SPROUT WELLNESS SOLUTIONS

PRIVACY POLICY

Effective as of January 5, 2024

TELUS Health (Canada) Ltd. (hereinafter "Provider", "Us", "We" or "Our") is offering an industry-leading workplace wellness platform named Sprout At Work. The platform empowers organizations to embrace wellbeing and improve health & wellness for every user employee ("Services"). 

We are committed to transparency in the collection, use and disclosure of information that directly or indirectly identifies you (“Personal Information”). This Privacy Policy explains how and why we collect, use and disclose your Personal Information on our Services. As part of our Services, we provide a Privacy setting where you can manage your privacy settings. Note that all settings such as notifications and personalization require you to opt out. If you do not wish to receive notifications or personalize your profile, for example, please adjust your Privacy settings accordingly. You must read this Privacy Policy before using our Services. If you have any questions about our privacy practices, please contact us at privacyhealth@telus.com.

0. Types of Personal Information that We Collect

The following is a list of the types of information that we may collect through our Services. Please note that the types of Personal Information collected about you will depend on the activities in which you participate:

  • Identity Data includes your first name, last name, department or group, unique ID such as your employee ID, or other similar identifiers. 
  • Contact Data includes mailing address, email address and telephone number(s).
  • Profile Data includes profile photo, groups you belong to, events you are attending, challenges you are participating in, badges you have received, rewards you have redeemed.
  • Activity Data includes information collected through devices such as smartwatches that you have chosen to sync with your account and other data about your activities that you may enter manually through the Service.
  • Health and Wellness Data includes height, weight, waist circumference, heart rate, blood pressure, medical history, and family health history. You may also choose to contribute lifestyle habits and interests such as book clubs, meal recipes, parenting tips and financial wellness, as well as your personal wellness goals. 
  • Opinion Data includes any communications with other users through our Services, including our participation forums, message board, streams and/or on leaderboards. 
  • Technical Data includes internet protocol (IP) address, your mobile device’s unique ID number, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Services.
  • Usage Data includes information about how you use the Services, such as the buttons, controls, products and ads you click on, pages of our Services that you visit, the time spent on those pages, your search queries, and the dates and times of your visits, as well as information about the webpage you were visiting before you came to our Services and the webpage or app(s) you go to next.

By using the Services, you authorize the provider to collect, store, and use your Personal Information in accordance with this Privacy Policy. 

1. Purpose and Legal Basis for your Personal Information

We collect your Personal Information for the following purposes, and we rely on the legal basis for processing identified below:

  • Identity Data: We collect and process your Identity Data for the purpose of registering and maintaining your account with our Services and with the Program Provider. We also collect and process this data to prevent, detect, and investigate fraud or security incidents. The legal basis for processing your Identity Data is to perform a contract with you.
  • Contact Data: We collect and process your Contact Data for the purpose of verifying your account details, contacting you with account information, and sending you relevant materials about our Services according to your preferences. We may also use the region that you have identified in our aggregated research and analytics and for quality improvement purposes. The legal basis for processing your Contact Data is to perform our contract with you. We also rely on our legitimate interest to use anonymized and aggregated data for the purpose of quality improvement and product development for our Services. 
  • Profile Data: We collect and process your Profile Data for the purpose of allowing you to personalize your profile, help your colleagues identify you in the Service, including the Program Provider, if you choose to be identified, help us verify your account, showcase your achievements on the Leaderboard, if applicable, and to resolve any inquiries or complaints. The legal basis for processing your Profile Data is to perform a contract with you.
  • Health and Wellness Data: We collect and process your Health and Wellness Data for the purpose of helping you organize and assess your health and wellness statistics, manage rewards and benefits to you through the Services, to offer you personalized recommendations for wellness content in our online newsletters, and to recommend programs you may wish to join through our Services. We also use anonymized information to train our machine learning algorithms and processes. We use any Health and Wellness Data that you contribute to our Wellness Survey for the purpose of determining and sharing a Wellbeing Score. The purpose of this data processing is to provide you with more personalized and relevant services, and to help you assess and track your wellbeing metrics. The legal basis for processing your Health and Wellness Data is consent.
  • Activity Data: We collect and process your Activity Data for the purpose of helping you organize and store your activity achievements, tracking your achievements on the Leaderboard for your organization (if applicable), and to provide rewards and activity incentives. The legal basis for processing your Activity Data is performance of a contract with you. We also rely on our legitimate interest to process this data for internal quality improvement purposes including training our algorithms to better calibrate incentives to activities. 
  • Opinion Data: We collect and process Opinion Data for the purpose of enabling community-building through our Services and to stimulate positive incentives for health and wellness. Where we enable the sharing of Opinion Data, you may control the extent of your engagement and opt in to or opt out of certain forms of engagement through our Services, either through your “Privacy Settings” in your account or through some similar mechanism. We may record and store archives of these communications on the provider-controlled servers to protect the safety and wellbeing of our users. The legal basis for processing your Opinion Data is your consent and our legitimate interest in protecting safe and respectful communications in our Services.
  • Technical Data: We collect and process your Technical Data for the purpose of understanding your use of the Services and to troubleshoot technical issues when using the Services. We also process this data for quality improvement purposes to create a better user experience with the provider. The legal basis for processing your Technical Data is our legitimate interest to administer a high quality, easy to navigate, engaging and well-functioning wellness platform, and to provide timely and appropriate technical support to our users as needed.   
  • Usage Data: We collect and process your Usage Data for training and quality assurance purposes, to understand how you use our Service, to identify and resolve technical issues with our Service and to improve user experience on our platform. The legal basis for processing your Usage Data is our legitimate interest in quality improvement of our Services and technical assistance. 

