debugging to identify and repair errors that impair existing intended functionality;
- Performing services on behalf of Wellworks or a Customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying Consumer information, marketing services, providing analytic services, or providing similar services on behalf of Wellworks or a Customer;
- Undertaking internal research for technological development and demonstration;
- Undertaking activities to improve, upgrade, enhance, verify or maintain the quality of Wellworks Services;
- Disclosure to a Third Party, that is bound not to further disclose such information and is prohibited from Selling such information;
- Consumer Identity Verification Information or Authorized Agent designation and identity verification; and
- Compliance with law.
Verifiable Consumer Requests
You can make requests related to your rights under the CCPA by using the links at the end of this Privacy Statement.
If you are a Consumer, you have the right to request that we disclose to you (i) the categories of Personal Information we Collected about you and the Categories of Sources from which we Collected such information; (ii) the specific pieces of Personal Information we Collected about you; (iii) the Business or Commercial Purpose for Collecting Personal Information about you; and (iv) the categories of Personal Information about you that we shared or Disclosed and the Categories of Third Parties with whom we shared or to whom we Disclosed such information in the preceding 12 months. You also have the right to request that we delete Personal Information we Collected from you subject to certain exceptions explained below.
You also have the right to not be discriminated against in pricing and services because you exercise any of your rights under the CCPA. Wellworks does not offer Financial Incentives or Price or Service Differences to Consumers in exchange for the retention or Sale of a Consumer’s Personal Information.
You may only make a Verifiable Consumer Request for access or data portability twice within a 12-month period. The Verifiable Consumer Request must:
- Provide sufficient information that allows us to reasonably Verify you are the Consumer about whom we Collected personal information or an Authorized Agent (i.e., a person registered with the California Secretary of State that you authorize to act on your behalf). You may be required to submit proof of your identity. Only you or your Authorized Agent may make a Verifiable Consumer Request regarding your Personal Information.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We will confirm receipt of your Verifiable Consumer Request promptly and aim to respond to your request within 45 days of its receipt. Should we need more time, we will explain to you the reasons why and how much more time we need to complete the request. Please note that we may need to take up to 90 days to fulfill your request.
We will not charge a fee to process or respond to your Verifiable Consumer Request unless we reasonably determine it is excessive, repetitive, or manifestly unfounded. As such, if we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will respond to your request consistent with the CCPA requirements, which do not apply to certain information excluded from the scope of the CCPA, such as publicly available information from government records; De-identified information, Aggregated Consumer Information, and information excluded from the CCPA’s scope, including health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data.
We will review the information related to your Verifiable Consumer Request that you provide and may request additional information from you to help ensure we are interacting with the correct individual. If you have an online account with us, you may be required to log-in to your account for identity verification. If you do not have an account with us, other information to Verify your identity may be required by law before we may take action upon such a request. This other information may vary depending on the nature of your request and/or the nature of the information about which your request relates. We may also be required by law to obtain a signed declaration under penalty of perjury from you. If we suspect fraudulent or malicious activity, we will delay taking action on your request until we can appropriately Verify your identity and the request as authentic.
By law, we are not required to Collect Personal Information that we otherwise would not Collect in the ordinary course of our business, retain Personal Information for longer than we would otherwise retain such information in the ordinary course of our business, or reidentify or otherwise link information that is not maintained in a manner that would be considered Personal Information. If we have not requested specific information from you to Verify your request, please do not send such information.
We generally will aim to avoid requesting additional information from you for the purposes of verification. However, if we cannot reasonably Verify your identity or more information is needed for security or fraud-prevention purposes, we may consider any of the following factors, alone or in combination, in requesting additional information:
- The type, sensitivity, and value of the Personal Information Collected and maintained about the Consumer, as applicable law requires a more stringent verification process for sensitive or valuable Personal Information;
- The risk of harm to the Consumer posed by any unauthorized access or deletion;
- The likelihood that fraudulent or malicious actors would seek the Personal Information;
- Whether the Personal Information to be provided by the Consumer to Verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated;
- The manner in which we interact with you as the Consumer;
- Available technology for verification; and
- Other factors that may be reasonable in the circumstances, are consistent with industry practice, are recommended by California government officials, or which may be required by law or regulation following the effective date of this Privacy Statement.
If your request is regarding household information, the same verification steps above are required before we can provide you with aggregate household information. For us to process a request for access to or deletion of specific pieces of information regarding your household, all members of the household must make the request, and we must be able to Verify each household member.
