Vitality Privacy Notice
EFFECTIVE JULY, 2024
The Vitality Group, LLC (“Vitality”; “We”; “Us”; “Our”) owns and operates the websites VitalityGroup.com; and PowerofVitality.com (“POV”) (“Websites”); and the mobile applications Vitality Today, Power of Vitality, and Vitality One (“Applications”), which may be referred to collectively as the “Program(s).” Vitality’s Programs are made available to individuals through and on behalf of either your employer; your spouse’s employer; or another provider (“Program Provider”). This Privacy Notice applies to Personal Information (defined below) collected by or received Vitality whether online or offline. By accessing or using Vitality’s Programs, you are aware of the collection, receipt, use, disclosure and retention of your information as described in this Privacy Notice and accept the terms of this Privacy Notice and Our Terms of Use. Should you require that this Privacy Notice be read to you please contact the Vitality Customer Care Team on +1 877-224-7117. This Privacy Notice will address the following:
- From whom or where does Vitality collect personal information about me?
- What types of information does Vitality collect about me?
- Does Vitality Process Special Categories of Personal Information?
- What is Vitality’s Legal Basis for Processing Personal Information?
- How does Vitality use Personal Information it collects about me?
- How is Vitality protecting my Personal Information?
- Who can access my Personal Information at Vitality?
- Outside of Vitality, with whom would Vitality share my Personal Information?
- Do Vitality’s Websites or Applications contain links to third-party websites or apps?
- Does Vitality sell my Personal Information?
- What are Cookies and how does Vitality use them?
- How long will my Personal Information be retained?
- How will I know if this Privacy Notice changes?
- Will Vitality communicate with me directly?
- I receive the Vitality Program in the USA and I reside in California, Virginia, Utah, Colorado, Connecticut, Texas, Florida or Oregon – What are my rights?
- I receive the Vitality Program in Canada – What are my rights?
- I receive the Vitality Program in Costa Rica – What are my rights?
- I reside in and receive the Vitality Program in the European Union or the United Kingdom – What are my rights?
- I receive the Vitality Program in Guatemala – What are my rights?
- I receive the Vitality Program in Honduras – What are my rights?
- I receive the Vitality Program in Nicaragua – What are my rights?
- I receive the Vitality Program in Hong Kong – What are my rights?
- I receive the Vitality Program in Panama – What are my rights?
- International Transfers
- Does Vitality Comply with the EU-US Data Privacy Framework?
- Information for Google Fit Users
- Information for Fitbit Users
- Employer Portal
- How can I contact Vitality with my privacy concerns or inquiries?
1. FROM WHOM OR WHERE DOES VITALITY COLLECT PERSONAL INFORMATION ABOUT ME?
- From your Program Provider: As part of your eligibility for the Program, your Program Provider will provide Vitality the information necessary to verify your identity when you register for the Program and to manage your account on an ongoing basis. If you do not want Vitality to receive this information, please contact your Program Provider and ask them to stop sending Vitality any information about you. Please note that this will make you ineligible to participate in the Program.
- Directly from You, including from your devices: By engaging with the Program, information linked to you and your interactions with the Program (e.g. your physical activity, reward earning events and redemption, and form submission) will be collected or created by Vitality. You can also choose to allow certain devices and mobile applications, such as Garmin, to sync data to a Vitality Application you use. You can modify these permissions at any time through the settings menu of the applicable application.
- From authorized Third-Party Service Providers on behalf of you or your Program Provider: When you or your Program Provider grant authorization Vitality may receive information about your participation with Third-Parties Service Providers. The authorization from your Program Provider is based on the service agreement, or related agreement, it has in place with Vitality.
Additionally, if you engage with Vitality on a social media platform Vitality may respond or contact you through the applicable social media platform.
2. WHAT TYPES OF INFORMATION DOES VITALITY COLLECT ABOUT ME?
For the purposes of this Privacy Notice, Vitality’s definition of Personal Information is any information relating to an identified or identifiable natural person.
