Empyrean Benefit Solutions Benefits Administration Platform PRIVACY POLICY

Last modified: March 14, 2025

INTRODUCTION

This is the privacy policy for the Empyrean Benefit Solutions, Inc. benefits platform (“Benefits Platform Privacy Policy”). Empyrean Benefit Solutions, Inc. (“We” or “Our” or “Empyrean”) is the benefits administrator hired by your employer or former employer (“Employer”), or other entity sponsoring your benefit programs (collectively, the “Plan Sponsor”) to administer the health and welfare benefit programs your Plan Sponsor makes available to you. The Empyrean benefits platform (“Benefits Platform”) is ultimately where you can review and enroll in the benefit programs of your Plan Sponsor.

This Benefits Platform Privacy Policy provides information about the data We collect, store, and process on behalf of your Plan Sponsor (and you) as we deliver the benefits administration services (the “Services” including the Benefits Platform) to your Plan Sponsor and to you. It applies to the various component technologies that allow access to the Benefits Platform in different ways. These include Compass (the portion of the platform that is branded to your Plan Sponsor through which you review and/or enroll in your benefit programs); Manager Access Point, “MAP” (the portion of the platform specifically for administrators of the Plan Sponsor and through which they can access Compass); EmpyreanGo (the mobile app where you can access Compass and/or MAP on your mobile phone); and/or BenefitsGO by Empyrean™ (a custom branded desktop and mobile app where you can access Compass and/or MAP if your Plan Sponsor so purchased BenefitsGO as part of its Services).

This Benefits Platform Privacy Policy also applies to those portions of Our Services or Empyrean offerings that do not reference a specific privacy policy. In such cases, this Benefits Platform Privacy Policy will apply to such Services or Empyrean offerings unless a separate privacy policy explicitly states that it is applicable to such Service or Empyrean offering in lieu of this Benefits Platform Privacy Policy. This Benefits Platform Privacy Policy is incorporated by reference into the Empyrean Benefits Platform Terms of Use (“Terms of Use”).

References to “You” or “Your” in this Benefits Platform Privacy Policy mean you and your authorized representatives (if any).

IMPORTANT - Please Read This Benefits Platform Privacy Policy Carefully

UPON YOUR FIRST USE OF OUR BENEFITS PLATFORM, YOU WILL BE REQUIRED TO ACCEPT BOTH THIS BENEFITS PLATFORM PRIVACY POLICY AND THE CORRESPONDING TERMS OF USE. IF YOU CONTINUE USING THE BENEFITS PLATFORM, YOU HAVE AGREED TO THIS BENEFITS PLATFORM PRIVACY POLICY. IF YOU DO NOT AGREE WITH THIS BENEFITS PLATFORM PRIVACY POLICY YOU SHOULD NOT CONTINUE ACCESSING THE BENEFITS PLATFORM AND YOU SHOULD CONTACT YOUR PLAN SPONSOR, AS EMPYREAN WOULD NOT BE ABLE TO ADMINISTER YOUR BENEFITS AND/OR THE BENEFIT PROGRAMS OF YOUR PLAN SPONSOR AS PERTAINS TO YOU.

WE MAY REVISE THIS BENEFITS PLATFORM PRIVACY POLICY AT ANY TIME AND/OR FROM TIME TO TIME. IF WE MAKE CHANGES TO THIS BENEFITS PLATFORM PRIVACY POLICY WE WILL REFLECT THAT BY REVISING THE DATE AT THE TOP OF THIS BENEFITS PLATFORM PRIVACY POLICY AND WILL POST THE REVISED VERSION ON THE BENEFITS PLATFORM. YOUR CONTINUED USE OF THE BENEFITS PLATFORM MEANS YOU HAVE AGREED TO THE CHANGES MADE IN ANY SUBSEQUENT BENEFITS PLATFORM PRIVACY POLICY. WE ENCOURAGE YOU TO CHECK THIS BENEFITS PLATFORM PRIVACY POLICY PERIODICALLY TO SEE IF IT HAS BEEN UPDATED.

