CareNav+ Privacy Policy Consumer

CareNav+ Privacy Notice

Effective Date: September 21, 2023

Last Updated: September 21, 2023

Introduction

This Privacy Notice (“Notice”) is provided by Evernorth Care Solutions, Inc. (in either case, "Evernorth" "we", "us" or "our") to users of the CareNav+ website or mobile application (“you”). This Notice describes how we collect, use, and disclose your personal information when you use these services or otherwise use or interact with any services that reference this Notice (collectively, the “Services”).

This Notice does not apply to job applicants and candidates who apply for employment with us, or to employees in the context of our working relationship with them. In addition to users of our Services, this Notice applies to California residents who are representatives, employees, or contact persons of our current, prospective, or former business customers, business partners, or service providers.

The applicable disclosures in this Notice vary based on the type of relationship you have with us and the state in which you live. Many of the Services we provide are offered in our capacity as a business associate under the Health Insurance Portability and Accountability Act (“HIPAA”) to employer health plans, which are regulated as covered entities under HIPAA. Identifiable information for individuals who are eligible for benefits through their employers’ health plans will be treated as protected health information (“PHI”) under HIPAA. This Notice does not apply to PHI. Instead, our use and disclosure of PHI will be subject to the particular business associate agreement between us and an employer health plan and the HIPAA Notice of Privacy Practices issued by that health plan. If you are eligible for health benefits through your employer’s health plan, you should consult your health plan’s Notice of Privacy Practices for details on how your PHI can be used and disclosed.

Our Information Practices

Personal Information We Collect

We collect information that describes or relates to you (“Personal Information” or “Personal Data” as defined under applicable state law). Personal Information does not include:

Publicly available information as defined under applicable state law.
De-identified or aggregated information.
Information excluded from the applicable state laws, including but not limited to PHI governed by HIPAA.

In the past 12 months, we have collected the following categories of Personal Information, which we also will collect through the use of our Services:

Identifiers such as name, contact information, online identifiers, and government-issued ID numbers;
Commercial Information related to services we provide such as medical information, insurance information, and financial information;
Characteristics of Protected Classifications under state or federal law such as age, health information, and medical conditions;
Commercial Information such as transaction information and purchase history;
Internet or Network Activity Information such as browsing history and interactions with our website (for more information, see Section 7 titled “How We Use Cookies” below);
Geolocation Data such as device location;
Audio, Electronic, Visual and Similar Information such as call and video recordings; and
Professional or Employment-Related Information such as place of employment and job title.

We collect this Personal Information directly from you and automatically when you use our Services. We also collect this Personal Information from our affiliates, vendors, joint marketing partners, and social media platforms.

How We Use Personal Information

We use the Personal Information we collect for the following purposes:

Services and Support. To provide and operate our Services, communicate with you about your use of the Services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments and claims, communicate with you about the Services, and for similar service and support purposes.
Analytics and Improvement. To better understand how users access and use the Services, and our other products and offerings, and for other research and analytical purposes, such as to evaluate and improve our Services and business operations, to develop services and features, and for internal quality control and training purposes.
Customization and Personalization. To tailor content we may send or display on the Services, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
Marketing and Advertising. For marketing and advertising purposes. For example, to send you information about our Services, such as offers, promotions, newsletters and other marketing content, as well as any other information that you sign up to receive. We also may use certain information we collect to manage and improve our advertising campaigns so that we can better reach people with relevant content.
Research and Surveys. To administer surveys and questionnaires, such as for market research or member satisfaction purposes.
Infrastructure. To maintain our facilities and infrastructure and undertake quality and safety assurance measures.
Security and Protection of Rights. To protect the Services and our business operations; to protect our rights or those of our stakeholders; to prevent and detect fraud, unauthorized activities and access, and other misuse; conduct risk and security control and monitoring; where we believe necessary, to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our Terms of Use, including our Universal Terms and Site Specific Terms.
Compliance and Legal Process. To comply with the law and our legal obligations, to respond to legal process and related to legal proceedings.
General Business and Operational Support. To consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions.
Business Transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.

We retain the Personal Information we collect only as reasonably necessary for the purposes described above or otherwise disclosed to you at the time of collection. For example, we will retain your account data for as long as you have an active account with us, as well as an additional period of time as necessary to protect, defend or establish our rights, defend against potential claims, comply with our legal obligations.

How We Disclose Personal Information

We may disclose Personal Information for the following purposes:

Operating Services and Sites and Providing Related Support. To provide and operate our Services, communicate with you about your use of the Services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, and for similar service and support purposes.
Business Transfers. If we or our affiliates are or may be acquired by, merged with, or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected from you to the other company. As part of the business transfer process, we may share certain of your Personal Information with lenders, auditors, and third-party advisors, including attorneys and consultants.
In Response to Legal Process. We may disclose your Personal Information to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena.
To Protect You, Us, and Others. We disclose your Personal Information when we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use or this Notice, or as evidence in litigation in which we are involved.