In some cases, we may not have sufficient information about you or your household to be able to Verify your identity or sufficiently differentiate you from another consumer or household to the degree of certainty required by law, in which case, we will not be able to act upon your request. In such cases, it may be unlikely that we would be able to identify you or your household in the future without Collecting significantly more information or seeking to reidentify De-identified information. At this time, we do not intend to take such steps in response to a request made pursuant to this Privacy Statement and applicable law does not require that we do so. If, in the future, we determine a reasonable method to identify you or your household absent such steps, we will provide an update to you through this Privacy Statement and in response to any such request at that time.
Information that you submit for the purpose of allowing us to verify your identity in furtherance of an individual Consumer-related or household-related request pursuant to California law will only be used by us, and our Service Providers if any, for that purpose and no other. Except where we are required by law to maintain such information for record-keeping purposes, we will take steps to delete any new Personal Information Collected for the purpose of verification as soon as practical after processing your request.
Please also be aware that making any such request does not ensure complete or comprehensive removal or deletion of Personal Information or content you may have posted. When we receive a deletion request, it may be necessary for us to flag certain Personal Information and suppress any future processing or sharing of that information in order to ensure proper fulfillment and implementation of the deletion request on an ongoing basis. In addition, there may be circumstances in which the law does not require or allow us to fulfill your request, including, for example, where retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we Collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another Consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with any Consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
To exercise your rights:
- If you are an EU resident, you may exercise your data subject rights under Articles 15 to 22 of the GDPR by contacting firstname.lastname@example.org
- For all other privacy requests, contact email@example.com
Please note that we cannot accept or process requests through any other means (such as via fax or social media).
For questions regarding this Privacy Statement, please contact firstname.lastname@example.org
Wellworks and GDPR
This section supplements the information contained in the rest of our Privacy Statement and applies in respect of data subjects and processing of personal data subject to the GDPR.
For Wellworks Customers: Wellworks’s data processing commitments to all Customers comply with the GDPR and other applicable data protection laws.
For Individuals: This section provides specific information about how Wellworks complies with the EU General Data Protection Regulation (“GDPR”) as a data processor and provides the fair processing information required by Articles 13 and 14 of the GDPR. It supplements the information contained in the rest of our Privacy Statement and applies to all data subjects residing in the European Union. Pursuant to Article 28 of the GDPR, a controller of personal data (subject to the GDPR) is required to have certain mandatory provisions in its contract with processors. These are seen in GDPR addendums and would have clauses covering these items. For a copy of our GDPR addendum with our processor please contact email@example.com.
Our EU Data Protection Officer and Information Security Officer have assessed our obligations as a Processor of our Customers for Wellworks data products. Operating in a way that fosters trust and transparency, we appreciate the GDPR benefits of improving our business, becoming more efficient and creating better relationships with our customers and those whose data they collect.
Our EU Data Protection Officer can be contacted via email on firstname.lastname@example.org.
Information Wellworks processes
Please refer to the section titled “Wellworks and Your Information” for details of the categories of personal data processed by Wellworks.
How Wellworks collects information
Please refer to the section “Wellworks and Your Information” for information as to how Wellworks collects personal data.
Purposes for using your information
Please refer to the section “Use of Information Collected” for details of how Wellworks uses your information.
If Wellworks intends to further process the personal data for a purpose other than that for which the personal data were collected, we will provide you, prior to that further processing, with information on that other purpose and with any relevant further information.
Legal basis for using your information
Our processing of your personal information is necessary:
- for the performance of contracts to which you will be a party and in order to take steps at your request prior to you entering into those contracts
- for the purposes of legitimate interests pursued by us
- in order to comply with a legal obligation to which we are subject
In relation to any processing of special categories of personal information such as information about your health, we will generally rely on obtaining specific consent from you or one of our customers providing us with your consent at the time unless there is otherwise a legal requirement for us to process such information.
Where our processing is based on the legitimate interest grounds described above, those legitimate interests are: (i) collecting personal information to provide you with a smooth and efficient customer experience; (ii) running our business; (iii) to provide the products and services you have requested; (iv) to prevent fraud; and (v) for our own marketing, research and product development.
Recipients or categories of recipients of the personal data
Please refer to the section titled “Sharing of Information Collected” for Wellworks practices regarding sharing of personal data.
