SPROUT WELLNESS SOLUTIONS
PRIVACY POLICY
Effective as of January 5, 2024
TELUS Health (Canada) Ltd. (hereinafter "Provider", "Us", "We" or "Our") is offering an industry-leading workplace wellness platform named Sprout At Work. The platform empowers organizations to embrace wellbeing and improve health & wellness for every user employee ("Services").
We are committed to transparency in the collection, use and disclosure of information that directly or indirectly identifies you (“Personal Information”). This Privacy Policy explains how and why we collect, use and disclose your Personal Information on our Services. As part of our Services, we provide a Privacy setting where you can manage your privacy settings. NOTE that all settings such as notifications and personalization require you to opt-out. If you do not wish to receive notifications or personalize your profile, for example, please adjust your Privacy settings accordingly. You must read this Privacy Policy before using our Services. If you have any questions about our privacy practices, please contact us at privacyhealth@telus.com.
The following is a list of the types of information that we may collect through its Services. Please note that the types of Personal Information collected about you will depend on the activities in which you participate:
By using the Services, you authorize the provider to collect, store, and use your Personal Information in accordance with this Privacy Policy.
We collect your Personal Information for the following purposes, and we rely on the legal basis for processing identified below:
From your Program Provider: As part of your eligibility for the Services, your employer or other entity who invited you to join the provider service under their subscription (“Program Provider”) may provide the provider with certain information about you. This may include the information necessary to verify your identity when you register for the Services and to manage your account on an ongoing basis, and such other information as may be provided by your Program Provider. If you do not want the provider to receive this information, please contact your Program Provider and ask them to stop sending the provider any information about you. Please note that this may make you ineligible to participate in the Program.
Directly from You: You may provide Personal Information directly to the provider. You may do so by entering information directly into the Service, engaging with the Service, responding to questionnaires or surveys, or similar.
Through automated technologies or interactions with devices you choose to synch with the Service: You can choose to allow certain wearable devices and mobile applications to sync data to the Service. You can modify these permissions at any time through the connected devices setting of the Services. Further, when you access our website or otherwise use the Service, we may automatically collect your Technical Data and User Data. The data are typically collected through the use of server log files or web log files, mobile device software development kits and tracking technologies like browser cookies.
We may share your Personal Information as follows:
Your Program Provider: We may share with your Program Provider the necessary information for them to administer your incentives, to manage your account and to otherwise act as Service administrator. We will share information directly with Your Program Provider only to the extent needed for the administration of your incentives, such as calculation of health plan premium discounts, applicable taxation, reward redemption, or other arrangements for which such information is relevant. Where we reasonably believe that there may be a risk of imminent harm to you or someone else and we reasonably believe that your Program Provider is best placed to act, we may also share such information with your Program Provider. We may also share aggregated or de-identified information with other providers to your Program Provider at the request of your Program Provider.
For US users: if your Program Provider is considered a Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA), we may be obligated to disclose any information collected on the platform.
Third-Party Service Providers (or, Processors): Your information may be disclosed, stored and/or transferred (or otherwise made available) to our affiliates and other third parties who provide services on our behalf such as email services. Our service providers are given the information they need to perform their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes. Our service providers are contractually bound to use Your Personal Information as instructed by us only and they are required to have as stringent data security mechanisms as we have.
Legal and Compliance. We and our service providers may provide your Personal Information in response to a search warrant or other legally valid inquiry or order, or to another organization for the purposes of investigating a breach of an agreement or contravention of law or detecting, suppressing or preventing fraud, or as otherwise required or permitted by applicable Canadian, US or other law or legal process. Your Personal Information may also be disclosed where necessary for the establishment, exercise or defence of legal claims and to investigate or prevent actual or suspected loss or harm to persons or property.
Sale or Merger. Personal Information may be provided to third parties in connection with a business transaction, including a merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of the provider or as part of a corporate reorganization, or stock or asset sale, or other change in corporate control, including for the purpose of determining whether to proceed or continue with such transaction or business relationship.
Aggregated Data. We may create and share aggregated data that does not identify you with third parties and the public in a variety of ways. When we provide this information, we take technical measures to ensure that the data does not identify you and cannot be associated back to you.
Our Services are not intended for children under the age of 16 and We do not knowingly collect any personal information from such children. Children under the age of 16 should not use our Services at any time. In the event that We learn that We have inadvertently gathered personal information from children under the age of 16, We will take reasonable measures to promptly erase such information from our records.
Under certain circumstances, you have rights under data protection laws in relation to your personal information. You may have the right to:
If you wish to exercise any of the rights set out above, please contact us using the details set out below.
You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We have implemented reasonable administrative, technical and physical measures in an effort to safeguard the Personal Information in our custody and control against theft, loss and unauthorized access, use, modification and disclosure. We restrict access to your personal information on a need-to-know basis to employees and authorized service providers who require access to fulfill their job requirements.
For user accounts registered directly with the provider profile information is protected by the password each member uses to access their online account. It is important that you protect and maintain the security of your account and that you immediately notify Us of any unauthorized use of your account. If you forget the password to your account, the website allows you to request that instructions be sent to you that explain how to reset your password. When you sign into your account, we encrypt the transmission of that information using secure socket layer technology (“SSL”).
While We take reasonable precautions against possible security breaches of our websites and our customer databases and records, no website or Internet transmission is completely secure, and we cannot guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. We urge you to take steps to keep your personal information safe (including your account password), and to log out of your account after use. If your third-party site account is hacked, this may lead to the unauthorized use of the provider service you have registered to use, so be careful to keep your account information secure. If you have questions about the security of our websites, please contact Us at privacyhealth@telus.com.
We have Personal Information retention processes designed to retain Personal Information for no longer than necessary for the purposes stated above or to otherwise meet legal requirements. For more information about our retention processes, please contact Us at privacyhealth@telus.com.
Your Personal Information may be transferred outside the jurisdiction in which you are situated and may become subject to the laws of the receiving jurisdiction, which may differ from the laws of your jurisdiction. For any Personal Information of European Data Subjects that we collect and process outside the European Economic Area, we rely on robust data processing agreements containing Standard Contractual Clauses approved by the European Commission or other approved or legal method, and that it is treated securely and in accordance with this Privacy Policy.
Our Services may contain links to other websites that are not owned or controlled by us. We do not endorse, review and we are not responsible for the privacy policies of or content displayed on such other websites. When you click on such a link, you will leave our Services and another entity may collect Personal Information from you. You are responsible for reading and agreeing to the Privacy Policy and Terms of Service of any third-party links accessed through our Services.
The provider’s platform use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
We may update this Privacy Policy to reflect changes to our privacy practices. We encourage you to periodically review this page for the latest information on our privacy practices. If we decide to make material changes to our Privacy Policy, we will notify you and other users by placing a notice on Sproutatwork.com or by sending you a notice to the e-mail address we have on file for you. We may supplement this process by placing notices in our Services and on other Provider websites. You should periodically check Sproutatwork.com and this privacy page for updates.
Please contact our Privacy Officer at privacyhealth@telus.com or 25 York Street, Suite 2100 Toronto, Ontario Canada, M5J 2V5 if:
If you are dissatisfied with our response, you have the option of contacting the appropriate supervisory authority or Privacy Commissioner in your jurisdiction. A list of European Data Protection Supervisors is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
In the United Kingdom, you may contact https://ico.org.uk/make-a-complaint/
In Canada, you may contact https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/file-a-complaint-about-a-business/ or one of the applicable provincial commissioners.