The following is a list of the types of information that Vitality may collect through its Program(s). Please note that the types of information collected about you will depend on the particular Program you are using and the activities in which you participate:
- Name
- Gender
- Address
- Contact details
- Date of birth
- Program enrollment or Program registration date
- Reporting classifications (e.g. at which branch location you are employed)
- A unique ID (e.g. your employee ID or SSN)
- Dependents / Spouse / Partner (if applicable)
- Eligibility start and end date data (if relevant)
- Cookies
- Log data including IP address
- Answers to questionnaires about your health and well-being
- Program engagement information
- Survey responses, commentary, or feedback you give on POV or Vitality Applications otherwise provide to Vitality
- Reward partner engagement if authorized
- Devices’ information such as
- the type of device
- operating system
- data that you have synched, which may include health and fitness related information (including physical activity data, body measurements, heart rate data, sleep data, meditation data) and location data if you have consented to this data synching for example where you have consented to data synching from Polar.
- Details of rewards you have earned and your reward redemptions
- Financial information such as transactions and payment details
- Health information including biometrics and medical conditions
- Additional information provided by you through online form submission or by otherwise contacting Vitality
3. DOES VITALITY PROCESS SPECIAL CATEGORIES OF PERSONAL INFORMATION?
Vitality may receive the below Special Categories of Personal Information from your Program Provider or authorized third parties, or directly from you, depending on the particular Program you are using and the activities in which you participate
- Health Data including but not limited to: information which includes your answers to questions about your health and well-being; annual biometric screening results; preventative screening proof; vaccination proof; proof of participation in a qualifying event; activity information collected from a personal device; smoking status.
Vitality receives the above, based on the consent you provided to your Program Provider or authorized third party/ies. If you wish to revoke such consent, please contact your Program Provider or authorized third parties. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent.
In relation to Special Categories of Personal Information which you submit to Vitality on your own, Vitality may request your consent to process such information. If you wish to revoke such consent, please refer to your rights in terms of section 15 to 21 below, as applicable. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent. We do not collect Special Categories of Personal Information without your consent and we will only use such information in accordance with this Privacy Notice.
4. WHAT IS VITALITY’S LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION?
Vitality acts as a Processor/ Operator/ equivalent under applicable law and signs a data protection addendum or data protection clauses or master services agreement (“DPA”) with the Controller/ Responsible Party/ equivalent under applicable law, that is most often the Program Provider. This DPA, provides the legal basis for which Vitality may process Personal Information.
Where the jurisdiction in which you utilize the Program, has data protection laws which do not differentiate between processing roles, Vitality will process your Personal Information in accordance with the DPA as a service provider.
In addition to the above, in instances where Vitality will collect Personal Information from you directly We may rely on the legal basis of consent or the agreement you have entered into with your Program Provider or the DPA. In such instances:
- Vitality will be acting in accordance with the Program Provider’s instructions which are set out in the DPA and will remain a Processor/ service provider; and
- Where Vitality collects your consent, you will be entitled to revoke the provided consent in terms of sections 15 to 21 below, as applicable. Please note that such revocation will make you ineligible to participate in the Program. Please redeem your rewards prior to withdrawing your consent
5. HOW DOES VITALITY USE PERSONAL INFORMATION IT COLLECTS ABOUT ME?
Vitality will use the Personal Information that it collects about you, to facilitate the Vitality Program which may include the use cases specified below. Vitality will only use Personal Information in accordance with this Privacy Notice. For example, Personal Information collected from a mobile application or device, will only be used to facilitate the Vitality Program.
