Alight Retiree Health Exchange
Privacy Notice

Alight is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Alight is committed to protecting your privacy. This commitment reflects the value we place on earning and keeping the trust of our customers, business partners, and others who share their personal information with us.

This Privacy Statement describes how Alight Retiree Health Exchange (“Alight”, “Us” or “We”) collects, uses, and protects personal information it receives in the course of providing its services.  It also describes the choices available to you regarding your use of personal information and how you can access and update this information.  At Alight, your privacy is very important.  We strive to protect the personal information under our control and to maintain the security and integrity of that information.

What does this Privacy Notice do?
This Privacy Notice ("Notice") explains Alight Retiree Health Exchange’s information processing practices. It applies to any personal information you provide to us and any personal information we collect from other sources. This Notice is a statement of our practices and of your rights regarding your personal information. This is not a contractual document, and it does not create any rights or obligations on either party, beyond those which already exist under data protection laws.

This Notice does not apply to your use of a third party site linked to this website.

If you have a disability and require an alternative format to this privacy notice, please email us at: privacy.info@alight.com so that we may provide you with a more suitable format.

Who is responsible for your information?
Throughout this Notice, Alight refers to Alight Retiree Health Exchange including its affiliated companies and subsidiaries (also referred to as "we", "us", or "our"). Alight is responsible for your personal information (and the controller for the purposes of data protection laws) that we collect from or about you.

When and how do we collect your information?
We collect personal information in the following ways:

Category	Description
Basic Personal Details	Client data about customers, and account set up
Education & Professional Experience & Affiliations	Applicants
Family	Customer provides family information when determining coverage, and paying for coverage
Lifestyle & Social Circumstances	Customer provides family information when determining coverage, and paying for coverage
Financial Details	Customer provided when paying for coverage, client may or may not provide financial support
Photographic, Video & Location information	Outbound calls to customers, plan information sent to customers
Business Activities	Alight and client data, applicants
Health, Welfare & Absence Related	Customer provides family information when determining coverage
Identification Checks & Background Vetting	Applicants and full-time employers are subject to monthly Office of the Inspector General/General Services Administration (OIG/GSA) checks

For specific information on the source for each category of personal information collected, please see the section titled “Categories of personal information we may collected, disclose, and “sell” (as defined under applicable law) below.

What information do we collect?
In general, we collect personal information about you that you provide to us, that we receive from third parties or that we indirectly collect or infer about your activities or usage of our websites, apps or services. The actual personal information we collect about you varies depending upon the nature of the services and our interactions for you.

How Alight Retiree Health Exchange Receives Personal Information?
Generally, "personal information" is information that can be used to identify you. Most of the personal information we receive relates to your interest in and/or enrollment in an individual health insurance plan. There are several ways that we receive personal information:

• You might provide the information directly to Alight by methods such as visiting our websites, entering information into our websites, speaking with a representative or sending mail or faxes to our offices.
• An insurance carrier may provide certain information to us in connection with your enrollment in a health, prescription, dental or vision insurance plan through Alight Retiree Health Exchange.
• If your employer or former employer purchased services for you, your employer or former employer might provide certain information to us, such as your contact information or information about your participation in a Health Reimbursement Account.
• If your employer or former employer purchased services for you, another service provided engaged by your employer or former employer that has a part in administering your employer’s benefit programs might prove information to us.

The types of personal information we receive include:

• Contact Information such as your name, address, phone number, email address and the name of your employer or former employer.
• Other personal information such as a Social Security number or other government-assigned unique identifier, your Medicare status, date of birth, gender, marital status, Internet Protocol (IP) address, income history, military history, health information, health care preferences, your personal preferences regarding health plan coverage and financial information.
• Contact information and other personal information (see previous bullets) for your dependents.
• Benefit program participation such as plan elections, beneficiary information, plan account numbers and date of retirement or loss of group coverage.
• Plan participation and coverage information, which if your employer or former employer purchased services for you, may include information about any Health Reimbursement Account (HRA) that is sponsored by your employer or former employer, HRA contributions, HRA balances or your claim information.

Information you provide to us
When you request services, we ask that you provide accurate and necessary information that enables us to respond to your request. When you provide personal information to us, we use it for the purposes for which it was provided to us as stated at the point of collection or as obvious from the context of collection, for example providing an insurance quote, applying for a position with us or creating a profile on our website or application.

More information about the categories of personal information collected for each of our services, together with the purpose and legal basis for collecting the information is provided below.

