Evernorth App and Website Privacy Notice

Effective Date: April 25, 2024

Last Updated: April 25, 2024

Version 1.2

Introduction

This Privacy Notice (“Notice”) is provided by Evernorth Health, Inc. ("Evernorth" "we", "us" or "our") to users of the Evernorth Mobile Application (“Evernorth App”) or associated website on which this Notice is posted (“you”). This Notice describes how we collect, use, and disclose your personal information when you use these services or otherwise use or interact with any services that reference this Notice (collectively, the “Services”).

By using our Services and/or providing us your personal information, you acknowledge our practices and agree that your use of the Services will comply with our Terms of Use and any Supplemental Terms of Use, as applicable.

This Notice does not apply to job applicants and candidates who apply for employment with us, or to employees in the context of our working relationship with them. In addition to users of our Services, this Notice applies to California residents who are representatives, employees, or contact persons of our current, prospective, or former business customers, business partners, or service providers.

The applicable disclosures in this Notice vary based on the type of relationship you have with us and the state in which you live. Many of the Services we provide are offered in our capacity as a business associate under the Health Insurance Portability and Accountability Act (“HIPAA”) to employer health plans, which are regulated as covered entities under HIPAA. Identifiable information for individuals who are eligible for benefits through their employers’ health plans will be treated as protected health information (“PHI”) under HIPAA. This Notice does not apply to PHI. Instead, our use and disclosure of PHI will be subject to the particular business associate agreement between us and the health plan. Health plans are responsible for providing their members with HIPAA Notice of Privacy Practices, which includes information about how PHI may be used and disclosed. If you are eligible for health benefits through your employer’s health plan, please consult your health plan’s Notice of Privacy Practices for information about use and disclosure of PHI.

Our Information Practices

Personal Information We Collect

We collect information that describes or relates to you (“Personal Information” or “Personal Data” as defined under applicable state law). Personal Information does not include:

Publicly available information as defined under applicable state law.
De-identified or aggregated information.
Information excluded from the applicable state laws, including but not limited to PHI governed by HIPAA.

In the past 12 months, we may have collected the following categories of Personal Information, which we also will collect through the use of our Services, and may continue to collect these categories through our Services:

Identifiers such as name, contact information, online identifiers, and government-issued ID numbers;
Commercial Information related to services we provide such as medical information, insurance information, and financial information;
Characteristics of Protected Classifications and Sensitive Information under state or federal law such as age, health information, medical conditions, “sensitive personal information,” and “consumer health data” as defined by the Washington My Health My Data Act and described more fully below;
Commercial Information such as transaction information and purchase history;
Internet or Network Activity Information such as browsing history and interactions with our website (for more information, see Section 7 titled “How We Use Cookies” below);
Geolocation Data such as device location;
Audio, Electronic, Visual and Similar Information such as call and video recordings; and
Professional or Employment-Related Information such as place of employment and job title.

We collect this Personal Information directly from you and automatically when you use our Services. We also collect this Personal Information from our affiliates, vendors, joint marketing partners, and other entities, such as Google or Apple when you enable sharing from your wearable device or other application.

How We Use Personal Information

We use the Personal Information we collect for the following purposes:

Services and Support. To provide and operate our Services, communicate with you about your use of the Services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments and claims, communicate with you about the Services, and for similar service and support purposes.
Analytics and Improvement. To better understand how users access and use the Services, and our other products and offerings, and for other research and analytical purposes, such as to evaluate and improve our Services and business operations, to develop services and features, and for internal quality control and training purposes.
Customization and Personalization. To tailor content we may send or display on the Services, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
Marketing and Advertising. For marketing and advertising purposes. For example, to send you information about our Services, such as offers, promotions, newsletters and other marketing content, as well as any other information that you sign up to receive. We also may use certain information we collect to manage and improve our advertising campaigns so that we can better reach people with relevant content.
Research and Surveys. To administer surveys and questionnaires, such as for market research or member satisfaction purposes.
Infrastructure. To maintain our facilities and infrastructure and undertake quality and safety assurance measures.
Authentication. To authenticate or confirm your identity.
Security and Protection of Rights. To protect the Services and our business operations; to protect our rights or those of our stakeholders; to prevent and detect fraud, unauthorized activities and access, and other misuse; conduct risk and security control and monitoring; where we believe necessary, to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our Terms of Use, including our Universal Terms and Site Specific Terms, as applicable.
Compliance and Legal Process. To comply with the law and our legal obligations, to respond to legal process and related to legal proceedings.
General Business and Operational Support. To consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions.
Business Transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.
Deidentification. We may also aggregate or de-identify data by removing identifying details so it no longer identifies an individual. If we de-identify the data, we will not attempt to reidentify it.