BENEFITS PLATFORM DATA COLLECTION AND USAGE

Data We Collect

Empyrean collects data and information from your Plan Sponsor and from you when you use the Benefits Platform that identifies you, and/or your dependents, or beneficiaries (“Personal Information”). Examples of Personal Information include name, address, phone number, social security number, employee identification number, email address, date of birth, date of hire and other information about yourself, your dependents, and/or your beneficiaries relevant to administering your benefit programs. Personal Information also includes information related to your access of the Benefits Platform and/or use of the Benefits Platform which may include but not be limited to browser agent, IP address, internet domain, or date/times you access the Benefits Platform. We may request Personal Information from you in order to deliver requested materials to you, respond to your questions, or deliver a product or service(s) to you.

How We Use Your Personal Information

Empyrean collects and uses Personal Information to perform the Services that your Plan Sponsor has contracted with us to provide. These Services are specific to administering your Plan Sponsor’s health and welfare benefit programs that you are participating in or may become eligible to participate in in the future. The chart below provides the broad categories of how we may use your Personal Information.

| How we may use your Personal Information | The Reasons |
| --- | --- |
| To provide the Benefits Platform to you and your Plan Sponsor, the provision of which may include tasks such as providing eligibility information, taking your enrollment, customer support, updating your account and/or performing updates to the Benefits Platform | For the performance of our agreement with your Plan Sponsor, to comply with your requests and/or to assist with your use of the Benefits Platform |
| To prevent and detect fraud against you or us | For our legitimate interests, yours or those of a third party to minimize fraud that could be damaging for us and for you |
| Processing information necessary to comply with legal and regulatory obligations that apply to our business, the Services, and/or the Benefits Platform | To comply with our legal and regulatory obligations |
| Ensuring business policies are adhered to (e.g., policies covering security and internet use) | For our legitimate interests or those of a third party (e.g., to make sure we are following our own internal procedures, so we can deliver the best service to you) |
| Operational reasons and/or statistical analysis to help us manage the Services and/or our Benefits Platform, such as improving efficiency, training, and quality control | For our legitimate interests or those of a third party to be as efficient as we can to deliver quality services at the fair price (e.g., anonymizing data and aggregating data for analytics and reporting) |

How We Collect Your Personal Information

Much of your Personal Information is being supplied to us by your Plan Sponsor as part of your employment relationship with your Plan Sponsor. Empyrean may also collect Personal Information about you, your dependents and/or your beneficiaries from you directly when you use the Benefits Platform and you supply information and/or you contact the service center associated with your Plan Sponsor. For example, when you want to add your dependents to your coverage, you will need to provide us with their Personal Information voluntarily so that we can add them to your coverage.

In addition, Empyrean automatically collects certain information about access and usage when you access the Benefits Platform such as log in information (browser agent, IP address, dates and times of access); location information where your device permissions allow; unique device information related to the computer or mobile device being used to access the Benefits Platform; and/or access and usage information such as automatic data collection technology. The data we automatically collect is used to help us improve the Benefits Platform and create a better user experience for you. Cookies are an example of the automatic data collection technology that Empyrean uses. A cookie is a text file placed on the hard drive of your computer or device browser to automatically store your preferences. The limited information that may be collected through the use of cookies includes the Internet Protocol address automatically assigned to your computer, your browser type, the date and time of your visit, the pages you visit and the amount of time spent on each device.

We Do Not Sell Your Personal Information Or Use Your Personal Information for Marketing

Neither Empyrean nor its subcontractors sell any of your Personal Information. We also do not use your Personal Information for marketing purposes independent of the Services we are contracted to provide to your Plan Sponsor.

Information Sharing with Third Parties

We disclose your Personal Information to third-parties only to carry out the Services we are contracted to provide to your Plan Sponsor. These third-parties may include those that (1) your Plan Sponsor identifies as those we need to share data with (e.g., the benefit plan carrier for the medical plan you elected); and/or (2) Empyrean’s subcontractors that will deliver part of the Services. These subcontracted parties may include without limitation ancillary service providers such as COBRA, spending account service providers, financial service providers, customer support specialists, web hosting companies, print fulfillment companies, data analysis firms, e-mail service providers, back office support providers and the like.

