Last Modified: August 11, 2023

Welcome to the Empyrean Benefit Solutions, Inc. ("Empyrean") website (the “Site”) that is specific to your employer. Empyrean performs third party administration services related to the health and welfare benefit programs of your employer, former employer and/or plan sponsor (collectively, the “Employer”). We appreciate the opportunity to serve you.

At Empyrean we respect your privacy and this Privacy Policy (“Privacy Policy” or “Policy”) explains how Empyrean collects, uses and discloses information about you when you visit the Site, use Empyrean’s mobile application(s) and other online products and services that link to this Privacy Policy (collectively, the “Services”) or when you participate in any interactive features of the Services or otherwise interact with us (e.g., contact us via telephone or web chat or communicate with us through email). This Privacy Policy is incorporated by reference into the Empyrean Site’s Terms of Use (“Terms of Use”). In addition, in the event we offer a Service that does not reference a privacy policy, this Privacy Policy will apply to such offering unless a separate privacy policy explicitly states that it is applicable to such offering in lieu of this Policy.

If you do not agree to the terms in this Privacy Policy or in the Terms of Use, you should not use the Site, the Services or contact us via the other methods listed in this Policy.

Please keep in mind that we may revise this Privacy Policy at any time and from time to time. If we revise our Privacy Policy, we will notify you by revising the date at the top of this Policy and post the revised policy on the Site. We may also elect to provide additional notice by adding a statement to our Site. We suggest that you review this Privacy Policy whenever you access the Services or otherwise interact with us to stay informed about Empyrean’s information practices and your options.

Definition of Personal Information

We define "Personal Information" as any data or information that can be used to identify you or your dependents or beneficiaries. This information includes but is not limited to name, address, age, date of birth, Social Security Number (or other identifier, such as driver's license or state identification number or employee identification number), bank account information, e-mail address, telephone number or information related to your access of the Site and/or use of the Services which may include but not be limited to browser agent, IP address, internet domain, or date/times you access the Site. We may request Personal Information from you in order to deliver requested materials to you, respond to your questions, or deliver a product or Service(s) to you.

Collecting Personal Information

We collect, store and use Personal Information (defined below) (also referred to as “User Data” in the Terms of Use) so that we can perform the Service(s) for which we have been contracted by your Employer relating to your Employer’s employee benefit programs under which you may be participating or become eligible to participate.

We obtain Personal Information in several ways. Firstly, we obtain Personal Information about you, your dependents and/or your beneficiaries that has been provided to us directly from your Employer. We also collect Personal Information that you voluntarily submit to us whether directly on the Site or via Site interaction (e.g., web chat), or when you otherwise contact us (e.g., by phone or email). For example, when you call us, we record all calls and those calls may be shared with your Employer for the purpose of administering your employer’s health plans. Finally, we will automatically collect your Personal Information when you visit and navigate our Site, use the Services, or otherwise interact with us. Examples include: (i) log information (e.g., browser type, IP address, pages viewed); (ii) location information (e.g., precise location of your device in accordance with device permissions); (iii) device information (e.g., information about the computer or mobile device being used to access the Site or Services, operating system information, unique device identifiers); and (iv) cookies and other tracking mechanisms (further discussed below in ‘Other Information Collected’).

When you voluntarily submit your Personal Information on the Site or through any Site interactive features, over the phone or via email, you are giving your consent to the collection, use and disclosure of your Personal Information in accordance with this Privacy Policy and with our administration agreement with your employer.

Other Information Collected

When you visit our Site, we collect information that does not identify you personally but does provide us with usage data, such as the number of visitors we receive and which pages they visited most often. This data helps us analyze and improve the Service(s) we provide.

Our Site may write and read "cookies" to your web browser. A cookie is an element of data that is stored temporarily or permanently on your computer and can be communicated between the Sites and your browser. We use cookies as unique identifiers to track each user, and use is required for the proper operation of the Site. A cookie is not a computer program and has no ability to read data residing on your computer or instruct it to perform any function. We do not use cookies to store Personal Information about you.

We may also use what is known as "client-side page tagging", which uses code on each page of the Site to write certain information about the page and the visitor to a log when a page is rendered to your browser. This technique is commonly used on commercial websites. "Tagging" does result in JavaScript or other client-side code being run on your computer, but it is limited to providing information about the page from our Site that you are requesting and the configuration of your browser. It will not read any of the data files on your computer or execute other functions. It does not extract any personal information about you. You can prevent tagging by disabling JavaScript in your browser, but that may prevent you from using some or all of our Site's features.