- To administer and manage your account
- Creating and maintaining your profile
- Generating goals, activities, and/or targets
- Recommending activities and engagements
- Applying rewards earned
- Making Program features available to you
- Fulfilling purchase orders you make through the Program
- Tracking your progress through the Program
- To resolve any complaints or inquiries you may have
- Registering complaints and inquiries
- Managing and resolving complaints and inquiries
- For management of any debts owed to Vitality, if applicable
- Tracking and administration of payment installments (if any)
- Recovery of unpaid debts or reimbursement of damages under a contract
- To prevent, detect, and investigate fraud or security incidents
- Investigating suspicions of fraud
- Prosecuting fraud
- Investigating security incidents
- For Vitality company and management information purposes and internal analysis of products and services
- Accounting and financial records; analysis and reporting
- Audit requirements
- System security and effective operation
- Program quality assessments, improvements, and developments
- Conduct internal research to develop or improve the Program
- For training purposes: to improve your customer experience
- Assessing customer experiences
- Developing and improving your customer experience
- To fulfill legal obligations
- Reporting necessary information to your Program Provider for benefit administration
- Complying with any applicable law, regulation, subpoena, or legal process, or responding to any governmental requests and cooperating with law enforcement, if we believe such action is required or permitted by law
- Enforcing our Terms and Conditions
- Creating De-identified or Aggregated Data Sets
- De-identified data sets are data sets that contain member-level information, without identifiers that can be used to link the information back to a particular individual.
- Aggregated Data Sets are data sets that contain only aggregated information which cannot be decompiled or reverse engineered to identify any individual whose data may be included.
- De-identified and Aggregated Data Sets are not Personal Information; subject to any applicable laws or other restrictions, Vitality may use and disclose De-identified and Aggregated data sets for any purpose.
- Vitality will not attempt to re-identify de-identified data or Aggregated Data Sets
Vitality may also seek to use your Personal Information in a way not described above, such as in using a testimonial you have written on our website or in our marketing materials. Before using your Personal Information in this way, Vitality will first seek your voluntary and explicit consent.
6. HOW IS VITALITY PROTECTING MY PERSONAL INFORMATION?
Personal Information that you share on the website is kept strictly confidential and fully secure. Your encrypted (encoded) Personal Information is protected using "Secure Socket Layers (SSL)" as it passes between your browser and this website. We follow generally accepted industry standards to protect the Personal Information we receive, both during transmission and upon receipt. Personal Information collected by the Program, for example Personal Information received from Apple Health, will be stored securely in accordance with accepted industry standards.
No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee absolute security.
7. WHO CAN ACCESS MY PERSONAL INFORMATION AT VITALITY?
Your Personal Information is accessible by Vitality employees, including employees of Vitality affiliates, only on a need-to-know basis for the provision of services and support. Only such authorized persons are permitted to access your Personal Information. All authorized persons must abide by security, privacy, and confidentiality agreements, rules and laws.
8. OUTSIDE OF VITALITY, WITH WHOM WOULD VITALITY SHARE MY PERSONAL INFORMATION?
Your Program Provider: Vitality may share with your Program Provider (or a third party that assists and is authorized by your Program Provider) the necessary information for them to administer your incentives and for analytics purposes. Administration incentives can include: calculation of health plan premium discounts, health club dues subsidies, applicable taxation, reward redemption, or other arrangements for which such information is relevant. Such information may be shared via the employer portal.
Your Program Provider’s authorized Third-Party Service Providers: Your Program Provider may make additional incentives available to you that are provided by Third-Party Service Providers this could include your Program Provider’s inhouse service provider such as your Program Provider’s in house coaching service. In order to administer this benefit, Vitality relies on the service agreement in place with your Program Provider, and/or any related agreement, to share your Personal Information with the Third-Party Service Provider to the extent necessary to make the offering available to you. Vitality has also entered into agreements with the Third-Party Service Providers.
Service Providers to Vitality: There are instances when Vitality may disclose your Personal Information to our agents, service providers, third-party partners, affiliates and subsidiaries to enable them to perform functions or provide services on our behalf. These service providers are only permitted to share, store and/or use Personal Information for contracted business purposes.
Peer: Where you sign up for a challenge limited personal information may be shared with a peer who is also participating in a challenge.