We will not knowingly collect any sensitive personal information unless this is required.

When you provide us with sensitive personal information, you understand and give your explicit consent that we may collect, use and disclose this information to appropriate third parties for the purposes described in this Notice. If you provide personal information about other individuals such as employees or dependents, you must obtain their consent prior to your disclosure to us.

Information we collect over Alight websites
We may ask you for personal information, such as name and contact information, when you register for events, request services, manage accounts, access various content and features or directly visit our websites. (For purposes of this Notice, "website" includes our mobile applications.)

In some instances, we automatically collect certain types of information when you visit our websites and through e-mails that we may exchange. Automated technologies may include the use of web server logs to collect IP addresses, "cookies" and web beacons. Further information about our use of cookies can be found in our Cookie Notice.

Website Log Files
Alight may also log information related to your website visit or mobile site visit. We may link this automatically collected data to other information we collect about you.

This information can include:

• The address (or URL) of the web pages you visit
• The browser and version you used to view our website
• Your internet provider (IP) address
• The type of computer or device you used to view our website
• Any clicks on buttons
• Statistics on website page views

 

Chat
While using the Alight website, you may be provided the opportunity to chat with a Customer Service Associate (CSA) through chat-messaging technology.  If you decide to use this technology to chat with a CSA, you have no obligation to share personal information.  During your chat experience, an alternative communication channel will be offered to you upon request.  Additionally, your chat session will be stored.

Mobile devices
If you access our websites on your mobile telephone or mobile device, we may also collect your unique device identifier and mobile device IP address, as well as information about your device's operating system, mobile carrier and your location information. We may also ask you to consent to providing your mobile phone number (for example, so that we can send you push notifications).

Categories of personal information we may collect, disclose, and “sell” (as defined under applicable law).
The types and categories of personal information we collect about you depends on the nature of the services we provide to you and our interactions with you. Additionally, we may disclose personal information to third parties and services providers for the purposes identified below.

In general, we do not disclose or share personal information to third parties in exchange for their monetary payment to us. However, certain laws including the California Consumer Privacy Act (“CCPA”) define “sale” broadly to include disclosing or making available personal information to third parties in exchange for monetary payment or some other thing of value. For purposes of the CCPA, we may disclose or make available personal information in order to receive some benefit or value (i.e., a “sale” under the CCPA).

The categories of information we may collect, disclose and “sell” are as follows:

Categories of personal information	Specific types of personal information	Category of sources from which this personal information is obtained	Is this personal information collected?	Is this personal information disclosed for business purposes?	Is this personal information sold?
Name, contact and identifiers	Identifiers such as real name postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, or other similar identifiers.	Our Clients, Service Requests, Registration, Application, Contact Us	Yes	Yes	Yes
Customer Records	Paper and electronic customer records containing personal information, such as name, signature, social security number, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, debit card number, or any other financial information, medical information, or health insurance information.	Our Clients, Service Requests, Registration, Application, Contact Us	Yes	Yes	No
Protected Classifications	Characteristics of protected classifications under California or federal law.	Our Clients, Service Requests, Registration, Application, Contact Us	Yes	Yes	No
Purchase history and tendencies	Commercial information including records of products or services purchased, obtained, or considered	Our Clients, Service Requests, Registration, Application, Contact Us	Yes	Yes	No
Biometric Information	Physiological, biological or behavioral characteristics that can be used alone or in combination with each other to establish individual identity, including DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information	Service Requests, Registration, Application, Contact Us	Yes	Yes	No
Usage data	Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.	Our Clients, Service Requests, Registration, Application, Contact Us	Yes	Yes	Yes
Geolocation Data	Precise geographic location information about an individual or device.	Our Clients, Service Requests, Registration, Application, Contact Us	Yes	Yes	No
Audio/Visual Data	Audio, electronic, visual or similar information	Service Requests, Registration, Application, Contact Us	Yes	Yes	No
Employment History	Professional or employment-related information	Our Clients Service Requests, Registration, Contact Us	Yes	Yes	No
Educational Information	Information about education-related history or background	NA	NA	NA	NA
Profiles and Inferences	Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes	NA	NA	NA	NA
“Sensitive data”	Information relating to race or ethnic origin; political opinions; religious or other similar beliefs; trade union membership; physical or mental health; sexual life.	NA	NA	NA	NA

How do we use your personal information?
The following is a summary of the purposes for which we use personal information. More information about the personal information collected for each of our services, together with the purpose and legal basis for collecting the information will be provided to you below.