Information Collected from Other Sources

Empyrean may also obtain your Personal Information from other sources. For example, we may collect information about you from publicly available sources or from third parties as directed by your Employer in support of our delivery of the Services. In addition, if you log into the Site through a social media site we may have access to information from that site such as your name, account information and other information pursuant to the authorization procedures determined by such social media site.

Use of Personal Information

We may use the Personal Information we collect in accordance with the Terms of Use and this Privacy Policy to deliver, provide, maintain and improve our Service(s). We may use the Personal Information we collect to: (i) provide you with customer support services; (ii) provide you with technical support services; (iii) perform updates to the Site and/or Service(s) and provide related security alerts; (iv) perform analytics related to the Service(s); (v) improve and update the Service(s); (vi) personalize your access to and use of the Service(s); (vii) prevent illegal or fraudulent activities including without limitation, fraud detection, security enhancements, investigate security incidents or other unauthorized access attempts; (viii) provide you with information about Empyrean and its offerings, products, services and events; (ix) provide reports to your Employer; and (x) other legally permissible activities that are related to the Site and Service(s). We may also use information about you in aggregated format that has been otherwise de-identified so that such information cannot be reasonably used to identify you for any legally permissible purposes. Empyrean also may grant third parties with similar use rights that are solely in connection with the services they provide to Empyrean in connection with our delivery and performance of the Service(s).

In addition to the foregoing, the table below provides examples of how we may use your Personal Information and our reasons for such use:

| How we may use your Personal Information | Our reasons |
| --- | --- |
| To provide services to you or your Employer | For the performance of our agreement with you or your Employer or to comply with your requests |
| To prevent and detect fraud against you or us | For our legitimate interests or those of a third party, i.e. to minimize fraud that could be damaging for us and for you |
| Processing necessary to comply with professional, legal and regulatory obligations that apply to our business | To comply with our legal and regulatory obligations |
| Ensuring business policies are adhered to, e.g. policies covering security and internet use | For our legitimate interests or those of a third party, i.e. to make sure we are following our own internal procedures, so we can deliver the best service to you |
| Operational reasons, such as improving efficiency, training and quality control | For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service at the best price |
| Statistical analysis to help us manage our business, e.g. in relation to our financial performance, customer base, product range or other efficiency measures | For our legitimate interests or those of a third party, such as anonymizing and aggregating data for analytics and reporting |
| Updating and enhancing customer records | To comply with our legal and regulatory obligations; and for our legitimate interests or those of a third party, e.g. making sure that we can keep in touch with our customers about existing products and services and new products and services |

Sharing or Disclosing of Personal Information

Who We Share Your Personal Information With. We do not and will not sell any of your Personal Information to any outside organization. We only disclose your Personal Information to third parties as reasonably necessary to carry out the permitted uses described in this policy. For example, we may share Personal Information with:

  • third parties we use to help us run our business, such as email automation platforms, technical and customer support contractors, or other service providers who are required to keep the Personal Information confidential and are prohibited from using it other than to carry out their services on our behalf;
  • with your Employer in connection with the delivery of Service(s);
  • between Empyrean and its parent, subsidiary or affiliate companies as relates to the administration and support of the Site and delivery of the Service(s);
  • our successors in the event of a sale, merger, acquisition, or similar transaction affecting the relevant portion of our business; and
  • legal and governmental authorities or other third parties, to the extent required to comply with a legal order or applicable law.

We may also disclose Personal Information that we collect or you provide as described in this privacy policy:

  • If we believe disclosure is necessary or appropriate to protect our rights, property, or the safety of our company, our customers, or others;
  • For any other purpose disclosed by us when you provide the information; or
  • With your consent.

We may also disclose de-identified information.

In the preceding 12 months, we have not disclosed for a business purpose other than to provide the Services to any third parties the following categories of Personal Information:

  • Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers);
  • Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, address, telephone number, education, employment, and employment history;
  • Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with the Services, or advertisement).

Subcontractors And Partners We May Use

We may retain other companies and individuals to perform services and functions on our behalf to support our delivery of the Service(s) consistent with this Privacy Policy. Examples include, without limitation, customer support specialists, web hosting companies, print fulfillment companies, data analysis firms, e-mail service providers, ancillary service providers such as COBRA or flexible spending accounts, and/or back office support providers. Such third parties may be provided with limited access to your Personal Information as needed to provide their services to Empyrean solely as relates to the delivery of the Service(s) to you in accordance with the Terms of Use and this Policy or pursuant to other written terms and conditions with Empyrean that pertain to the delivery of the Service(s) to you.