2. How We Collect Your Personal Information

From your Program Provider: As part of your eligibility for the Services, your employer or other entity who invited you to join the provider service under their subscription (“Program Provider”) may provide the provider with certain information about you. This may include the information necessary to verify your identity when you register for the Services and to manage your account on an ongoing basis, and such other information as may be provided by your Program Provider. If you do not want the provider to receive this information, please contact your Program Provider and ask them to stop sending the provider any information about you. Please note that this may make you ineligible to participate in the Program.

Directly from You: You may provide Personal Information directly to the provider. You may do so by entering information directly into the Service, engaging with the Service, responding to questionnaires or surveys, or similar.

Through automated technologies or interactions with devices you choose to sync with the Service: You can choose to allow certain wearable devices and mobile applications to sync data to the Service. You can modify these permissions at any time through the connected devices setting of the Services. Further, when you access our website or otherwise use the Service, we may automatically collect your Technical Data and Usage Data. The data are typically collected through the use of server log files or web log files, mobile device software development kits and tracking technologies like browser cookies.

3. With Whom We Share your Personal Information

We may share your Personal Information as follows:

Your Program Provider: We may share with your Program Provider the necessary information for them to administer your incentives, to manage your account and to otherwise act as Service administrator. We will share information directly with Your Program Provider only to the extent needed for the administration of your incentives, such as calculation of health plan premium discounts, applicable taxation, reward redemption, or other arrangements for which such information is relevant. Where we reasonably believe that there may be a risk of imminent harm to you or someone else and we reasonably believe that your Program Provider is best placed to act, we may also share such information with your Program Provider. We may also share aggregated or de-identified information with other providers to your Program Provider at the request of your Program Provider.

For US users: if your Program Provider is considered a Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA), we may be obligated to disclose any information collected on the platform.

Third-Party Service Providers (or, Processors): Your information may be disclosed, stored and/or transferred (or otherwise made available) to our affiliates and other third parties who provide services on our behalf such as email services. Our service providers are given the information they need to perform their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes. Our service providers are contractually bound to use Your Personal Information only as instructed by us, and they are required to have data security mechanisms as stringent as ours.

Legal and Compliance. We and our service providers may provide your Personal Information in response to a search warrant or other legally valid inquiry or order, or to another organization for the purposes of investigating a breach of an agreement or contravention of law or detecting, suppressing or preventing fraud, or as otherwise required or permitted by applicable Canadian, US or other law or legal process. Your Personal Information may also be disclosed where necessary for the establishment, exercise or defence of legal claims and to investigate or prevent actual or suspected loss or harm to persons or property.

Sale or Merger. Personal Information may be provided to third parties in connection with a business transaction, including a merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of the provider or as part of a corporate reorganization, or stock or asset sale, or other change in corporate control, including for the purpose of determining whether to proceed or continue with such transaction or business relationship.