We may also share your Personal Information with partners that are not our subcontractors but who, in being contracted by your Plan Sponsor to provide certain products, help to provide the Services nonetheless. These partners may offer benefit program products and services that, to the extent you are eligible and your Plan Sponsor makes such products and services available to you, you can elect to enroll. When you choose to enroll in such products, Empyrean will share your data with the provider so the Services can be provided. Examples of these partners include, but are not limited to, financial product providers, health savings account bank providers, and/or various insurance carriers who offer voluntary products such as critical illness plans, hospital indemnity plans, supplemental life insurance plans and the like. We encourage you to review the respective privacy policies of such entities and/or discuss such offerings with your Plan Sponsor if you choose to participate in the partner offerings made available to you.

Additional terms and/or consents may be requested of you in order for Empyrean to share your Personal Information with these partners.

Empyrean may also disclose your Personal Information in connection with legal processes (e.g., to comply with a court order or subpoena), billing and collections (e.g., in connection with your Plan Sponsor’s agreement with Empyrean), or law enforcement (e.g., to detect, prevent or address fraud or other illegal activities).

Examples of Personal Information that Empyrean has disclosed in the prior 12 months

In the last 12 months, we may have disclosed Personal Information in connection with the Benefits Platform only for the business purposes described in this Benefits Platform Privacy Policy and the table below:

| Category of Personal Information | Category Examples | Categories of Non-Affiliated Persons to Whom We Have Disclosed This Category of Personal Information for a Business Purpose |
| --- | --- | --- |
| Identity and/or Contact Information | Name, postal address, Internet Protocol address, email address, telephone numbers, or other similar identifiers | To a court of law pursuant to a subpoena requiring disclosure of personal information |
| Job Information | Information about your job or employer | N/A |
| Insurance Information | Insurance policy number or health insurance information | To a court of law pursuant to a subpoena requiring disclosure of personal information |
| Financial Information | Bank account number, credit/debit card information, or other financial information | N/A |
| Technical Information | Network information, website browsing history, log-in information | N/A |
| Health Care Election/Coverage Information | Election and coverage information in your benefit programs | To a court of law pursuant to a subpoena requiring disclosure of personal information |
| Sensitive Information | Social security number | To a court of law pursuant to a subpoena requiring disclosure of personal information |

Links to Third Party Websites

The Benefits Platform may contain links to or from third-party websites. Please be aware that Empyrean is not responsible for and does not have any liability for the privacy practices of third-party websites or third-party service providers.

You should review third-party privacy policies posted on any of the third-party websites before you consent to providing Personal Information to them.

How We Protect Your Personal Information

Empyrean has implemented industry standard operational, administrative and technical measures that are designed to secure your Personal Information from unauthorized access, use, alteration, and disclosure.

For example, your Personal Information is encrypted while stored on secure servers behind security firewalls.

Empyrean requires the use of a password known only to you to access the Benefits Platform. You are responsible for keeping your password confidential. Notify Empyrean promptly if you believe your password has been breached or is otherwise being used without your authorization.

Privacy Information Of Minors

The Benefits Platform is designed for and directed to adults. It is not directed to children or minors under the age of 18.

If Empyrean is notified that we have collected Personal Information of a minor under the age of 18, except in connection with such minor being a Dependent in connection with a benefit program to which you have enrolled them in or they are required to be enrolled in pursuant to a Qualified Domestic Relations Order, we will promptly delete such information. If you submit Personal Information relating to a minor, you are consenting to allow us to process that information for purposes of administering the Services.

Parents or guardians of children under the age of 18 may mail or fax us a request that allows them to review any information collected about their child/children, have this information deleted, and/or request that there be no further collection or use of their child’s information. Such access and directives will be subject to authenticating the parental/guardian identity and status. If you believe we might have any information from or about a child under 18 that was not obtained voluntarily from the child’s parent or legal guardian or the Plan Sponsor of the child’s parent or legal guardian in connection with the administration of benefit programs provided by your Plan Sponsor and administered by Empyrean, please contact us at Compliance_Privacy@goempyrean.com.

Keep Your Personal Information Updated

It is important to keep your Personal Information updated. You can update the Personal Information you have voluntarily given us through the features in the Benefits Platform or by contacting the service center for your Plan Sponsor.

Please note that if you wish to update or change any Personal Information that has come to us from your Plan Sponsor in connection with our agreement with them, you will need to contact your Plan Sponsor directly to support your request.