Transferring information outside of the EU
The information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfillment of your order, the processing of your payment details and the provision of support services.
When we, or our permitted third parties, transfer your information outside the European Economic Area, we or they will impose obligations on the recipients of that data to protect your information to the standard required in the EEA or otherwise require the recipient to subscribe to international frameworks intended to enable secure data sharing. In the case of transfers by us, we will put in place appropriate safeguards to ensure that your information remains adequately protected.
Data Subject Rights
At any time, you have the right:
- to request access to or a copy of any information which we hold about you;
- to rectification of your information, if you consider that it is inaccurate;
- to ask us to delete your information, if you consider that we do not have the right to hold it;
- to withdraw consent to our processing of your information (to the extent such processing is based on previously obtained consent);
- to ask us to stop or start sending you marketing messages as described below in the marketing section;
- to restrict processing of your information;
- to data portability (moving some of your information elsewhere) in certain circumstances;
- to object to your information being processed in certain circumstances; and
- not to be subject to a decision based on automated processing and to have safeguards put in place if you are being profiled based on your information.
You may exercise your data subject rights set out above by contacting email@example.com. Wellworks will provide information on action taken on such a request to you without undue delay and in any event within one month of receipt of the request. We will comply with our legal obligations as regards your rights as a data subject. We aim to ensure that the information we hold about you is accurate at all times. To assist us in ensuring that your information is up to date, do let us know if any of your personal details change.
If we need to extend this period by two further months where necessary, taking into account the complexity and number of the requests, then Wellworks will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If you make the request by electronic means, we will provide the information to you by electronic means where possible, unless otherwise requested by you.
If Wellworks does not take action on your request, we will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on your possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Wellworks Software Solutions
For our Software Solutions, Wellworks is a Processor (as defined in the GDPR) of EU Personal Data under the direction of our Customers who are Controllers (as defined in the GDPR). If you are a customer of one of our Customers and would no longer like to be contacted by one of our Customers that use our Services, please contact the Customer that you interact with directly. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct queries to the appropriate Wellworks Customer (the Controller). If a Wellworks Customer requests our assistance in the removal of data, Wellworks will respond to such requests within 20 business days.
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
How long Wellworks keeps information
Please refer to the section titled “Data Retention” for information as to how long Wellworks will keep your information.
How To Contact Us
Questions, comments and requests regarding this policy are welcomed and should be addressed to firstname.lastname@example.org
Changes To This Policy
Security and Infrastructure
Data security is paramount for Wellworks and our customers. Wellworks protects customer data with world-class physical, network, application, and data-level security. In addition, Wellworks invests in the most advanced and modern infrastructure available to provide an innovative, scalable, global, predictable, and secure environment.
Wellworks maintains a comprehensive security program to ensure the confidentiality, integrity, and availability of customer data. Information that you share on the website is kept strictly confidential and fully secure. Your encrypted (encoded) information is protected using “Secure Socket Layers (SSL)” as it passes between your browser and this website. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. Wellworks is committed to ensuring our services are available for operation and use at times set forth in service-level agreements, protected against unauthorized physical and logical access – including key entry authentication and 24/7/365 onsite monitoring – and that our system processing is complete, accurate, timely, and authorized.
SERVICE ORGANIZATION CONTROLS
Wellworks regularly passes rigorous third-party compliance audits of our robust security, confidentiality, and availability controls. Wellworks publishes a Service Organization Controls 2 (SOC 2) Type II report under the Security and Availability Trust Service Principles (TSPs). Wellworks data centers and service providers also publish SSAE16 SOC1 Type II and HITRUST reports. These reports confirm that Wellworks delivers fully secure and reliable, high quality operating standards in its data center operations, including provisioning, management and monitoring of the hardware, network, and firewall. All of these reports are for limited distribution and shared under confidentiality agreement (CDA). Please direct all requests through your Wellworks Account Executive or Customer Service Representative.
Wellworks leverages the most advanced cloud infrastructure to provide an innovative, scalable, global, predictable, and secure environment.
Wellworks uses Expedient as its primary cloud infrastructure provider to meet Wellworks customers’ growing needs.
Expedient is HITRUST CSF certified and has entered into the EU Model Clauses and a Business Associate Agreement (HIPAA) with Wellworks. To ensure conformance with local regulations, application data resides and is backed-up in key geographic regions — U.S. (East Coast),