Aggregated Data. We may create and share aggregated data that does not identify you with third parties and the public in a variety of ways. When we provide this information, we take technical measures to ensure that the data does not identify you and cannot be associated back to you.

4. Personal Information of Minors

Our Services are not intended for children under the age of 16 and We do not knowingly collect any personal information from such children. Children under the age of 16 should not use our Services at any time. In the event that We learn that We have inadvertently gathered personal information from children under the age of 16, We will take reasonable measures to promptly erase such information from our records.

5. Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal information. You may have the right to:

  • Request access to your Personal Information. This enables you to receive a copy of the Personal Information we hold about you and to check that we are lawfully processing it.
  • Request correction of the Personal Information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
  • Request erasure of your Personal Information. This enables you to ask us to delete or remove Personal Information where there is no legitimate basis for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your Personal Information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information in the following scenarios: (a) if you want us to establish the information's accuracy; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us using the details set out below.

You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

6. How We Protect Your Personal Information

We have implemented reasonable administrative, technical and physical measures in an effort to safeguard the Personal Information in our custody and control against theft, loss and unauthorized access, use, modification and disclosure. We restrict access to your personal information on a need-to-know basis to employees and authorized service providers who require access to fulfill their job requirements.

For user accounts registered directly with the provider, profile information is protected by the password each member uses to access their online account. It is important that you protect and maintain the security of your account and that you immediately notify Us of any unauthorized use of your account. If you forget the password to your account, the website allows you to request that instructions be sent to you that explain how to reset your password. When you sign into your account, we encrypt the transmission of that information using Secure Sockets Layer technology (“SSL”).

While We take reasonable precautions against possible security breaches of our websites and our customer databases and records, no website or Internet transmission is completely secure, and we cannot guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. We urge you to take steps to keep your personal information safe (including your account password), and to log out of your account after use. If your third-party site account is hacked, this may lead to the unauthorized use of the provider service you have registered to use, so be careful to keep your account information secure. If you have questions about the security of our websites, please contact Us at privacyhealth@telus.com.

7. Our Retention of Your Information

We have Personal Information retention processes designed to retain Personal Information for no longer than necessary for the purposes stated above or to otherwise meet legal requirements. For more information about our retention processes, please contact Us at privacyhealth@telus.com.

8. International Transfers

Your Personal Information may be transferred outside the jurisdiction in which you are situated and may become subject to the laws of the receiving jurisdiction, which may differ from the laws of your jurisdiction. For any Personal Information of European Data Subjects that we collect and process outside the European Economic Area, we rely on robust data processing agreements containing Standard Contractual Clauses approved by the European Commission, or on another approved or legal method, to ensure that it is treated securely and in accordance with this Privacy Policy.

9. Third-Party Links

Our Services may contain links to other websites that are not owned or controlled by us. We do not endorse or review, and we are not responsible for, the privacy policies of or content displayed on such other websites. When you click on such a link, you will leave our Services and another entity may collect Personal Information from you. You are responsible for reading and agreeing to the Privacy Policy and Terms of Service of any third-party links accessed through our Services.

9.1 Google Fit API

The provider’s platform use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

10. Changes to Our Privacy Policy

We may update this Privacy Policy to reflect changes to our privacy practices. We encourage you to periodically review this page for the latest information on our privacy practices. If we decide to make material changes to our Privacy Policy, we will notify you and other users by placing a notice on Sproutatwork.com or by sending you a notice to the e-mail address we have on file for you. We may supplement this process by placing notices in our Services and on other Provider websites. You should periodically check Sproutatwork.com and this privacy page for updates.

11. Challenging Compliance and Contacting Us

Please contact our Privacy Officer at privacyhealth@telus.com or 25 York Street, Suite 2100, Toronto, Ontario, Canada, M5J 2V5 if:

  • you have any questions or comments about this Privacy Policy,
  • you wish to access, update, and/or correct inaccuracies in your personal information, or
  • you otherwise have a question or complaint about the manner in which we or our service providers treat your personal information.

If you are dissatisfied with our response, you have the option of contacting the appropriate supervisory authority or Privacy Commissioner in your jurisdiction. A list of European Data Protection Supervisors is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en

In the United Kingdom, you may contact https://ico.org.uk/make-a-complaint/ 

In Canada, you may contact https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/file-a-complaint-about-a-business/ or one of the applicable provincial commissioners.