We retain the Personal Information we collect only as reasonably necessary for the purposes described above or otherwise disclosed to you at the time of collection. For example, we will retain your account data for as long as you have an active account with us, as well as an additional period of time as necessary to protect, defend or establish our rights, defend against potential claims, comply with our legal obligations.

How We Disclose Personal Information

We may disclose Personal Information for the following purposes:

Operating Services and Sites and Providing Related Support. To provide and operate our Services, communicate with you about your use of the Services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, and for similar service and support purposes.
Business Transfers. If we or our affiliates are or may be acquired by, merged with, or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected from you to the other company. As part of the business transfer process, we may share certain of your Personal Information with lenders, auditors, and third-party advisors, including attorneys and consultants.
In Response to Legal Process. We may disclose your Personal Information to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena.

To Protect You, Us, and Others. We disclose your Personal Information when we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use or this Notice, or as evidence in litigation in which we are involved.

We may disclose the Personal Information that we collect for the purposes described above with the following parties:

Vendors. We may disclose Personal Information we collect to our service providers or agents who perform functions on our behalf. These may include, for example, IT service providers, help desk, payment processors, analytics providers, consultants, auditors, and legal counsel.
Our Affiliates. We may disclose Personal Information we collect to our affiliates or subsidiaries. Text message consent and data will be disclosed in accordance with the consent you have provided.
Our Business Customers. Any Personal Information that we collect and process on behalf of a business client will be disclosed as directed by that business customer.
Government or Public Authorities. We may disclose Personal Information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our Services, (d) to protect the property, rights, and safety of us, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.

Our Use of Tracking Mechanisms

We may use Software Development Kits (SDKs) cookies, pixels, tags, and other tracking mechanisms to track information about your use of our Services, and to provide, customize, evaluate, and improve our Services.

Software Development Kits (SDKs) are programming packages that allow programmers to develop mobile applications that are designed to work on or with a specific platform. We use SDKs to track and measure certain data about how users interact with our mobile application.

A cookie is a small alphanumeric identifier that is placed on your website browser when you visit a website. Cookies are transferred to your device’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate and use our Services, while others are used to allow us to track your activities at our Services. Below are descriptions of the cookies and other technologies we use on our Services.

Session Cookies. Session cookies exist only during an online session. They disappear from your device when you close your browser or turn off your device. We use session cookies to allow our systems to uniquely identify you during a session while accessing our Services. This allows us to display content and provide our Services to you while navigating our Services.
Persistent Cookies. Persistent cookies remain on your device after you have closed your browser or turned off your device. We use persistent cookies to track statistical information about user activity.

Third-Party Analytics. We use third-party tools to evaluate usage of our Services. These third-party analytics companies use technologies similar to cookies to provide us with reports and metrics that help us evaluate usage of our Services, improve our Site, and enhance performance and user experiences.

Session Replay/Session Recording Technologies. We may use session replay or session recording technologies so we can diagnose problems with our Services and identify areas for improvement. The data collected by this technology is not accessible by or shared with third parties or service providers.

Tracking Choices

If you wish to prevent cookies and other tracking mechanisms from tracking your activity when you use our Services, there are tools you may be able to use to disable such technologies. For instance, you can set your browser to block certain cookies or notify you when a cookie is set. The Help portion of the toolbar on most browsers will tell you how to prevent your device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Services who disable cookies will be able to browse the Services, but some features may not function.

We are not responsible for the completeness, effectiveness, or accuracy of any third-party opt-out options or programs.