Performing services for our clients
We process personal information which our clients provide to us in order to perform our professional consultancy and risk based advisory services. This may impact you, for example, where you are the employee of our client, or the member of a client's pension scheme. The precise purposes for which your personal information is processed will be determined by the scope and specification of our client engagement, and by applicable laws, regulatory guidance and professional standards. It is the obligation of our client to ensure that you understand that your personal information will be disclosed to Alight (or to service providers).

The categories of information we use to perform our services include name, contact and identifiers, customer records, protected classifications, purchase history and tendencies, biometric information, usage data, geolocation data, audio/visual data, employment history, profiles and inferences, or sensitive data.

Administering our client engagements
We process personal information about our clients and the individual representatives of our corporate clients in order to:

• carry out "Know Your Client" checks and screening prior to starting a new engagement;
• carry out client communication, service, billing and administration;
• deal with client complaints;
• administer claims.

The categories of information we use to administer our client engagements include name, contact and identifiers, geolocation data, employment history, profiles and inferences, and some sensitive data.

Contacting and marketing our clients and prospective clients

We process personal information about our clients and the individual representatives of our corporate clients in order to:

• contact our clients in relation to current, future and proposed engagements;
• send our clients educational and marketing communications;

The categories of information we use to contact and market to our clients and prospective clients include name, contact and identifiers, geolocation data, employment history, and some sensitive data.

Conducting data analytics

We are an innovative business, which relies on developing sophisticated products and services by drawing on our experience from prior engagements. We are not concerned with an analysis of identifiable individuals, and we take steps to ensure that your rights and the legitimacy of our activities are ensured through the use of aggregated or otherwise de-identified data. The categories of information we use to conduct data analytics include Google Analytics.

Google Analytics
We may use a tool called "Google Analytics" to collect information about use of this website. Google Analytics collects information such as how often users visit this site, what pages they visit when they do so, and what other sites they used prior to coming to this site. We use the information we get from Google Analytics only to improve this site. Google Analytics collects only the IP address assigned to you on the date you visit this site, rather than your name or other identifying information. We do not combine the information collected through the use of Google Analytics with personally identifiable information. Although Google Analytics plants a permanent cookie on your web browser to identify you as a unique user the next time you visit this site, the cookie can only be used by Google Analytics.  Google Analytics’ ability to use and share information collected about your visits to this site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can prevent Google Analytics from recognizing you on return visits to this site by disabling cookies on your browser.

If we wish to use your personal information for a purpose which is not compatible with the purpose for which it was collected for, we will request your consent. In all cases, we balance our legal use of your personal information with your interests, rights, and freedoms in accordance with applicable laws and regulations to make sure that your personal information is not subject to unnecessary risk.

Legal basis
All processing (i.e. use) of your personal information is justified by a "lawful basis" for processing. In the majority of cases, processing will be justified on the basis that:

• the processing is necessary for the performance of a contract to which you are a party, or to take steps (at your request) to enter into a contract (e.g. where we help an employer to fulfil an obligation to you under an employment contract in relation to the delivery of employee benefits);
• the processing is necessary for us to comply with a relevant legal obligation (e.g. where we are required to collect certain information about our clients for tax or accounting purposes, or where we are required to make disclosures to courts or regulators); or
• the processing is in our legitimate commercial interests, subject to your interests and fundamental rights (e.g. where we use personal information provided to us by our clients to deliver our services, and that processing is not necessary in relation to a contract to which you are a party).

In limited circumstances, we will use your consent as the basis for processing your personal information, for example, where we are required to obtain your prior consent in order to send you marketing communications.

Before collecting and/or using any personal information, or criminal record data, we will establish a lawful basis which will allow us to use that information. This basis will typically be:

• your explicit consent;
• the establishment, exercise or defense by us or third parties of legal claims; or
• a context specific exemption provided for under local laws of EU Member States and other countries implementing the GDPR, such as in relation to the processing of personal data for insurance purposes, or for determining benefits under an occupational pension scheme.

Do we collect information from children?
This site is not intended for children. We do not market any products or services to children under the age of 13. If we become aware that information is or has been submitted by or collected from a child under the age of 13, we will delete the information from our files within the time required by law.

