IT'S ELATION INC. AND WELLBEING WORKBENCH™ PRIVACY POLICY

Effective on: May 26, 2023

Last updated on: May 26, 2023

Privacy Summary

OUR CONTACT INFORMATION

It’s Elation, Inc.

Address: P.O. Box 1567

Cody, WY 82414, USA

Phone number: +1 (855) 878-2400

Email address: [email protected]

 

GENERAL INFORMATION
Do we collect Personal Data? YES. Some categories of personal data that we collect include user account information, wellness information in connection with the Wellbeing Workbench survey, and information about your use of our website.

Click here to know which categories of Personal Data we collect and how we obtain them.

Do we collect special categories of Personal Data? YES. The special categories of Personal Data that we collect are a part of the wellness information processed in connection with the Wellbeing Workbench survey. These categories are deidentified or anonymized for research and development purposes.

Click here to know which categories of special Personal Data we collect and how we obtain them.

 

Do we sell or share Personal Data? NO. We do not sell or share Personal Data with third parties other than the service providers we rely on to help provide our services.
TRACKING
Do we use cookies or similar tracking technologies on our websites? YES. Click here to read our cookie policy.
Do we use cookies or similar tracking technologies in our apps? YES. Click here to read our cookie policy.
Do we track your activities on other websites? NO. Click here to read our cookie policy.
PRIVACY RIGHTS
Can you request to receive a copy of the Personal Data we have collected about you? YES. Click here to learn how.
Can you withdraw your consent to our processing of your Personal Data? YES. Click here to learn how.
Can you request to have your data deleted? YES. Click here to learn how.
Can you request not to have your data sold or shared? N/A. We do not sell or share your Personal Data with third parties other than to vendors providing necessary support for our services.
Do we discriminate you for exercising your privacy rights? NO. Click here to learn more about your right not to be discriminated against.
Do we offer you financial incentives for your Personal Data? NO
SECURITY
Do we protect your Personal Data? YES. Click here to learn more about how we protect your Personal Data.
Are we currently being audited by a professional third party? YES. We are currently working with VeraSafe, our data protection consultancy, to assess, improve, and monitor our privacy and security compliance programs.

Introduction

It’s Elation, Inc. (“Elation”, “we”, “us”, “our”) takes the protection of information relating to identified or identifiable individuals (“Personal Data”) very seriously. Please read this privacy policy (the “Policy”) to learn what we are doing with your Personal Data, how we protect it, and what privacy rights you may have under applicable data protection and privacy laws, such as the European Union or United Kingdom General Data Protection Regulations (“GDPR”).

What Is Covered by this Privacy Policy?

This Policy addresses data subjects (which includes both individuals and households) whose Personal Data we may process to provide our customers, who are typically corporate employers (our “Customers”), our products and services, including the Wellbeing Workbench assessment tool (“Wb2”) and our public-facing websites located at https://elation.co and https://wb2.com (our “Websites”) (collectively, the “Services”).

When we provide access to Wb2 to our Customers for use by their employees, we do not decide why or how that Personal Data will be processed. Our Customers use our Services to store and process their own Personal Data. In these cases, we act only as a storage and service provider. We do not decide what Personal Data is being stored, and in general we will only access such Personal Data at our Customer’s request in connection with the Services, Customer support, or account administration matters.

When you give your data to one of our Customers or when we collect your Personal Data on their behalf, our Customer’s privacy policy or notice, rather than this Policy, will apply to our processing of your Personal Data. If you have a direct relationship with one of our Customers, please contact them to exercise your privacy rights.

This Policy also addresses data subjects (which includes both individuals and households) whose Personal Data we:

  • receive from our Customers and process pursuant to providing our Services as well as in the course of providing our Customers consulting and support services;
  • receive directly through our websites, including through accounts created by our users;
  • obtain through communications with consumers;
  • obtain as part of the wellness information processed in connection with Wb2 and deidentify or anonymize for research and development purposes;
  • receive from our business partners; or
  • process to promote our products and services.