State-Specific Disclosures

This section describes how we collect Personal Information and our information practices related to Personal Information when you visit our website, use our mobile applications, or otherwise interact with us (collectively our “Services”), under the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020, (“CCPA”); Colorado Privacy Act (“CPA”); Connecticut Data Protection Act (“CTDPA”); Virginia Consumer Data Protection Act (“VCDPA”); the Utah Consumer Privacy Act (“UCPA”) and the Washington My Health My Data Act (“MHMDA”). To the extent applicable, these laws will be referred to as “applicable state laws” in this Notice. This Notice applies to the Personal Information we collect from residents of these states.If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or Washington please refer to the relevant section(s) below.

California Privacy Rights

Under the CCPA, California residents have the right to receive certain disclosures regarding our information practices related to “Personal Information,” as defined under the CCPA. To the extent you are a resident of California, and we collect Personal Information subject to CCPA, the following applies:

Disclosures to Third Parties

This section relates to our third-party disclosures. We disclose the Personal Information we collect (as described in the “Our Information Practices” section, above) to the following categories of third parties. We also disclose Personal Information to service providers, as described above in this Notice.

Third party analytics providers
Regulators, government entities, and law enforcement
Affiliates and subsidiaries

Additionally, CCPA defines a "sale" as disclosing or making available to a third-party Personal Information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available Personal Information to a third party for purposes of cross-context behavioral advertising. We do not “sell” or “share” Personal Information for these purposes. We do not sell or share any Personal Information about individuals who we know are under sixteen (16) years old.

Your CCPA Rights

To the extent you are a resident of California, you may have the following rights to your Personal Information:

Right to Access: With respect to the Personal Information we have collected about you in the prior 12 months, you have the right to request from us (up to twice per year and subject to certain exemptions): (i) categories of Personal Information about you we have collected; (ii) the sources from which we have collected that Personal Information; (iii) our business or commercial purposes for collecting, selling, or disclosing that Personal Information; (iv) the categories of third parties to whom we have disclosed that Personal Information; and (v) a copy of the specific pieces of your Personal Information we have collected.
Right to Correct: You have the right to request that we correct inaccuracies in your Personal Information.
Right to Delete: Subject to certain conditions and exceptions, you may have the right to request deletion of Personal Information that we have collected about you.
Right to Opt-Out of Sale/Sharing: You may have the right to opt-out of the “sale” or “sharing” of your Personal Information. We do not “sell” or “share” Personal Information as those terms are used in the CCPA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of the rights described in this section.
Authorized Agent: You may designate someone as an authorized agent to submit requests and act on your behalf. To do so, you must provide us with written permission to allow the authorized agent to act on your behalf.

To make a request for the rights described above, please contact us at Privacy@evernorth.com or mail us at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office.

Please indicate you are making a request pursuant to your “California Privacy Rights.” You must provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your request or, where necessary, to process your request. If we are unable to adequately verify a request, we will notify the requestor. If we are unable to adequately verify a request, we will notify the requestor.

Colorado Privacy Rights

Under the CPA, Colorado residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the CPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Colorado, and we collect Personal Data subject to applicable Colorado law, the following applies.

Right to Access: You have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You have the right to delete the Personal Data provided to us by you.
Right to Data Portability: You have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the CPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Colorado residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling.
Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. You have the right to contact the Colorado Attorney General if you have concerns about the result of the appeal.

Connecticut Privacy Rights

Under the CTDPA, Connecticut residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the CTDPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a Connecticut resident, and we collect Personal Data subject to applicable Connecticut law, the following applies.

Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the CTDPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition, and we do not engage in “targeted advertising” as that term is used in the CTDPA. Connecticut residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling.
Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. If the appeal is denied, we will provide a way for you contact the Attorney General to submit a complaint.

Virginia Privacy Rights

Under the VCDPA, Virginia residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the VCDPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Virginia and we collect Personal Data subject to applicable Virginia law, the following applies.

Right to Access: To confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right of Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller or business where the processing is carried out by automated means.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete Personal Data provided by or obtained about you.
Right to Opt-Out of Sale: Under the VCDPA, a “sale” includes disclosing or making available Personal Information to a third party in exchange for money. We do not “sell” Personal Information under this definition.
Right to Opt-Out of Targeted Ads and Significant Profiling: You may have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling, and we do not engage in targeted marketing as that term is used in the VCDPA.
Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. If the appeal is denied, we will provide a way for you contact the Attorney General to submit a complaint.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@evernorth.com or mail us at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “Virginia Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. Please note, we may deny your request if (1) we are not reasonably capable of associating your request with the Personal Data or it would be unreasonably burdensome for us to associate your request with the Personal Data; (2) we do not use the Personal Data to recognize or respond to you specifically or associate the Personal Data with other Personal Data about you; and (3) we do not sell the Personal Data to any third party or otherwise voluntarily disclose the Personal Data to any third party other than a processor, except as otherwise permitted under Virginia law.