Deactivating or Deleting Your Personal Information

Should you wish to delete or deactivate your account, you should contact your Plan Sponsor for assistance. If you alternatively contact Empyrean for assistance through the “Contact Us” process described in this Benefits Platform Privacy Policy, we will coordinate with your Plan Sponsor in regard to your request. There may be legitimate and legal reasons that your account and/or Personal Information may not be deleted.

Mobile Push Notifications/Alerts and Emails

When you use the Benefits Platform you provide Empyrean with consent to send you non-promotional, benefits related, push notifications or alerts to your mobile device.

You can deactivate these push notifications and alerts at any time by changing the notification settings on your mobile device.

Empyrean may send you non-marketing emails for various related business purposes that include, without limitation, account administration and information about your use of the Benefits Platform. You will continue to receive such emails as long as you use the Benefits Platform.

State Privacy Rights

Some states provide consumers with additional privacy rights in respect of their Personal Information. Please refer to the attached Empyrean State Privacy Law Supplement to Empyrean Privacy Policies for additional state privacy law information.

International Privacy Rights

Empyrean is based in the United States and does not have operations outside of the United States.

Empyrean does not process or store your Personal Information outside of the United States. Empyrean also will not transfer your data outside of the United States unless otherwise directed to by your Plan Sponsor.

If you are using the Benefits Platform and you reside outside of the United States, by using our Benefits Platform you are consenting to your Personal Information being transmitted, collected, stored and processed in the United States in connection with your use of our Benefits Platform.

Cross Border Data Transfers and Data Storage

Empyrean will not send your Personal Information outside of the United States unless directed by your Plan Sponsor and doing so is required for the Services. Otherwise, Empyrean has no need and does not engage in cross-border data transfers (however please see the section below “Empyrean Participation in the Data Privacy Framework”).

Empyrean stores your Personal Information only within the United States, and all data is encrypted while stored.

Empyrean Participation in the Data Privacy Framework

Empyrean complies with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF (the “UK DPF Policy”) as set forth by the United States Department of Commerce. Empyrean has certified to the United States Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (the “DPF Principles”) with regard to the processing of Personal Data (as defined by and within the scope of the DPF Principles) received from the United Kingdom in reliance on the DPF Program. To read more about Empyrean’s participation in the Data Privacy Framework, please review our Data Privacy Framework Supplement to the Empyrean Benefits Administration Platform Privacy Policy (“DPF Supplement”) attached.

Contact Us

If you have any questions about this Benefits Platform Privacy Policy, or how we collect, use, share or protect the security of your Personal Information you may contact us via the information below. Please be sure to include your name, phone number, email address and employer when contacting us.

Empyrean Benefit Solutions, Inc.
2103 City West Blvd., Suite 200
Houston, TX 77042
Attn: Compliance and Privacy Official
E-mail: Compliance_Privacy@goempyrean.com
Toll-Free Contact Number: 866-915-4945

State Privacy Law Supplement to Empyrean Privacy Policies

Last modified: March 14, 2025

This State Privacy Law Supplement to Empyrean Privacy Policies (the “State Supplement”) is incorporated by reference into the privacy policies of Empyrean Benefit Solutions, Inc. (“Empyrean”, “We” or “Our”) as referenced in such policies. This State Supplement provides supplemental information for residents of U.S. states with comprehensive privacy legislation that require provision of a privacy notice, including California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia through both online and offline interactions with you and how you can exercise your privacy rights under each state’s comprehensive privacy legislation (collectively, “U.S. Privacy Laws”). Some portions of this State Supplement only apply to residents of particular states. In those instances, we have indicated that such language only applies to those residents.

It is also important to note that even though the state where an individual resides may have enacted a U.S. Privacy Law, such law may not be applicable to Empyrean’s services if the Personal Information processed by Empyrean is exempt under the applicable U.S. Privacy Law.

A. Definitions – For purposes of this State Supplement the following definitions apply:

  • “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. Personal Information also includes “Sensitive Personal Information” that we specifically describe in this State Supplement and applicable Empyrean privacy policies.
  • “Third Party” means any non-affiliated person that is not a Subcontractor.
  • “Subcontractor” means a third party whom we have contracted with to help provide our services and who may collect, store, or otherwise process Personal Information for us, being bound by contractual obligations to use your Personal Information only as directed by Empyrean.