What is Not Covered by this Privacy Policy?

Human Resources Personal Data

This Policy does not apply to the Personal Data of employees, job applicants, contractors, or other Elation personnel.

Information Which Does Not Constitute Personal Data

If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, and is not reasonably susceptible to reidentification, such information is not considered Personal Data and this Policy will not apply to our processing of that information.

What Can You Find in this Policy?

This Policy tells you, among other things:

Our Role with Respect to Your Personal Data

There is Personal Data that we process for our own purposes and Personal Data that we process on behalf of our Customers. This means that we do not always have the same degree of decision-making with respect to why and how each piece of Personal Data will be processed.

  • When we collect the Personal Data of visitors to our Website, collect the Personal Data of users of Wb2 and deidentify or anonymize it for research and development purposes, or otherwise process the Personal Data of our prospective and current business contacts for sales and marketing purposes, we decide the purposes and means of processing, and consequently act as a data controller or “business”.
  • When we process the Personal Data of our Customer’s employees who participate in the Services, we process Personal Data as “service providers” or data processors on behalf of our Customers, who use our Services to gauge the wellbeing of their workforces. Where you give your data to one of our Customers or where we collect your Personal Data on their behalf, our Customer’s privacy policy or notice, rather than this Policy, will apply to our processing of your Personal Data. If you have a direct relationship with one of our Customers, please contact them to exercise your privacy rights.

Lawful Bases for Processing Your Personal Data

We must have a valid reason to use your Personal Data (i.e., a “lawful basis for processing”).

When we act as a data controller, we may process your Personal Data on the basis of:

  • your consent;
  • the need to perform a contract with you;
  • our legitimate interests or those of our Customers, such as providing our products and services to our customers, facilitating the provision of those services by our customers to their employees, and deidentifying or anonymizing certain categories of Personal Data for research and development purposes like developing new products and improving our existing offerings;
  • the need to comply with applicable law; or
  • any other ground, as required or permitted by law.

When we rely on legitimate interests as a lawful basis of processing, you have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details provided here.

Where we process your Personal Data based on your consent, you may withdraw it at any time until your Personal Data has been deidentified or anonymized, after which it will no longer be possible to reidentify data derived from your Personal Data. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect the validity of our processing of Personal Data performed on other lawful grounds.

Where we receive your Personal Data as part of providing our Services to you to fulfill a contract, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to provide our Services to you.

Within the scope of this Policy, we may also process Personal Data based on the instructions of our Customers. To learn about their lawful bases for processing your Personal Data, please read the privacy policies or notices of our Customers.

The Personal Data We Process and How We Obtain It

The table below describes the categories of Personal Data we have collected about you in the last twelve months.

Personal Data We Collect, Process, or Store How We Obtain It
Identifiers

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, telephone number, personal or business email address, account name, or other similar identifiers.

Through the account registration process and consumer communications.

 

From account representatives and other vendor and customer personnel.

 

Special categories of Personal Data

Race, ethnicity, age (when revealing or concerning health), gender(when revealing or concerning health), activity patterns used to extract a template or other identifier or identifying information, such as sleep, health, or exercise data, profile reflecting a person's patterns of wellbeing, relative strength of wellbeing influencers, wellbeing trends over time, predispositions, behaviors, capacity for improvement, degree of burnout

Some Personal Data included in this category may overlap with other categories.

Collected from the individuals participant’s employer, who has contracted for use of our Wb2 platform.
Demographic information

Age, race, ethnicity, gender, state/province.

Collected from the individuals participant’s employer, who has contracted for use of our Wb2 platform.
Biometric information

Activity patterns used to extract a template or other identifier or identifying information, such as sleep, health, or exercise data.

Collected from individuals that use our Wb2 platform.
Wb2 Usage Data

Information regarding how consumers interact with the Wb2 tool, specifically time stamps for the completion of questions to identify individuals clicking answers without reading questions and abandoned assessments.