Utah Privacy Rights

Under the Utah Consumer Privacy Act (“UCPA”), Utah residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under UCPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Utah, and we collect Personal Data subject to applicable Utah law, the following applies.

Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of UCPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation. We do not “sell” Personal Information under this definition. We also do not engage in “targeted advertising” under the UCPA. Utah residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling.

Washington State Consumer Health Data Privacy Notice

Consumer Health Data Collected

The personal information, including consumer health data, we collect varies based on your relationship with us. For example, if you visit our website or mobile application we may collect personal information through tracking technologies essential to running our website or mobile application. Or, if you visit our physical premises in Washington, if any, we may collect video surveillance or other information that could incidentally include consumer health data.

We may collect the following categories of consumer health data:

Individual health conditions, treatment, diseases, or diagnosis;
Social, psychological, behavioral, and medical interventions;
Health-related surgeries or procedures;
Use or purchase of prescribed medication;
Bodily functions, vital signs, symptoms, or measurements of other types of consumer health data;
Diagnoses or diagnostic testing, treatment, or medication;
Gender-affirming care information;
Reproductive or sexual health information;
Biometric data;
Genetic data;
Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
Data that identifies a consumer seeking health care services; and
Other information that may be processed to derive or infer data related to the above or other consumer health data.

The categories of consumer health data above may include the following personal information, when collected in connection with your past, present, or future physical or mental health status:

Identifiers such as name, contact information, online identifiers, and government-issued ID numbers;
Characteristics of Protected Classifications under state or federal law such as age, health information, medical conditions, and “consumer health data” as defined by MHMDA;
Commercial Information such as transaction information and purchase history;
Internet or Network Activity Information such as browsing history, interactions with our website, Internet Protocol (IP) address, Media Access Control (MAC) address; operating system and version; Internet browser type and version;
Geolocation Data such as device location; and
Audio, Electronic, Visual and Similar Information such as call and video recordings;

We process any deidentified consumer health data only in a deidentified fashion and will not attempt to reidentify such data.

Why We Collect and Use Consumer Health Data

To the extent we collect your Consumer Health Data as described above, we may use it for the following purposes:

Services and Support. To provide and operate our Services, communicate with you about your use of the Services, provide you with information about our Services, including information about health care, health related services, resources and benefits that will help you manage your health; sending administrative information to you, such as changes to our terms, conditions, and policies; provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments and claims, communicate with you about the Services, complete transactions, provide quotes; and to provide our insurance products or services requested by consumers;
Analytics and Improvement. To better understand how you access and use the Services, and for other internal research and analytical purposes, such as to evaluate and improve our Services and business operations and for internal quality control and training purposes;
Research and Surveys. To administer surveys and questionnaires, such as for customer engagement purposes;
Infrastructure. To maintain our facilities and infrastructure and undertake quality and safety assurance measures;
Authentication. To authenticate or confirm your identity;
Security and Protection of Rights. To protect the Services and our business operations; to protect our rights or those of our stakeholders; to prevent and detect fraud, unauthorized activities and access, and other misuse; conduct risk and security control and monitoring; where we believe necessary, to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our Terms of Use as well as any additional terms specific to the site;
Compliance and Legal Process. To comply with the law and our legal obligations, to respond to legal process and related to legal proceedings;
General Business and Operational Support. To consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions; and
Business Transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.
Deidentification. We may also aggregate or de-identify data by removing identifying details so it no longer identifies an individual. If we de-identify the data, we will not attempt to reidentify it.

Categories of Sources

We generally collect personal information, including consumer health data, from the following categories of sources:

Directly from you and automatically;
Our affiliates; and
Our vendors

Our Sharing of Consumer Health Data

The categories of third parties and other recipients with whom we may share consumer health data as necessary to provide our products and services requested by consumers are:

Our affiliates (a full list of specific affiliates is available here);
Or business customers (as directed by that business partner);
Government or public authorities if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our services, (d) to protect the property, rights, and safety of us, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.