Other terms used in this State Supplement that are defined terms under U.S. Privacy Laws shall have the meanings afforded to them by the U.S. Privacy Laws, whether or not capitalized, unless the context indicates otherwise. As there are some variations between such definitions across the U.S. Privacy Laws, the definitions applicable to you are those provided in the statute for the U.S. state in which you are a consumer. For example, if you are a California consumer, terms used in this State Supplement that are defined terms in the California Consumer Privacy Act (“CCPA”) shall have the meanings afforded to them in the CCPA as this State Supplement applies to you.

B. Collection & Processing of Personal Information

  1. Collection of Personal Information. We, and/or our Subcontractors, collect and have collected in the past 12 months, the following categories of Personal Information about consumers (for more information, please see the corresponding section of the applicable Empyrean Benefits Platform Privacy Policy):
    • Identifiers, such as name, alias, postal address, unique personal identifier such as SSN, online identifiers, Internet Protocol address, email address, account name, signatures, physical characteristics or description, telephone number, or other similar identifiers.
    • Financial Information, including bank account number, credit card number, debit card number, or any other financial information that does not allow access or withdrawal of funds.
    • Insurance Information, including insurance policy number or health insurance information.
    • Characteristics of Protected Classifications under state or federal law, such as age, gender, and marital status.
    • Internet or Other Network Information, such as browsing history, search history, information regarding your interactions with our websites or advertisements.
    • Professional or Employment-Related Information, such as work history and prior employer.
  2. Collection of Sensitive Personal Information. One of Our Subcontractors collects, and has collected in the past 12 months, the following categories of Sensitive Personal Information about consumers:
    • Health Information, collected via claims information at your present and past health carriers but only when you choose to use, if made available to you, the claims driven version of our Precision Benefits tool and you specifically authorize the use of your claims information.
  3. Children’s Personal Information. We generally do not knowingly collect or process Personal Information of children under 13 years of age. If and when we do so, it is in connection with a child’s status as your dependent or beneficiary and in such instances, we comply with the Children’s Online Privacy Protection Act (“COPPA”). For more information, please see the “Privacy Information of Minors” section of the applicable Empyrean Benefits Platform Privacy Policy.
  4. Sources of Personal Information. The sources from which this Personal Information is collected may include (based upon the offering as reflected in the applicable Benefits Platform Privacy Policy): (i) direct communication with you, (ii) your health plan (as authorized by you), (iii) your employer or Plan Sponsor, (iv) from you via our service offerings.
  5. Purposes for Collection, Processing, and Disclosure of Personal Information. We and our Subcontractors collect, process, and disclose, and in the past 12 months have collected, processed, and disclosed, the Personal Information listed in Section B.1, excluding Sensitive Personal Information, in order to perform the functions listed below (more information can be found in Empyrean Benefits Platform Privacy Policy):
    • Operate, manage, and maintain our business;
    • Provide, develop, improve, repair, and maintain our products and services;
    • Conduct research, analytics, and data analysis;
    • Conduct risk and security controls and monitoring;
    • Detect and prevent fraud;
    • Perform identity verification;
    • Perform accounting, audit, and other internal functions, such as internal investigations;
    • Comply with law, legal process, and internal policies;
    • Maintain records;
    • Exercise and defend legal claims; and
    • Otherwise accomplish our business purposes and objectives.
  6. Sale, Sharing, & Processing for Purposes of Targeted Advertising. We do not sell, share, or process Personal Information for targeted advertising, and have not done so in the past 12 months. Further, we do not have actual knowledge that we sell or share Personal Information of California Consumers under 16 years of age.
  7. Retention of Personal Information. We will retain each category of Personal Information we collect for the time needed to fulfill our legitimate and lawful business purpose and comply with applicable laws and regulations.

C. Data Subject Rights

Residents who reside in states with U.S. Privacy Laws have the following rights regarding our collection and use of Personal Information, subject to certain exceptions. Note that some rights vary by state, if applicable.