We may also partner with entities that are not our subcontractors but who provide benefit related products and services that you may, at your option, choose to receive to the extent your Employer makes such products and services available to you, if eligible. Examples of these partners include, but are not limited to, financial product providers such as SAVVI, health savings account bank providers such as Optum or HSA Bank, and/or various insurance carriers who offer voluntary products. These third parties will have a direct contractual relationship with either you and/or your Employer and are also obligated to protect your data in accordance with that contractual relationship. We encourage you to review their respective privacy policies and/or discuss such offerings with your Employer if you choose to participate in their offerings as applicable.

Depending on whether such partner products are made available to you by your Employer, additional terms and/or consents may be requested of you in order for Empyrean to share your Personal Information with them.

Residents of the European Economic Area

If you are a resident of the European Economic Area (“EEA”), you have certain rights and protections under the law regarding the processing of your personal data.

Legal Basis for Processing

If you are a resident of the EEA, when we process your personal data we will only do so in the following situations:

• We need to use your personal data to perform our responsibilities under our contract with you or your Employer (e.g., providing the Services that have been requested on your behalf).

• We have a legitimate interest in processing your personal data. For example, we may process your personal data to send you marketing communications, to communicate with you about changes to our Services, and to provide, secure, and improve our Services.

• You have consented to the processing of your personal data for one or more specific purposes.

Data Subject Requests

If you are a resident of the EEA, you have the right to access personal data we hold about you and to ask that your personal data be corrected, erased, or transferred. You may also have the right to object to, or request that we restrict, certain processing. If you would like to exercise any of these rights, please contact Empyrean through the Contact Us process outlined below.

Questions or Complaints

If you are a resident of the EEA and have a concern about our processing of personal data that we are not able to resolve, you have the right to lodge a complaint with the data privacy authority where you reside.

For contact details of your local Data Protection Authority, please see:

http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm .

Residents of California

California consumers have the right to request any of the following information from Empyrean regarding personal information collected about you during the preceding 12 months:

  • The categories of personal information collected about you.
  • The categories of sources from which the personal information is collected.
  • The business or commercial purpose for collecting or selling personal information.
  • The categories of third parties with whom we share personal information, if any.
  • The specific personal information collected about you.
  • For personal information sold or disclosed to a third party for a business purpose, you have a right to know the categories of personal information about you that we sold and the categories of third parties to whom the personal information was sold; and the categories of personal information that we disclosed about you for a business purpose.

We will provide this information free of charge up to two (2) times in any twelve (12) month period within 45 days of receiving your verifiable request (including verification of your identity and your California residency), subject to delays and exclusions permitted by law. Specific personal information about you or your account that is categorized as sensitive or confidential may be redacted.

As a California resident, you have the right to request that we delete any personal information that we have collected about you. We will honor this request subject to the range of exclusions permitted by law. For example, we are not required to delete personal information if it is necessary to complete a transaction or reasonably used for an ongoing business relationship or if it is used internally in a lawful manner that is compatible with the context in which the consumer provided the information.

As a California resident, you also have the right to opt out of the sale of your personal information to third parties. We do not sell your personal information. However, we are permitted to share your personal information with a service provider.

We will not discriminate against you if you choose to exercise any of these rights.

Please note that California consumer privacy laws do not apply to, among other things:

  • Information that is lawfully made available from federal, state, or local government records;
  • Consumer information that is deidentified or aggregated;
  • Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information (PHI) (as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)) that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (HHS), Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act (Public Law 111-5);
  • A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by HHS, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as medical information or PHI as described in the paragraph above.

Empyrean’s Decision Support Tool: Personalized Precision Benefits

Personalized Precision Benefits is Empyrean’s benefit plan decision support tool. If your Employer chooses to make the enhanced version of Personalized Precision Benefits available to you, you will be prompted to review a Personalized Precision Benefits specific privacy policy and terms of use. If you are provided access to the standard version of Personalized Precision Benefits (i.e., not the enhanced version) this Privacy Policy applies to your use of the standard version of Personalized Precision Benefits.

Data Storing and Transferring

All data that we collect, use, and/or may transfer to any subcontractor is processed and stored here in the United States where Empyrean is based and not transferred outside of the United States unless otherwise agreed with your Employer. Empyrean and its service providers may transfer your information to, or store or access it in, jurisdictions that may not provide equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your Personal Information receives an adequate level of protection in the jurisdictions in which we process it. For example, all stored data while at rest remains encrypted. Your data will be retained for as long as our agreement with your Employer requires us or the maximum time we are permitted to retain your records under applicable laws, whichever is longer. Any data that is not destroyed upon termination of our agreement with your Employer will be protected in accordance with applicable laws and consistent with our Privacy Policy.