How to Exercise Your Rights

MHMDA grants certain rights including a right of access and deletion, subject to certain exceptions.

If you would like to exercise your rights under the MHMDA, you may make a request by contacting us at Privacy@evernorth.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “Washington Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records.

If your request to exercise a right under the MHMDA is denied, you may appeal the denial. A method for submitting an appeal will be contained in our response. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint.

Nevada Consumer Health Data Privacy Rights

Under the NHDPA, Nevada residents and those whose consumer health data is collected in Nevada have the right to receive certain disclosures regarding a business’ processing of “Consumer Health Data,” which is a type of Personal Information, defined by NHDPA. Consumer Health Data means Personal Information that is linked or reasonably capable of being linked to a consumer and that is used by a regulated entity to identify the past, present or future health status of a consumer. This data may vary depending on your relationship with us. For example, we may collect consumer health data when administering a prescription discount card, or verifying your eligibility for benefits under a program we administer.

In connection with the identifiers described above, we may collect the following categories of consumer health data:
Individual health conditions or status, disease or diagnosis;
Social, psychological, behavioral, and medical interventions;
Surgeries or other health-related procedures;
The use or acquisition of medication;
Bodily functions, vital signs, symptoms;
Reproductive or sexual health care information;
Gender-affirming care information;
Certain Biometric data;
Certain Genetic data;
Information related to the precise geolocation information of a consumer that a indicates an attempt by a consumer to receive health care services or products; and
Other information that is derived or extrapolated from information that is not consumer health data that is a proxy or used to infer data related to the above.

NHDPA grants certain rights including a right of access and deletion, subject to certain exceptions. If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@evernorth.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “Nevada Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. If your request to exercise a right under the NHDPA is denied, you may appeal the denial.

Montana Consumer Data Privacy Act (Effective October 1, 2024)

Under the MCDPA, Montana residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” and defined under MCDPA, as well as certain rights with respect to processing of such Personal Data. To the extent you are a resident of Montana, and we collect Personal Data subject to applicable law, the following applies.

Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the MCDPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Montana residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Opt-Out Link on the bottom of the website homepage.
Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@evernorth.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “Montana Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. If your request to exercise a right under the MCDPA is denied, you may appeal the denial.

Oregon Privacy Rights (Effective July 1, 2024)

Under the OCPA, Oregon residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” and defined under OCPA, as well as certain rights with respect to processing of such Personal Data. To the extent you are a resident of Oregon, and we collect Personal Data subject to applicable law, the following applies.

Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the OCPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Oregon residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Opt-Out Link on the bottom of the website homepage.
Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@evernorth.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “Oregon Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. If your request to exercise a right under the OCPA is denied, you may appeal the denial.

Texas Privacy Rights (Effective July 1, 2024)

Under the TDPSA, Texas residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” and defined under TDPSA, as well as certain rights with respect to processing of such Personal Data. To the extent you are a resident of Texas, and we collect Personal Data subject to applicable law, the following applies.

Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the TDPSA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Texas residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Opt-Out Link on the bottom of the website homepage.
Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@evernorth.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “Texas Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records.

External Links

Our Services may contain links to unaffiliated websites. Any access to and use of such linked websites is not governed by this Notice, but instead is governed by the privacy policies or notices of those websites. We are not responsible for the information practices of such websites, including their collection of your personal information or PHI. You should review the privacy policies and terms for any third parties before proceeding to those websites or using those features.

Children

Our Services are not designed for children under thirteen (13). Accordingly, we do not knowingly collect information online from children under 13. If we discover that a child under 13 has provided us with information, we will delete such information from our systems.

Changes to our Practices

The Notice is current as of the date set forth above. We may change, update, or modify this Notice from time to time, so please be sure to check back periodically. We will post any updates to this Notice here. If we make any changes that materially affect our practices regarding our use of the personal information we previously collected, we will endeavor to provide you with notice, such as by posting prominent notice on our Site or App.

Contact Information

Contact Us

If you have any questions or concerns regarding this Notice or our privacy practices, you may contact us at Privacy@evernorth.com or mail us at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Contact us by phone toll-free at 1-800-244-6224.