We may disclose the Personal Information that we collect for the purposes described above with the following parties:

Vendors. We may disclose Personal Information we collect to our service providers or agents who perform functions on our behalf. These may include, for example, IT service providers, help desk, payment processors, analytics providers, consultants, auditors, and legal counsel.
Our Affiliates. We may disclose Personal Information we collect to our affiliates or subsidiaries.
Our Business Customers. Any Personal Information that we collect and process on behalf of a business client will be disclosed as directed by that business customer.

Government or Public Authorities. We may disclose Personal Information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our Services, (d) to protect the property, rights, and safety of us, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.

Our Use of Tracking Mechanisms

We may use Software Development Kits (SDKs) cookies, tags, and other tracking mechanisms to track information about your use of our Services, and to provide, customize, evaluate, and improve our Services.

Software Development Kits (SDKs) are programming packages that allow programmers to develop mobile applications that are designed to work on or with a specific platform. We use SDKs to track and measure certain data about how users interact with our mobile application.

A cookie is a small alphanumeric identifier that is placed on your website browser when you visit a website. Cookies are transferred to your device’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate and use our Services, while others are used to allow us to track your activities at our Services. Below are descriptions of the cookies and other technologies we use on our Services.

Session Cookies. Session cookies exist only during an online session. They disappear from your device when you close your browser or turn off your device. We use session cookies to allow our systems to uniquely identify you during a session while accessing our Services. This allows us to display content and provide our Services to you while navigating our Services.
Persistent Cookies. Persistent cookies remain on your device after you have closed your browser or turned off your device. We use persistent cookies to track statistical information about user activity.

Third-Party Analytics. We use third-party tools to evaluate usage of our Services. These third-party analytics companies use technologies similar to cookies to provide us with reports and metrics that help us evaluate usage of our Services, improve our Site, and enhance performance and user experiences.

Tracking Choices

If you wish to prevent cookies and other tracking mechanisms from tracking your activity when you use our Services, there are tools you may be able to use to disable such technologies.

Browser Solutions for Disabling Cookies. If you wish to prevent cookies from tracking your activity on our website or visits across multiple websites, you can set your browser to block certain cookies or notify you when a cookie is set. The Help portion of the toolbar on most browsers will tell you how to prevent your device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Services who disable cookies will be able to browse the Site, but some features may not function.
Do-Not-Track. Some web browsers offer a “Do-Not-Track” setting you can activate to signal your preference not to have data about your online browsing activities monitored and collected. Currently, our Services do not recognize “Do-Not-Track” requests. You may, however, disable certain tracking as discussed in this section (e.g., by disabling cookies).

We are not responsible for the completeness, effectiveness, or accuracy of any third-party opt-out options or programs.

State-Specific Disclosures

This section describes how we collect Personal Information and our information practices related to Personal Information when you visit our website, use our mobile applications, or otherwise interact with us (collectively our “Services”), under the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020, (“CCPA”); Colorado Privacy Act (“CPA”); Connecticut Data Protection Act (“CTDPA”); Virginia Consumer Data Protection Act (“VCDPA”); and the Utah Consumer Privacy Act (“UCPA”). To the extent applicable, these laws will be referred to as “applicable state laws” in this Notice. This Notice applies to the Personal Information we collect from residents of these states. If you are a resident of California, Colorado, Connecticut, Virginia, or Utah please refer to the relevant Privacy Rights section below.

California Privacy Rights

Under the CCPA, California residents have the right to receive certain disclosures regarding our information practices related to “Personal Information,” as defined under the CCPA. To the extent you are a resident of California, and we collect Personal Information subject to CCPA, the following applies:

Disclosures to Third Parties

This section relates to our third-party disclosures. We disclose the Personal Information we collect (as described in the “Our Information Practices” section, above) to the following categories of third parties. We also disclose Personal Information to service providers, as described above in this Notice.

Third party analytics providers
Regulators, government entities, and law enforcement
Affiliates and subsidiaries

Additionally, CCPA defines a "sale" as disclosing or making available to a third-party Personal Information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available Personal Information to a third party for purposes of cross-context behavioral advertising. We do not “sell” or “share” Personal Information for these purposes. We do not sell or share any Personal Information about individuals who we know are under sixteen (16) years old.