How long do we retain your personal information?
How long we retain your personal information depends on the purpose for which it was obtained and its nature. According to the Center for Medicare & Medicaid Services (CMS), enrollment application data is retained for 10 years. We will keep your personal information for no more than the time required to fulfil the purposes described in this privacy notice unless a longer retention period is permitted by law. We have implemented appropriate measures to ensure your personal information is securely destroyed in a timely and consistent manner when no longer required.

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

Do we disclose your personal information?
Within Alight

We may share your personal information with other Alight entities, brands, divisions, and subsidiaries to serve you, including for the activities listed above.

We do not rent, sell or otherwise disclose personal information with unaffiliated third parties for their own marketing use. We do not share your personal information with third parties except in the following circumstances discussed below.

Business Partners

We disclose personal information to business partners who provide certain specialized services to us, or who co-operate with us on projects. These business partners operate as separate controllers, and are responsible for their own compliance with data protection laws. You should refer to their privacy notices for more information about their practices.

Examples include:

• Employer groups – Employers transitioning their retirees no longer covered due to the Affordable Care Act (ACA) partner with us to provide information regarding health care and potential funding for Health Reimbursement Accounts (HRA).
• Data storing and maintenance – Partners used for programming that allows for maintaining personal information, brokering educational and marketing appointments, and completing enrollments requests. Supporting the customer through all steps of the process can also be handled by the programs used to operate the business

The categories of information shared with our business partners include name, contact and identifiers, customer records, protected classifications, purchase history and tendencies, biometric information, usage data, geolocation data, audio/visual data, employment history, profiles and inferences, and some sensitive data.

Authorized Service Providers, Health Insurance Carriers and Ancillary Partners

We may disclose your information to service providers we have retained (as processors) to perform services on our behalf (either in relation to services performed for our clients, or information which we use for its own purposes, such as marketing). These service providers are contractually restricted from using or disclosing the information except as necessary to perform services on our behalf or to comply with legal requirements. These activities could include any of the processing activities that we carry out as described in the above section, ‘How we use your personal information.’

Examples include:

• IT service providers who manage our IT and back office systems and telecommunications networks;
• marketing automation providers;
• contact center providers.

These third parties appropriately safeguard your data, and their activities are limited to the purposes for which your data was provided.

The categories of information shared with our authorized service providers include name, contact and identifiers, customer records, protected classifications, purchase history and tendencies, biometric information, usage data, geolocation data, audio/visual data, employment history, profiles and inferences, and some sensitive data.

Legal Requirements and Business Transfers

We may disclose personal information (i) if we are required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request. (ii) in response to law enforcement authority or other government official requests, (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, (iv) in connection with an investigation of suspected or actual illegal activity or (v) in the event that we are subject to a merger or acquisition to the new owner of the business, or in the event of the dissolution of our business. Disclosure may also be required for company audits or to investigate a complaint or security threat.

Do we transfer your personal information across geographies?

International Transfers
If you are located outside the United States, your personal information may be maintained by us in the U.S. or in other countries. Even if these countries do not have privacy or data protection laws, we always assure adequate protection for your personal information in compliance with applicable laws.

Due to the laws that govern the Medicare and Medicaid programs, your data is not legally shared nor accessible outside of the United States.

Do we have security measures in place to protect your information?
The security of your personal information is important to us and we have implemented reasonable physical, technical and administrative security standards to protect personal information from loss, misuse, alteration or destruction. We protect your personal information against unauthorized access, use or disclosure, using security technologies and procedures, such as encryption and limited access. Only authorized individuals access your personal information, and they receive training about the importance of protecting personal information.

Our service providers and agents are contractually bound to maintain the confidentiality of personal information and may not use the information for any unauthorized purpose.

What choices do you have about your personal information?
We offer certain choices about how we communicate with our customers and what personal information we obtain about them and share with others. When you provide us with personal details, if we intend to use those details for marketing purposes, we will provide you with the option of whether you wish to receive promotional email, telephone calls and postal mail from us. You can access the Communication Permissions pages at retiree.alight.com. Set up your account or register today. At any time, you may opt out from receiving interest-based marketing and communications from us by visiting your account set-up page or by calling.

You may also choose not to receive marketing communications from us by clicking on the unsubscribe link or other instructions in our marketing emails, visiting the My Account section on our website, or contacting us as noted below.

How can you update your communication preferences?
We take reasonable steps to provide you with communication about your information. You can update your communication preferences in the following ways.

Profile
If you have created a profile or account on one of our websites, you can update your contact information after you log into your account.