Additionally, We may share your Personal Information when We believe that such action is necessary to:
- Fulfill an enforceable government request;
- Conform with the requirements of the law or legal process;
- Protect or defend Our legal rights or property, Our Websites or Applications, or other users; or
- Protect your health and safety or the health and safety of this website's users or the general public.
- Respond to lawful request by public authorities, including to meet national security or law enforcement requirements.
With your express authorization and consent, We may share your Personal Information for a specific purpose not provided above. Agreeing to the terms and conditions and privacy notice is not your express authorization for such uses. When appropriate, while you are logged into POV or a Vitality Application, you will be presented with a specific electronic authorization form on which you may or may not provide your consent. You may revoke such authorization at any time by navigating to your My Accounts page within the Power of Vitality website.
9. DO VITALITY’S WEBSITES OR APPLICATIONS CONTAIN LINKS TO THIRD-PARTY WEBSITES OR APPS?
Vitality’s Power of Vitality portal and its mobile applications, Vitality Today and Vitality One, may contain links to other websites that are not owned or controlled by Us or our clients (i.e., your Program Provider). We provide these links to other websites or mobile applications for your convenience to participate. If you choose to submit Personal Information while visiting these websites or using these mobile applications, please be aware your rights will be governed by the third parties’ privacy policies. We strongly encourage you to carefully read the privacy policies of any website or mobile application you visit or use.
10. DOES VITALITY SELL MY PERSONAL INFORMATION?
No. Vitality will never sell, rent, or lease your Personal Information.
11. WHAT ARE COOKIES AND HOW DOES VITALITY USE THEM?
A cookie is a file containing an identifier that is automatically sent by Us to your browser or mobile device and is stored by the browser or mobile device. The identifier is then sent back to the server each time the browser or device requests a page from the server. This information might be about you, your preferences or your device and is mostly used to make the Website or Application work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized experience.
Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Vitality uses different categories of cookies for certain purposes:
- Strictly Necessary: These cookies are necessary for the Website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling out forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not work. These cookies do not store any personally identifiable information.
- Performance: These cookies allow Us to count visits and traffic sources so We can measure and improve the performance of Our site. They help us to know which pages are the most and least popular and see how users move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, We will not know when you have visited Our Website and will not be able to monitor its performance.
- Functional: These cookies enable the Website to provide enhanced functionality and personalization. If you do not allow these cookies, then some or all of these services may not function properly.
- Cookies used by our third-party service providers: We use Google Analytics to analyze the use of Our Website. The information gathered relating to Our Website is used to create reports about the use of Our Websites. Additionally, We use MaxMind to assist in determining from where Our Program is being accessed.
You can find more information about the cookies Vitality uses by reading our Cookie Notice - or cookies in general by visiting www.allaboutcookies.org including how to disable certain cookies. If you use different computers or devices to access the Websites, you will need to ensure that each browser is adjusted to suit your cookie preferences. If you restrict Our Websites and Applications from setting cookies, you may worsen your overall user experience and/or lose the ability to access the Programs. Doing so may also stop you from saving customized settings.
12. HOW LONG WILL MY PERSONAL INFORMATION BE RETAINED?
Unless otherwise specified herein, Personal Information will only be retained for as long as is required for Us to administer the Program, subject to: legislative or regulatory retention periods; requirements by the Program Provider; or as required for Our legitimate business reasons - after which any Personal Information will be anonymized, archived or destroyed.
13. HOW WILL I KNOW IF THIS PRIVACY NOTICE CHANGES?
Vitality reserves the right to update this Privacy Notice from time to time. If We decide to change this website's privacy policies, We will post those changes to this Privacy Notice, the homepage, and other places that We deem appropriate so that you are aware of what information is being collected, how the information is being used, and under what circumstances, if any, the information may be disclosed. You should therefore refer to this Privacy Notice each time you make use of the Program.