Collected via the Wb2 platform.
Internet or other similar network activity

Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.

Collected via cookies and related tracking technologies, if users opt in.
Professional or employment-related information

Employment, employment history, industries of employments, education, information about your employer (such as the name, address, and contact details of your employer), current or past job history or performance evaluations, job title, information collected pursuant to the Wellbeing Workbench survey such as job satisfaction, workplace habits, and employee interests.

Collected from Customers that use our Services, using public sources such as LinkedIn, and Google searches.

Collected from individuals that use our Wb2 platform.

Inferences drawn from other Personal Data

Profile reflecting a person's patterns of wellbeing, relative strength of wellbeing influencers, wellbeing trends over time, predispositions, behaviors, capacity for improvement, degree of burnout.

Collected from individuals that use our Wb2 platform.

We will not collect additional categories of Personal Data without informing you.

Cookies

A “cookie” is a small file stored on your device that contains information about that device. We may use cookies to provide website functionality, to provide authentication (session management), to obtain usage analytics (web analytics), to remember your settings, and to generally improve our website and Services.

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but have an expiration date. Some of the cookies placed on your device through our Services are first-party cookies which are placed directly by us. Other parties, such as Google, may also set their own third-party cookies. Please refer to the privacy policies of those third parties to learn more about how they collect and process information about you.

If you would prefer not to accept cookies, you can configure the setup of your browser to reject some or all of them. Note, if you reject certain cookies, you may not be able to use all features of our Services. For more information, please visit https://www.aboutcookies.org/.

You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our Services do not have the capability to respond to “Do Not Track” signals received from web browsers.

For more information about our use of cookies, please see our Cookie Policy.

For What Purposes Do We Use Your Personal Data?

We may process your Personal Data for the following purposes:

  • To provide our products and services to our customers;
  • To deidentify and anonymize it, in order to then conduct research and development to devise new products and improve our existing offerings, including refining the methodology employed by Wb2;
  • To fulfill our legal obligations and exercise our legal rights;
  • To send email and other marketing communications; and
  • To respond to customer inquiries and requests.

How Long Do We Keep Your Personal Data?

We will retain your Personal Data for as long as is necessary to fulfil the purpose for which we collected it and any other permissible purposes in compliance with our data retention policies. For example, we will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

Generally, we retain usage data for a shorter period, except when this data is used to strengthen the security or to improve the functionality of our services, or we are legally obligated to retain this data for longer time periods.

If your Personal Data is used for more than one purpose, we will retain it until the purpose with the longest retention period expires; but we will stop using it for the purpose with a shorter retention period once that period expires. Our retention periods are also based on our business needs and good practice.

In cases where we act as a data processor, we retain Personal Data for as long as instructed by the respective Customer (who typically acts as a data controller), unless applicable laws require otherwise.

To Whom Do We Disclose Your Personal Data?

The following table describes, in the last twelve months, the categories of information we have disclosed to third parties for assistance with our processing of your Personal Data or as required by law, and the categories of those third parties.

  Personal Data Disclosed for Assistance With Our Processing of Your Personal Data or as Required by Law?
Category Yes or No Categories of Third Parties Receiving Personal Data
Identifiers YES ●       Infrastructure services providers

●       Internet service providers

●       Cloud service providers

●       Payment processing providers

●       Email service providers

●       Office tools providers

●       Web analytics providers

●       Project management tool providers

Special categories of Personal Data YES ●       Infrastructure services providers

●       Cloud service providers

Demographic information YES ●       Infrastructure services providers

●       Office tools providers

●       Web analytics providers

Biometric information NO N/A
Wb2 Usage Data YES ●       Infrastructure services providers

●       Cloud service providers

●       Payment processing providers

●       Email service providers

●       Web analytics providers

●       Project management tool providers

Internet or similar network activity YES ●       Infrastructure services providers