  1. Rights. You may exercise the data subject rights below by contacting our privacy office at the below contact information and submitting details regarding your request. You may also authorize an agent to make data subject requests on your behalf. In such instances, authorized agents may use the same methods as you to submit the requests on your behalf. To verify your identity and protect your Personal Information, we may ask the requestor to provide information that will enable us to verify your identity in order to comply with your data subject request, such as asking your agent to provide proof of signed permission from you, or ask you to confirm with us directly that you provided the agent with permission to submit the request. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.
       (i) Right to Know: You have the right to receive details about our privacy practice at or before the point of collection. We have provided such information in the applicable Empyrean Benefits Platform Privacy Policy for the goods and services you requested and this State Supplement. You may also request that we provide you with information about the following aspects of how we have handled your Personal Information specifically in the 12 months preceding your request:
    • The categories of Personal Information we have collected about you;
    • The categories of sources from which we collected such Personal Information;
    • The business or commercial purpose for collecting, selling, or sharing Personal Information about you (as applicable);
    • The categories of Personal Information about you that we disclosed and the categories of Third Parties to whom we disclosed such Personal Information;
    • The categories of Personal Information about you that we sold, shared, or used for targeted advertising purposes (as applicable), and the categories of Third Parties with whom we sold or shared such Personal Information (as applicable);
    • If we collect Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is collected or used, and whether that information is sold or shared (as applicable); and
    • The length of time we intend to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.
       (ii) Right to Deletion: You may request that we delete certain Personal Information about you that we collected from you.
       (iii) Right to Correction: You may request that we correct any inaccurate Personal Information we maintain about you. Please note that this right does not apply to Iowa and Utah residents.
       (iv) Right to Access Specific Pieces of Personal Information and Data Portability: You may ask to obtain the specific pieces of Personal Information we have collected about you in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the Personal Information to another entity without hindrance. You may not exercise this right more than two times in a calendar year.
       (v) Right to Opt-Out of Sale: You have the right to opt out of the sale of your Personal Information with Third Parties, as defined under U.S. Privacy Laws. However, we do not sell your Personal Information, so no opt out is needed. Note that we are permitted to share your Personal Information with our subcontractors and partners with whom you choose to enroll in their products.
       (vi) Right to Opt-Out of the Use of Your Personal Information for Targeted Advertising: You have the right to opt-out of the use of your Personal Information for targeted advertising purposes. However, we do not use your Personal Information for targeted advertising, so no opt out is needed.
       (vii) Right to Opt Out of the Sharing of Your Personal Information or Revoke Consent for or Limit the Use of Your Sensitive Personal Information: You have the right to opt-out of the Sharing of your Personal Information. You also have the right to revoke consent for or limit the use of your Sensitive Personal Information to only that which is necessary to perform the services or provide the goods reasonably expected by an average Consumer or for specific business purposes defined by U.S. Privacy Laws. Empyrean already limits the use of your Personal Information to only that which is necessary to perform the services we have been hired to perform by your Employer or Plan Sponsor. To the extent you elect to exercise either of these data subject rights, such election will impact the ability for Empyrean and its subcontractors to deliver the goods and services as you have requested.
       (viii) As described above, we do not engage in profiling or automated decision making that have legal or similarly significant effects. But if we did, you would have the right to opt out of the profiling of data in furtherance of solely automated decisions that have legal effects or similarly significant effects concerning consumers.
  2. Opt-Out Preference Signals. We recognize opt-out preference signals that we are required to recognize for compliance with applicable law. Where required by U.S. Privacy Laws, and applicable to our business, we treat such opt-out preference signals as a valid request to opt-out of sharing and processing for purposes of targeted advertising, as applicable, for the browser or device through which the signal is sent and any consumer profile we have associated with that browser or device, including pseudonymous profiles. Further, if we know the identity of the consumer from the opt-out preference signal, we will also treat the opt-out preference signal as a valid request to opt out of sharing for such consumer. Consumers may use opt-out preference signals by downloading or otherwise activating them for use on supported browsers and setting them to send opt-out preference signals to websites they visit.
  3. Non-Discrimination. We will not discriminate against you for exercising your data subject rights. For example, we will not deny products or services to you, charge you different prices or rates, or provide a different level of quality for products or services as a result of you exercising your data subject rights.
  4. Appeals. Residents of certain states have the right to appeal our decisions on their data subject requests. This section does not apply to California or Utah residents, or to residents who reside in other states where the applicable U.S. Privacy Law does not give them the right to appeal Controllers’ decisions regarding data subject rights. To appeal our decision on your data subject requests, you may contact our Privacy Office at the below contact information. Please enclose a copy of or otherwise specifically reference our decision on your data subject request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.