14. WILL VITALITY COMMUNICATE WITH ME DIRECTLY?
As a Vitality member, We aim to provide you with a fully invested experience and dedication to your wellness journey. Depending on your particular Program, We will deliver marketing, status updates, or other informational emails to you via the email address you provide on your My Account page. If you choose, you may opt out of receiving these emails at any time by adjusting the settings on your account on POV or the Application you use. If you use a Vitality Application, push notifications and triggered communication may be sent to you through the App. These notifications can be turned off at any time by adjusting the application’s settings on your device.
Certain communications are necessary and cannot be turned off; these include; transactional emails, such as order confirmations, emails relating to payment processing activities, and reward redemptions; communications from our Customer Care team in response to contacts initiated by you; or other important updates like security and fraud notices or change in services.
If you send questions or comments to an email address listed within a Program or via a contact form provided within a Program, We will share your correspondence with a Vitality associate most capable of addressing your questions and concerns. We will retain your communications until we have done our very best to provide you with a complete and satisfactory response. Ultimately, We will either discard your communication or, in some cases, archive it. We will not keep your email address for secondary purposes. All information and correspondence you share with us will be handled in the strictest confidence.
We may agree that email has become a standard communication tool used by many different parties. Unfortunately, by design standard Internet email is not secure. For that reason, please do not use unsecured email to communicate information to us that you may consider to be confidential.
15. I RECEIVE THE VITALITY PROGRAM IN THE USA AND I RESIDE IN CALIFORNIA, VIRGINIA, UTAH, COLORADO, CONNECTICUT, TEXAS, FLORIDA or OREGON – WHAT ARE MY RIGHTS?
Rights Of California Residents
Under California Civil Code Section 1798.83 California residents have the right to request from companies conducting business in California a list of all third parties to which the company has disclosed certain personally identifiable information as defined under California law during the preceding year for third party direct marketing purposes. You are limited to one request per calendar year. Note that Vitality does not disclose any Personal Information to third parties for their direct marketing purposes.
The Personal Information fields under section 2 are the fields that Vitality has processed in the last 12 months, provided that you have engaged with the Program during this period.
Under the California Consumer Privacy Act (“CCPA”), if you are a California Consumer, or an authorized representative of a California Consumer as defined by the CCPA, you have the following rights regarding your Personal Information collected during the 12 months before your request:
- The right to request disclosure of the categories of Personal Information collected about you;
- The right to correct inaccurate Personal Information
- The right to request deletion of Personal Information collected about you;
- The right to request disclosure of the categories of sources from which your Personal Information is collected;
- The right to request disclosure of the business or commercial purpose for collecting or selling your Personal Information. Note that We do not sell Personal Information We collect about you; however third-party cookies are used as described above. If you do not wish to permit such cookies, please visit https://optout.aboutads.info/
- The right to request the categories of third parties with whom the business shares your Personal Information;
- The right to request a copy of the specific Personal Information collected about you; and/or
- The right not to be discriminated against because you have exercised any of these rights
- The right to limit use and disclosure of Sensitive Personal Information
Rights of Virginia Residents
Under the Virginia Consumer Data Protection Act (CDPA), if you are a Virginia Consumer, you have the following rights
- The right to request confirmation whether we are processing your personal data and to access such personal data;
- The right to request us to correct your personal data;
- The right to request to delete your personal data;
- The right to request a copy of your personal data.