Your CCPA Rights

To the extent you are a resident of California, you may have the following rights to your Personal Information:

Right to Access: With respect to the Personal Information we have collected about you in the prior 12 months, you have the right to request from us (up to twice per year and subject to certain exemptions): (i) categories of Personal Information about you we have collected; (ii) the sources from which we have collected that Personal Information; (iii) our business or commercial purposes for collecting, selling, or disclosing that Personal Information; (iv) the categories of third parties to whom we have disclosed that Personal Information; and (v) a copy of the specific pieces of your Personal Information we have collected.
Right to Correct: You have the right to request that we correct inaccuracies in your Personal Information.
Right to Delete: Subject to certain conditions and exceptions, you may have the right to request deletion of Personal Information that we have collected about you.
Right to Opt-Out of Sale/Sharing: You may have the right to opt-out of the “sale” or “sharing” of your Personal Information. We do not “sell” or “share” Personal Information as those terms are used in the CCPA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of the rights described in this section.
Authorized Agent: You may designate someone as an authorized agent to submit requests and act on your behalf. To do so, you must provide us with written permission to allow the authorized agent to act on your behalf.

To make a request for the rights described above, please contact us at Privacy@evernorth.com or mail us at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office.

Please indicate you are making a request pursuant to your “California Privacy Rights.” You must provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your request or, where necessary, to process your request. If we are unable to adequately verify a request, we will notify the requestor. If we are unable to adequately verify a request, we will notify the requestor.

Colorado Privacy Rights

Under the CPA, Colorado residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the CPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Colorado, and we collect Personal Data subject to applicable Colorado law, the following applies.

Right to Access: You have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You have the right to delete the Personal Data provided to us by you.
Right to Data Portability: You have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the CPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Colorado residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling.
Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. You have the right to contact the Colorado Attorney General if you have concerns about the result of the appeal.

Connecticut Privacy Rights

Under the CTDPA, Connecticut residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the CTDPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a Connecticut resident, and we collect Personal Data subject to applicable Connecticut law, the following applies.

Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the CTDPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition, and we do not engage in “targeted advertising” as that term is used in the CTDPA. Connecticut residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling.
Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. If the appeal is denied, we will provide a way for you contact the Attorney General to submit a complaint.

Virginia Privacy Rights

Under the VCDPA, Virginia residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the VCDPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Virginia and we collect Personal Data subject to applicable Virginia law, the following applies.

Right to Access: To confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right of Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller or business where the processing is carried out by automated means.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete Personal Data provided by or obtained about you.
Right to Opt-Out of Sale: Under the VCDPA, a “sale” includes disclosing or making available Personal Information to a third party in exchange for money. We do not “sell” Personal Information under this definition.
Right to Opt-Out of Targeted Ads and Significant Profiling: You may have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling, and we do not engage in targeted marketing as that term is used in the VCDPA. To opt out of targeted marketing, please click on the Opt-Out Link on the bottom of the website homepage.
Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. If the appeal is denied, we will provide a way for you contact the Attorney General to submit a complaint.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@evernorth.com or mail us at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “Virginia Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. Please note, we may deny your request if (1) we are not reasonably capable of associating your request with the Personal Data or it would be unreasonably burdensome for us to associate your request with the Personal Data; (2) we do not use the Personal Data to recognize or respond to you specifically or associate the Personal Data with other Personal Data about you; and (3) we do not sell the Personal Data to any third party or otherwise voluntarily disclose the Personal Data to any third party other than a processor, except as otherwise permitted under Virginia law.

Utah Privacy Rights (Effective December 31, 2023)

Under the Utah Consumer Privacy Act (“UCPA”), Utah residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under UCPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Utah, and we collect Personal Data subject to applicable Utah law, the following applies.

Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of UCPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation. We do not “sell” Personal Information under this definition. We also do not engage in “targeted advertising” under the UCPA. Utah residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, please click on the Opt-Out Link on the bottom of the website homepage.

External Links

Our Services may contain links to unaffiliated websites. Any access to and use of such linked websites is not governed by this Notice, but instead is governed by the privacy policies of those websites. We are not responsible for the information practices of such websites, including their collection of your personal information or PHI. You should review the privacy policies and terms for any third parties before proceeding to those websites or using those features.

Children

Our Services are not designed for children under thirteen (13). Accordingly, we do not knowingly collect information online from children under 13. If we discover that a child under 13 has provided us with information, we will delete such information from our systems.

Changes to our Practices

The Notice is current as of the date set forth above. We may change, update, or modify this Notice from time to time, so please be sure to check back periodically. We will post any updates to this Notice here. If we make any changes that materially affect our practices regarding our use of the personal information we previously collected, we will endeavor to provide you with notice, such as by posting prominent notice on our Site or App.

Changes to our Practices

Contact Information

Contact Us

If you have any questions or concerns regarding this Notice or our privacy practices, you may contact us at Privacy@evernorth.com or mail us at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office.