D. Other Disclosures

  1. Residents Under Age 18. If you are under the age of 18 and a registered user of our website you may request and obtain removal of content or information you have publicly posted. To make such a request, please send an email to the below contact information with a detailed description of the specific content or information to Empyrean. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.
  2. Disclosure for California Residents
       (i) Direct Marketing. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Information to other entities for their direct marketing purposes in the preceding calendar year. To make such a request, please send an email to the below contact information with the subject “Shine the Light Request.” Again, however, neither Empyrean nor its Subcontractors directly market to you.
       (ii) Financial Incentives for California Residents. We do not provide financial incentives to California residents who allow us to collect, retain, sell, or share their Personal Information. We will describe such programs to you if and when we offer them to you.
  3. Disclosure for Nevada Residents. We do not sell “Covered Information” as defined under Nevada law, but we generally disclose or share “Personal Information” as defined under Nevada law for commercial purposes. Under Nevada law, you have the right to direct us to not sell your Covered Information to third parties, as defined under Nevada law. To exercise this right, if applicable, you or your authorized representative may contact us at the below contact information.

E. Changes and Contact Information

  1. Changes to our State Supplement. We reserve the right to amend this State Supplement in our discretion and at any time. When we make material changes to this State Supplement, we will notify you by posting an updated State Supplement on our website and listing the effective date of such updates.
  2. Contact Us
    If you have any questions about this State Supplement, or how we collect, use, share or protect the security of your Personal Information, or to appeal our decisions on data subject requests, you may contact us via the information below. Please be sure to provide your name, phone number, email address and employer when contacting us.

    Empyrean Benefit Solutions, Inc.
    2103 City West Blvd., Suite 200
    Houston, TX 77042
    Attn: Compliance and Privacy Official
    E-mail: Compliance_Privacy@goempyrean.com
    Toll-Free Contact Number: 866-915-4945

Data Privacy Framework Supplement to the Empyrean Benefits Administration Platform Privacy Policy

Last modified: March 14, 2025

This Data Privacy Framework Supplement (the “DPF Supplement”) applies to the Empyrean Benefits Administration Platform Privacy Policy (the “Benefits Platform Privacy Policy”) in respect of Empyrean’s processing of Personal Data, as defined below, that Empyrean receives from users of the Benefits Platform residing in the United Kingdom (“UK”).

This DPF Supplement is incorporated by reference into the Benefits Platform Privacy Policy of Empyrean Benefit Solutions, Inc. (“Empyrean”, “We” or “Our”) as referenced in such Benefits Platform Privacy Policy. Defined terms shall have the meaning set forth in the Benefits Platform Privacy Policy if not otherwise defined in this DPF Supplement. The term “Personal Data” is intended to have the same meaning as “Personal Information” as set forth in the Benefits Platform Privacy Policy.

A. United Kingdom Data Transfers

Empyrean complies with the EU-U.S. Data Privacy Framework (the “Framework”) and the UK Extension to the EU-U.S. DPF (the “UK Extension”) as set forth by the United States Department of Commerce (collectively, the “DPF Program”).

Empyrean complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, set forth by the U.S. Department of Commerce. Empyrean has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/. This DPF Supplement only applies to Personal Data within the scope of Empyrean’s Data Privacy Framework certification.

B. Conflicting Terms and Governmental Requests

If there is any conflict between the terms in this DPF Supplement and the DPF Principles, the Principles shall govern. Further, Empyrean may be required to disclose Personal Data to law enforcement, regulatory or other government agencies, or to other third parties, in each instance to comply with legal, regulatory, or national security obligations or requests.

C. DPF Supplement Principles and Notice

The DPF Supplement reflects the privacy principles of the DPF Program and has been integrated into Empyrean’s data privacy framework of its Benefits Platform. Further, the DPF Supplement supports Empyrean’s commitment to safeguarding and protecting the transfer and processing of Personal Data within the scope of the DPF Program that Empyrean receives from users of the Benefits Platform.