Rights of Colorado Residents
Under the Colorado Privacy Act (CPA), if you are a Colorado resident, you have the following rights
- The right to confirm whether we are processing your personal data and to access such personal data;
- The right to request us to correct your data;
- The right to request to delete your personal data;
- The right to request a copy of your personal data;
Rights of Utah Residents
Under the Utah Consumer Privacy Act of 2022 (UCPA), if you are a Utah resident, you have the following rights
- The right to confirm whether we are processing your personal data and to access such personal data;
- The right to opt-out of the processing of your personal data for purposes of targeted advertising or sale of personal data;
- The right to request to delete your personal data;
- The right to request a copy of your personal data;
Rights of Connecticut Residents
Under the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), if you are a Connecticut resident, you have the following rights
- The right to confirm whether we are processing your personal data and to access such personal data;
- The right to request us to correct your data;
- The right to request to delete your personal data;
- The right to request a copy of your personal data;
Rights of Texas Residents
Under the Texas Data Privacy and Security Act (TDPSA), if you are a Texas resident, you have the following rights in general
- The right to confirm whether we are processing your personal data and to access such personal data;
- The right to request us to correct your data;
- The right to request to delete your personal data;
- The right to request a copy of your personal data;
- The right to opt out for the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in the furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
Rights of Florida Residents
Under the Florida Digital Bill of Rights, if you are a Florida resident, you have the following rights in general
- The right to confirm whether we are processing your personal data and to access such personal data;
- The right to request us to correct your data;
- The right to request to delete your personal data;
- The right to request a copy of your personal data;
- The right to opt out for the processing of personal data for purposes
- Targeted advertising;
- The sale of personal data;
- Profiling in the furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
- The right to opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data.
- The right to opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
Rights of Oregon Residents
Under the Oregon Consumer Privacy Act, if you are a resident of Oregon, you have the following rights in general:
- The right to confirm whether we are processing your personal data and to access such personal data;
- Request a list of specific third parties to which a Controller has disclosed your personal data or any personal data;
- The right to request us to correct your data;
- The right to request to delete your personal data;
- The right to request a copy of your personal data;
- The right to opt out for the processing of personal data for purposes of
- Targeted advertising;
- The sale of personal data;
- Profiling in the furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
How to Exercise my Rights
In order to exercise rights enumerated above, please contact Vitality in one of the following ways depending on the Vitality Program you use.
- If you use the Power of Vitality Website or the Vitality Today Application, please contact Vitality through our Contact Us page.
- If you use the Vitality One Application, please submit a request through the Application’s Contact Us feature located in the Support menu.
- If you are not a current Vitality member or one of the above options does not work for you, please contact Vitality through the following link: https://www.vitalitygroup.com/contact-us/.
- Alternatively, you may submit your request by calling Us at +1 312-224-7100.
Once a request is submitted, Vitality may first contact your Program Provider to inform them of the request and then work with them to complete the request.
Vitality will attempt to verify your request by using information related to your account, but in some cases additional information may be required. Subject to certain exceptions that may apply, if We are able to verify your request, We will accommodate your request in accordance with the CCPA.
16. I RECEIVE THE VITALITY PROGRAM IN CANADA – WHAT ARE MY RIGHTS?
Under Personal Information Protection and Electronic Documents Act (PIPEDA), You have certain rights to access, update, correct and withdraw Personal Information we have collected from you or received from your Program Provider or authorized third party, in order to provide the Program to you.
In order to exercise rights enumerated above, please initiate your request with your Program Provider, and they will make this request to Vitality. If you would like Vitality to support you in making this request, please contact Vitality through our Contact Us page or the details set out at the end of this Privacy Notice.
Where you submit a request directly to Vitality, We may first contact your Program Provider to inform them of the request and then work with them to complete the request.
Please note that the following terms used in this Privacy Notice will have the corresponding meaning as set out in PIPEDA:
- Special Categories of Personal Information shall mean Sensitive Personal Information.
17. I RECEIVE THE VITALITY PROGRAM IN COSTA RICA – WHAT ARE MY RIGHTS?
Under the Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 and Executive Decree No. 37554-JP of 30 October 2012 Regulating Law No. 8968 as amended by Decree No. 40008-JP, you have the following rights regarding your Personal Information collected by Vitality:
- The right of access
- The right to rectification
- The right to erasure
In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality through our Contact Us page or the details set out at the end of this Privacy Notice.
Where you submit a request directly to Vitality, We may first contact your Program Provider to inform them of the request and then work with them to complete the request.