Email
Contact us as noted below. If you request electronic communications, you will be able to unsubscribe at any time by following the instructions included in the communication. Please include your current contact information, the information you are interested in accessing and your requested changes.

If we do not provide you with access, we will provide you with the reason for refusal and inform you of any exceptions relied upon.

Other rights regarding your data
Data protection laws vary among countries, with some providing more protection than others. Subject to certain exemptions, and in some cases, particularly if you reside in a jurisdiction with applicable privacy laws, dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information.

Right to Access
You have right to access personal information, and the categories thereof, which we hold about you. If you have created a profile, you can access that information by visiting your account or making a request online or by phone (as provided below).

Right to Rectification
You have a right to request us to correct your personal information where it is inaccurate or out of date.

Right to be Forgotten (Right to Erasure)
You have the right to request under certain circumstances to have your personal information erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data. Furthermore, record will be made of this request, and maintained where legally required on behalf of the CMS.

Right to Restrict Processing
You have the right to restrict the processing of your personal information, but only where:

• its accuracy is contested, to allow us to verify its accuracy; or
• it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
• you have exercised the right to object, and verification of overriding grounds is pending.

Right to Data Portability
You have the right to data portability, which requires us to provide personal information to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) consent; or (ii) the performance of a contract to which you are a party.

Right to Object to Processing
You have the right to object the processing of your personal information at any time, but only where that processing has our legitimate interests as its legal basis. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

Do-Not-Sell
In the preceding twelve (12) months, Alight has sold the following categories of personal information:
Name, contact and identifiers and usage data.

We sell your personal information to the following categories of third parties:
Third-party cookies used to track activity and deliver targeted ads. Further information about our use of cookies and how to opt-out of the sale of your personal information by turning off cookies can be found in our Cookie Notice.

If applicable, how do you exercise these rights?
You can exercise your rights by contacting us at privacy.info@alight.com or by calling +1.877.384.4276 (toll free). Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfill your request.

To verify your identity, please be prepared to offer the following information: you name, address, and telephone number. We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal information requested to you.

You may also be able to designate a power of attorney to make a request regarding these rights on your behalf. If you would like to do so, please have your power of attorney use the contact email or number above and state within their request they are your power of attorney. If needed, Alight will inform the power of attorney of any additional verification data needed to process such request at that time.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Personal Information Sales Opt-Out and Opt-In Rights
You have the right to direct us to not sell your personal information at any time (the "right to opt-out" of sales). The CCPA defines a “sale” as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration. While we do not disclose personal information to third parties in exchange for monetary compensation, we do disclose or make available personal information to third parties in order to receive certain services or benefits from them. Opt-out rights can be exercised by going to our Cookie Notice. We do not sell personal information about California residents who we know are younger than 16 years old without opt-in consent. The personal Information disclosed may fall into the following category: Identifiers and Internet and other Similar Network Activity.

To exercise the right to opt-out, you may indicate your cookie preferences by visiting the following Internet Web page link: "Do Not Sell My Personal Information"

Discrimination: If consumers exercise their rights under CCPA, businesses may not discriminate against them, such as by denying or providing a different level or quality of goods or services or charging or suggesting that a business will charge different prices or rates or impose penalties (unless doing so is reasonably related to the value received from the consumer personal information).

Disclosure of Incentives: If businesses offer any financial incentives for the collection, sale or deletion of their personal information, consumers have the rights to be notified of any financial incentives offers and their material terms, as well as the to not be opted into such offers without prior informed opt-in consent and to be able to opt-out of such offers at any time. Businesses may not offer unjust, unreasonable, coercive or usurious financial incentives. We do not offer any incentives at this time.

Contact Us
If you have any questions, would like further information about our privacy and information handling practices, would like to discuss opt-outs or withdrawing consent, or would like to make a complaint about a breach of the law or this Privacy Notice, please contact the Privacy Officer: privacy.info@alight.com or call +1.877.384.4276 (toll free). Alternatively, you have the right to contact your local Data Protection Authority.

If you have any questions relating to this Notice, please contact us at the Alight Global Privacy Office, 200 E. Randolph, Chicago, Illinois 60601 or privacy.info@alight.com.

Changes to this Notice
We may update this Notice from time to time. When we do, we will post the current version on this site, and we will revise the version date located at the bottom of this page.

We encourage you to periodically review this Notice so that you will be aware of our privacy practices.
This Notice was last updated on December 9, 2019.