●       Internet service providers

●       Cloud service providers

●       Payment processing providers

●       Email service providers

●       Office tools providers

●       Web analytics providers

●       Project management tool providers

Professional or employment-related information YES ●       Infrastructure services providers

●       Internet service providers

●       Cloud service providers

●       Email service providers

●       Office tools providers

●       Web analytics providers

●       Project management tool providers

Inferences drawn from other Personal Data YES ●       Infrastructure services providers

●       Cloud service providers

●       Email service providers

If you are located in the European Union or the United Kingdom, it's important to note that these third parties may be located outside of the European Union or the European Economic Area (“EEA”). In some cases, the European Commission may have determined that a country’s data protection laws provide a level of protection equivalent to European Union law. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to personal data. We will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to personal data when there are appropriate safeguards in place. These safeguards may include the Standard Contractual Clauses as approved by the European Commission under Article 46.2 of the GDPR.

When you use the Services, certain third parties may collect Personal Data about your online activities over time and across different websites or online services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.]

Other Disclosures of Your Personal Data

We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it to comply with official investigations or legal proceedings (whether initiated by governmental officials or private parties). If we have to make such a disclosure, then we may not be able to ensure that the recipients of your Personal Data will maintain its privacy and security.

We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring.

We may use, transfer, sell, share, and disclose aggregated, anonymous data for any legal purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.

What Privacy Rights Do You Have?

You have specific rights regarding your Personal Data that we collect and process. In this section, we first describe those rights and then explain how you can exercise those rights. Please note that you can only exercise these rights with respect to Personal Data that we process about you when we act as a data controller or as a “business” under the CCPA. To exercise your rights with respect to your Personal Data processed by us on behalf of one of our Customers, please read the privacy policy or notice of that Customer.

Right to Know What Happens to Your Data

This is called the right to be informed. It means that you have the right to obtain from us information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and whom it will be disclosed to, among other things. We are informing you of how we process your Personal Data with this Policy.

We will always try to inform you about how we process your Personal Data. However, if we do not collect your Personal Data directly from you, then the GDPR exempts us from the obligation to inform you: (i) when doing so would be impossible or unreasonably expensive; (ii) when the gathering and/or transmission of your Personal Data is required by law, or (iii) if the processing of your Personal Data must remain confidential due to professional, statutory, or other confidentiality obligations.

Right to Know What Personal Data Elation Has About You

This is called the right of access. This right allows you to ask whether we process your Personal Data and, where that is the case, to obtain a copy or access to your Personal Data and certain related information.

If we receive and confirm that the right-of-access request came from you or your authorized agent, we will then disclose to you:

    • The categories of your Personal Data that we process;
    • The categories of sources for your Personal Data;
    • Our purposes for processing your Personal Data;
    • Where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period;
    • The categories of third parties to whom we disclose your Personal Data;
    • If we carry out automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
    • The specific pieces of Personal Data we process about you in an easily-sharable format;
    • If we disclosed your Personal Data to third parties for assistance with our processing of your Personal Data or as required by law, the categories of Personal Data and categories of recipients of that Personal Data for disclosure;
    • If we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests; and
    • The appropriate safeguards used to transfer Personal Data from the EEA or the UK to a third country, if applicable.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.

We may be legally prohibited from disclosing certain information, such as Social Security numbers, driver’s license numbers, other government-issued identification numbers, financial account numbers, health insurance or medical identification numbers, account passwords, and security questions and answers. If that is the case, then we will inform you that we have this information but not provide it to you.

Right to Change Your Personal Data

This is called the right to rectification. It gives you the right to ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have on file about you and complete any incomplete Personal Data.

If your account settings do not allow you to change your Personal Data yourself, please contact us and we will do our best to change the Personal Data for you.

Right to Delete Your Personal Data

This is called the right to erasure, right to deletion, or right to be forgotten. This right means that you can ask for your Personal Data to be deleted.