18. I RESIDE IN AND RECEIVE THE VITALITY PROGRAM IN THE EUROPEAN UNION OR THE UNITED KINGDOM – WHAT ARE MY RIGHTS?
Your Program Provider will indicate to Vitality whether a member has rights under the General Data Protection Regulation or the UK’s Data Protection Act (collectively referred to as “GDPR”). If you believe that you are entitled to the rights of GDPR, please contact your Program Provider to ensure that they have made this indication to Vitality.
Under the GDPR, you have the following rights regarding your Personal Information collected by Vitality:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality through our Contact Us page or the details set out at the end of this Privacy Notice.
If you are not a current Vitality member or one of the above options does not work for you, please contact Vitality through the following link: https://www.vitalitygroup.com/contact-us/.
Alternatively, you may submit your request by calling Us at +1 312-224-7100.
Once a request is submitted, Vitality may first contact your Program Provider to inform them of the request and then work with them to complete the request.
In the first instance We ask that you notify your Program Provider and/or Us of any concerns you have about how we handle your Personal Information but if you are still unhappy you can contact your applicable Supervisory Authority, the details of which can be found using this link https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
19. I RECEIVE THE VITALITY PROGRAM IN GUATEMALA – WHAT ARE MY RIGHTS?
Under the Constitution of Guatemala, you have the following rights regarding your Personal Information collected by Vitality:
- The right to access
- The right to rectification
- The right to erasure
- The right to object/opt out
In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality through our Contact Us page or the details set out at the end of this Privacy Notice.
Where you submit a request directly to Vitality, We may first contact your Program Provider to inform them of the request and then work with them to complete the request.
20. I RECEIVE THE VITALITY PROGRAM IN HONDURAS – WHAT ARE MY RIGHTS?
Under the Constitutional Justice Law of Honduras, you have the following rights regarding your Personal Information collected by Vitality:
- The right of access
- The right to rectification
- The right to object/opt out
In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality through our Contact Us page or the details set out at the end of this Privacy Notice.
Where you submit a request directly to Vitality, We may first contact your Program Provider to inform them of the request and then work with them to complete the request.
21. I RECEIVE THE VITALITY PROGRAM IN NICARAGUA – WHAT ARE MY RIGHTS?
Under the Law on Personal Data Protection No. 787 of 21 March 2012, you have the following rights regarding your Personal Information collected by Vitality:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to object/opt out
In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality through our Contact Us page or the details set out at the end of this Privacy Notice.
Where you submit a request directly to Vitality, We may first contact your Program Provider to inform them of the request and then work with them to complete the request.
22. I RECEIVE THE VITALITY PROGRAM IN HONG KONG-WHAT ARE MY RIGHTS?
Under the Personal Data (Privacy) Ordinance 1996 as amended in 2012 (Cap.486) you have the following rights regarding your Personal Information Collected by Vitality:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object/Right to opt out
- Right to data portability
- Right not to be subjected to automated decision making.
In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contract Vitality through our Contact Us page of the details set out at the end of this Privacy Notice.
Where you submit a request directly to Vitality, We may first contract your Program Provider to inform them of the request and then work with them to complete the request.
23. I RECEIVE THE VITALITY PROGRAM IN PANAMA – WHAT ARE MY RIGHTS?
Under the Law No. 81 on Personal Data Protection 2019, you have the following rights regarding your Personal Information collected by Vitality:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to object/opt out
- The right to data portability
- The right not to be subjected to automated decision making.
In order to exercise rights enumerated above, please initiate your request with your Program Provider, as they are the Controller, and they will make this request to Vitality as their Processor. If you would like Vitality to support you in making this request, please contact Vitality through our Contact Us page or the details set out at the end of this Privacy Notice.
Where you submit a request directly to Vitality, We may first contact your Program Provider to inform them of the request and then work with them to complete the request.