Empyrean provides users of the Benefits Platform with notice, including through this DPF Supplement and the Benefits Platform Privacy Policy, of how Empyrean collects and uses Personal Data in connection with their use of the Benefits Platform. Such notice also includes information on how to contact Empyrean with questions or concerns regarding Empyrean’s privacy practices.

Additional information regarding the type of Personal Data that Empyrean collects, the purposes for such Personal Data collection and uses by Empyrean, and the categories of third parties to whom such Personal Data may be disclosed when the Benefits Platform is used, is available in the Benefits Platform Privacy Policy or by contacting Empyrean at the contact information specified below.

D. Transfers to Third Parties

To the extent Empyrean determines it is necessary to transfer Personal Data to third parties for processing in connection with the performance of the Services on the Benefits Platform, Empyrean is responsible for such Personal Data and will do so in accordance with the Benefits Platform Privacy Policy. Empyrean will limit such transfer to the minimum amount of Personal Data necessary and obtain assurances from such third parties to protect and safeguard such Personal Data consistent with the Benefits Platform Privacy Policy. Note that our certification does not cover any disclosure of your Personal Data to a third party who processes such Personal Data for its own purposes when the disclosure is made at your request.

E. Security

Empyrean uses appropriate measures to protect Personal Data in its possession to ensure a level of security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and destruction including the use of encryption of Personal Data at rest and in transmission. Our security measures take into account the nature of the Personal Data and the risks involved in its processing, as well as best practices in the industry for security and data protection.

F. Data Use and Quality

Empyrean will use Personal Data in accordance with its intended use as reflected in the Benefits Platform Privacy Policy.

G. Access to Personal Data

Empyrean will provide users of the Benefits Platform with reasonable access to their Personal Data in the possession of Empyrean consistent with applicable law; further, Empyrean will permit such users to request that their Personal Data be corrected, amended, or deleted to the extent such requests pertain to Personal Data that is inaccurate or incomplete and over which Empyrean has control of the accuracy of that Personal Data. Such requests should be made through the user’s Plan Sponsor or employer or to Empyrean through the contact information below. Empyrean may request verification of the requestor’s identity and authorization to submit such request.

H. Regulatory Enforcement

Empyrean is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (“FTC”) in regard to the Personal Data received by Empyrean or transferred pursuant to the DPF Program.

I. Dispute Resolution

In furtherance of Empyrean’s commitment to comply with the principles of the DPF Program, Empyrean is committed to resolving any complaints about Empyrean’s collection or use of your Personal Data received in reliance on the DPF Program. Empyrean will strive to resolve your concerns and respond within forty-five (45) days after its receipt of your inquiry or complaint. UK individuals with questions or complaints regarding this DPF Supplement should contact Empyrean via the contact information set forth below. Note that if Empyrean is not able to satisfactorily resolve your concerns, Empyrean commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the DPF Program to the American Arbitration Association’s International Centre for Dispute Resolution (“ICDR-AAA”), an alternative dispute resolution provider based in the United States. If Empyrean has not timely provided you with an acknowledgement of your DPF Program related complaint, or if we have not addressed your DPF Program related complaint to your satisfaction, you have the opportunity to invoke binding arbitration by delivering notice to Empyrean of such and following the procedures provided by the ICDR-AAA. Please visit ICDR-AAA DPF IRM Service | ICDR.org, for more information or to file a complaint. The services of ICDR-AAA are covered by Empyrean and are at no cost to you.

Further, in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, with regard to European and UK employees, Empyrean commits to cooperate in investigations by and comply with the advice of the competent EU and UK authorities, including the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO), with regard to unresolved complaints concerning our handling of EU/UK human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

J. Changes to the DPF Supplement

We reserve the right to amend this DPF Supplement in our discretion and at any time. When we make material changes to this DPF Supplement, we will notify you by posting an updated DPF Supplement on our website and listing the effective date of such updates.

K. Contact Us

If you have any questions about this DPF Supplement, or how we collect, use, share or protect the security of your Personal Data, you may contact us via the information below. Please be sure to include your name, phone number, email address and employer when contacting us.

Empyrean Benefit Solutions
2103 City West Blvd., Suite 200
Houston, TX 77042
Attn: Compliance and Privacy Official
E-mail: Compliance_Privacy@goempyrean.com
Toll-Free Contact Number: 866-915-4945