You can delete your Personal Data from your online account by filling out this online form. Also, you can ask for your other Personal Data to be deleted or your online account to be closed by contacting us at [email protected].

There may be situations where, for technical, legal, or other reasons, it is not possible for your Personal Data to be deleted. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.

Right to Ask Us to Limit How We Process Your Personal Data

This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.

Right to Ask Us to Stop Using Your Personal Data

This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your Personal Data for direct marketing purposes.

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

Right to Port or Move Your Personal Data

This is called the right to data portability. It is the right to ask for and receive a portable copy of your Personal Data that you have provided to us or that you have generated by using our Services or website, so that you can:

    • Move it;
    • Copy it;
    • Keep it for yourself; or
    • Transfer it to another organization.

We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy of it in electronic format.

Right Related to Automated Decision-Making

We sometimes use computers to study your Personal Data. We might use this Personal Data so we know how you use our services. For decisions that may seriously impact you, you have the right not to be subject to automatic decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening, and the effect.

To turn off personalized advertising, please change your cookie settings by clicking here.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws permit it, we will not:

    • Deny you goods or services;
    • Charge you different prices or rates for goods or services, including through granting discounts or other benefits or imposing penalties;
    • Provide you a different level or quality of goods or services; or
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

How Can You Exercise Your Privacy Rights?

To exercise any of the rights described above, please submit a request by either:

  1. Calling us at +1 (855) 878-2400;
  2. Contacting us by email at [email protected];
  3. Writing to us at:

It’s Elation, Inc.

Attn: Elation Privacy Team

P.O. Box 1567

Cody, WY 82414

U.S.A.; or

  1. Click and choose from following Privacy Settings, then submit.

How We Protect Your Personal Data

Verification of Your Identity

In order to correctly respond to your privacy rights requests, we need to confirm that YOU made the request. Consequently, we may require additional information to confirm that you are who you say you are.

For requests submitted via password-protected accounts, your identity is already verified. For requests sent by one of the means listed here, we will verify your identity by asking you about information that matches the information that we already have about you.

We will only use the Personal Data you provide us in a request to verify your identity or authority to make the request.

Verification of Authority

If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, a valid power of attorney on behalf of the individual, or proof of parental responsibility or legal guardianship. Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with Elation and confirm with us that they gave you permission to submit this request.

Response Timing and Format of Our Responses

We will confirm the receipt of your request within ten (10) business days, and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, unless we have already granted or denied the request.

Please allow us up to a month to reply to your requests from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason why and the extension period in writing.

If we cannot satisfy a request, we will explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.

We will not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

Privacy of Children

The Services are not directed at, or intended for use by, children under the age of 13.

Data Integrity & Security

We are strongly committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing, which includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction. Some of those measures include encryption, risk assessments, patch management, integrity controls, password and account security, network security, back up and restoration, security incident management, collection limitation, employee training, privilege management, and physical security.

VeraSafe, LLC is currently assessing our data governance and data security (regarding Personal Data processed within the scope of this Policy) for compliance with the Data Security, Data Quality, and Privacy By Default sections of the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data security.

Right to Lodge a Complaint with a Supervisory Authority

If the GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.

Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR.

Changes to this Policy

If we make any material change to this Policy, we will post the revised Notice to this web page. We will also update the “Effective” date.

Contact Us

If you have any questions about this Policy or our processing of your Personal Data, or want to submit a verifiable consumer request, please write to the Elation Administrative Team by email at [email protected] or call at +1 (855) 878-2400 or by postal mail at:

It’s Elation, Inc.

Attn: Elation Privacy Team

P.O. Box 1567

Cody, WY 82414

U.S.A.

For communications unrelated to verifiable consumer requests, please allow up to thirty (30) days for us to reply. For communications related to verifiable consumer requests, please click here for response timing and format of our responses.

Elation Logo on White Circle

Want to learn more?

Please reach out so we can discuss your unique needs and help you begin working toward solutions.

Please enter your name.
Please enter a message.