24. INTERNATIONAL TRANSFERS
Vitality will process the Personal Information and Special Categories of Personal Data set out in this Privacy Notice, in the United States of America, and other countries where Vitality has entered into to the required agreements. Such information will be subject to foreign laws and may be disclosed to foreign authorities under such law. Where the GDPR applies, Vitality and the Program Provider have entered into the Standard Contractual Clauses, issued by the European Commission, to make provision for the applicable transfer. In terms of other jurisdictions which laws require consent or a DPA to be in place for the cross-border transfer of Personal Information, Vitality relies on the consent you provide to your Program Provider and/or the DPA for the transfer.
25. DOES VITALITY COMPLY WITH THE EU-US DATA PRIVACY FRAMEWORK?
Yes. Vitality complies with the EU-US Data Privacy Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Information from European Union member countries. The Vitality Group, LLC, including and on behalf of its affiliate Vitality Group International, Inc., have certified adherence to the Data Privacy Framework Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. In the event that Vitality makes an Onward Transfer of any information received under the Privacy Shield, it will maintain responsibility for the processing of personal information. If there is any conflict between the policies in this Privacy Notice and the Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework, and to view Data Privacy Framework list, please visit https://www.dataprivacyframework.gov/s/.
Vitality acknowledges that it is subject to the investigatory and enforcement powers of the Federal Trade Commission, the U.S. Department of Transportation and other U.S authorized statutory bodies. In compliance with the EU-US Data Privacy Framework Principles, The Vitality Group commits to resolve complaints about your privacy and Our collection or use of your Personal Information. European Union individuals with inquiries or complaints regarding this Privacy Notice should first contact The Vitality Group at:
The Vitality Group, LLC
Attn: Data Privacy Officer
120 S. Riverside Plaza, Suite 400
Chicago, IL 60606
US_Privacy@vitalitygroup.com
+1 312-224-7100
The Vitality Group has elected the panel established by EU Data Protection Authorities (DPAs) as its independent dispute resolution body to address complaints and provide appropriate recourse free of charge. The Vitality Group commits to cooperate and comply with the above body’s advice with regards to matters concerning our handling of Personal Information in terms of the EU-US Data Privacy Framework
Under limited circumstances, an arbitration option is available to an individual to determine, for residual claims, whether The Vitality Group has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied.
26. INFORMATION FOR GOOGLE FIT USERS
Vitality complies with the Google API Services User Data Policy including the Limited Use requirements. Vitality will only receive the below device data from Google Fit where you allow your mobile application to sync data to the Vitality Application you use. You can modify these permissions at any time through the settings menu of the applicable application.
If you have consented to data synching, the device data that Vitality will collect through the Program includes:
- physical activity data (including meditation data)
- body measurements,
- heart rate data,
- sleep data
The above device data will only be used to facilitate the Vitality Program in accordance with section 5 above.
Vitality may disclose your device data, to our agents, service providers, third-party partners, affiliates and subsidiaries to enable them to perform functions or provide services on our behalf. These service providers are only permitted to share, store and/or use such data for contracted business purposes.
Vitality will protect your device data in accordance with section 6 of this Privacy Notice.
27. INFORMATION FOR FITBIT USERS
The use of information received from Fitbit APIs and/or Developer Tools will adhere to the Fitbit Platform Developer and User Data Policy (https://dev.fitbit.com/legal/platform-developer-and-user-data-policy/), including the Limited Use requirements.
28. Employer portal
In the event that you are a Program Provider and you use any Personal Information set out in this Privacy Notice in the employer portal, you shall ensure that such Personal Information is processed in accordance with the Privacy Notice.
29. HOW CAN I CONTACT VITALITY WITH MY PRIVACY CONCERNS OR INQUIRIES?
Individuals with inquiries or complaints regarding the privacy of their Personal Information at Vitality or this Privacy Notice should first contact The Vitality Group at:
The Vitality Group, LLC
Attn: Data Privacy Officer
120 S. Riverside Plaza, Suite 400
Chicago, IL 60606
US_Privacy@vitalitygroup.com