Sale of Your Personal Information

Neither we nor our subcontractors will sell any of your Personal Information to any outside organization.

Your E-Mails to Us

We welcome e-mails from you, and, within the Site, there may be e-mail boxes for your questions and comments. You may also send us email directly outside of the Site. We may share the information you send to us via email with our Service Center Representatives, other employees capable of addressing your questions and concerns, certain third parties, as necessary, or your employer when required, to assist you.

Please note that non-encrypted internet e-mail sent by you may be accessed and viewed by unintended third parties without your knowledge and permission while in transit to us. If you elect to use e-mail to communicate information to us that you consider confidential you do so at your own risk, and you acknowledge and agree that Empyrean is not responsible for unauthorized access, losses, security incidents, or data breaches to the extent arising out of or otherwise related to such e-mail communications.

Your Rights

You may have certain rights concerning your Personal Information in accordance with applicable law. These rights may include:

  • Right to access your Personal Information;
  • Right to amend your Personal Information;
  • Right to an accounting of your Personal Information;
  • Right to receive your Personal Information in a useable electronic format;
  • Right to data portability and transmittal of your Personal Information to a third party;
  • Right to request validation or other proof of prior authorizations or consents provided to us to perform the collection and processing of your Personal Information;
  • Right to correct or rectify your Personal Information maintained by Empyrean;
  • Right to erase your Personal Information;
  • Right to restrict our use or disclosure of your Personal Information;
  • Right to object to our use or disclosure of your Personal Information;
  • Right to revoke the consent or authorization given by you for the processing of your Personal Information; or
  • Right to file a complaint with your local data protection authority or other applicable governmental regulatory authorities.

You understand and acknowledge that your decision to exercise any or all of such rights may impact our ability to deliver the Service(s) to your Employer that pertain to you, your dependents and/or your beneficiaries and that the law may not require our support of such right as relates to our Services.

If you have questions about such rights you may contact Empyrean through the Contact Us process described below.

Children Under 13 and Parental/Guardian Access

The Site is designed and directed to adults; it is not directed to children under the age of 13. We do not knowingly collect Personal Information from children under the age of 13, although we use and disclose your dependent children's Personal Information we have obtained voluntarily from you, your Employer, or other third parties in connection with the administration of your benefit programs. If you are under the age of 13, you are not permitted to submit information to this Site. If Empyrean is notified that we have collected personal information of a child under the age of 13, as defined under the Children’s Online Privacy Protection Act (“COPPA”), we will promptly delete such information.

Parents or guardians of children under the age of 13 may print out and mail or fax us a signed form that allows them to review any information collected about their child/children, have this information deleted, and/or request that there be no further collection or use of their child’s information. Such access and directives will be subject to authenticating the parental/guardian identity and status.

Links

The Site and our Service(s) may contain links to or from other websites. Please be aware that we are not responsible for the privacy practices of other websites. This Privacy Policy applies only to the Personal Information we collect as described in this Policy. If you submit Personal Information to any of these third-party sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policies of any website you visit or link to or from our Site or Services.

Security

We implement various reasonable security measures to protect your Personal Information from theft, misuse, unauthorized access, disclosure, loss, alteration and destruction.

Updating Your Information or Account Deactivation

If you wish to change any Personal Information that has come to us from your Employer, you will need to contact your Employer directly to support your request. However, you have the ability to review, change and/or correct the Personal Information you provide directly to us by contacting us. If you are a registered user, you can also review, change or correct your Personal Information at any time by using the features within the Site or submitting a written request through the Contact Us process described below. You may request that we deactivate your account by contacting us. Please note, however, that we may retain certain Personal Information as required by law or for legitimate business purposes. We may also retain cached or archived copies of your Personal Information for a certain period of time.

Mobile Push Notifications/Alerts

We may, with your consent, send promotional and non-promotional push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device.

Promotional Communications

You may opt out of receiving promotional communications from Empyrean by following the instructions in those communications or by emailing us at the Contact Us information provided below. If you opt out, we may still send non-promotional emails, such as those about your account or our ongoing business relations.

Contact us

If you have any questions about this Policy or how we collect, use, share or protect the security of your Personal Information, please see the Contact Us page on our Site or you can submit your questions or requests in writing to Empyrean at:

Compliance and Privacy Official

Empyrean Benefit Solutions, Inc.

3010 Briarpark Drive, Suite 8000

Houston, TX 77042

E-mail: Compliance_Privacy@goempyrean.com

Phone: 866-915-4945

Questions related to your benefits, or how to access the Site should be directed to the customer service number previously given to you that is connected with your employer.