When you interact with our Services, you may choose to provide personal health information, or we may receive health information about you from or on behalf of health care providers and related healthcare specialists, professionals, or organizations (“Providers”). We are committed to maintaining the confidentiality of your personal health information, and under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the General Data Protection Regulation ("GDPR"), we must take measures to protect the privacy of the protected health information (“PHI”) that we receive from Providers. HIPAA and GDPR provide specific protections for the privacy and security of PHI and restricts how PHI is used and disclosed. We may only use and disclose your PHI in compliance with HIPAA, GDPR and the agreements that we have in place with Providers and others.
The GDPR divides organizations processing personal information into two categories: controllers and processors.
If you live in the EEA or the UK, we may act as either a controller or a processor of your personal information:
If you are a logged-in user of Level’s Services, Level Benefits, Inc. is your service provider. If you are otherwise accessing Level’s website or engaging with Level in a marketing capacity, Level Insurance Agency LLC is providing the Services.
We set out further information about how we use your personal information below.
Information You Provide. We collect the content and other information you provide when you use our Services, including information like your name, email address, date of birth, medical information, or social security number, or document uploads like receipts, when you submit them to us. Certain information may be required to register with us or to take advantage of some of our features. To the extent that you disclose to us any personal information of another individual, you represent that you have obtained such individual’s consent for the disclosure of such personal information, as well as the processing of the same in accordance with this Policy. You may also choose to provide feedback on our Services or contact us for support, and we will keep a record of that communication.
Information Provided About You. If you are a Member, we may receive information about you from Providers, your employer, or other third parties involved in providing the Services to you. We maintain claims information, information about prior authorizations that you requested and any other information needed to provide you with the healthcare services that you need. We also receive information about everyone using our Services, and their online activities on and off our websites and apps, from third-party partners, such as analytics from Google.
Failure to provide data. Where we need to collect personal information by law, or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you.
Below, we describe how we use the information we collect about you. If you are located in the EEA or the UK, we also provide the lawful basis under the GDPR for using your personal information in this way where we act as controller.
How we use information we collect:
Provision of the Services. We use the information we collect to provide, maintain, and protect and improve the Services, to develop new ones, and to protect Level and our users. We may also use this information to better provide our Services to you, such as showing relevant Provider options.
Lawful basis (EEA and UK): Necessary for our legitimate interests (to generate revenue from the Services)
Services Improvement. We use your information for business analytics (to improve the Services) and product development (to develop new Services).
Lawful basis (EEA and UK): Necessary for our legitimate interests (to improve the Services we offer to users)
Contact. We use your information to send you marketing communications, communicate with you about your use of our Services and let you know about our policies and terms. We also use your information to respond to you when you contact us. If you do not want to receive communications from us, please indicate your preference by contacting us at firstname.lastname@example.org.
Lawful basis (EEA and UK): Legitimate interests (to keep you informed about Services)
Marketing. We may use your information to send you marketing communications about our Services unless you have opted out of receiving this marketing communications from us.
Lawful basis (EEA and UK): Necessary for our legitimate interests (to grow our business)
Cookies and Other Similar Technologies. We use information collected from cookies and other similar technologies, like pixel tags, to deliver our Services and improve your user experience and the overall quality of our Services.
Lawful basis (EEA and UK):
Security. We take reasonable measures, including administrative, technical, and physical safeguards, to (i) protect your information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction; and (ii) detect and prevent fraud, waste and abuse. This may require us to process your personal information. Nevertheless, the internet is not a 100% secure environment, and we cannot guarantee absolute security of the transmission or storage of your information
Lawful basis (EEA and UK): Legitimate interests (to offer secure services).
Legal Requirements. We may need to use your personal information to comply with legal obligations to which we are subject, including regulatory, tax, accounting or reporting requirements.
Lawful basis (EEA and UK): Compliance with a legal obligation
To Provide the Services. You may choose to use our Services to interact with people or organizations other than Level (“Third Parties”), such as Providers or Members. We will share information about you with these Third Parties, but only to the extent reasonably necessary to provide the Services.
With Your Consent. We may request your consent to share personal information about you with additional Third Parties. In some cases, we may request additional consent from you if we think that there is other information that will help us better coordinate your care or better personalize the Services to fit your needs.
Law & Order. We may disclose your information to Third Parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Level or our users; or (d) protect Level's property rights.
Aggregated and Non-Personal Information. We may also share with Third Parties information in a manner that has been de-identified or anonymized in accordance with applicable laws.
We will only retain your personal information for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the Services we are providing, the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
We process and transfer personal information outside of the EEA and the UK, including to countries that have not been deemed to provide an equivalent level of protection for personal information as is provide in the EEA and the UK. If you are located in the EEA or the UK, we would like to reassure you that whenever we do so, we ensure that a similar degree of protection is afforded to your personal information. We do this using contracts specifically drafted and approved to give your personal information the same protection it has in the EEA or the UK.
Account Settings. Through your account settings, you may access, and, in some cases, edit or delete certain profile information you’ve provided to us. When you update information, however, we may maintain a copy of the unrevised information in our records. The information you can view, update, and delete may change as the Services change.
Deletion. You may request deletion of your account by contacting us. Some information may remain in our records after your deletion of that information from your account. We may use any aggregated data derived from or incorporating your Personal Information after you update or delete it, but not in a manner that would identify you personally and only as permitted by law.
Opt-Out. We only share your Nonpublic Personal Information as described herein. We do not share your Nonpublic Personal Information with other parties for their independent marketing purposes. You may request that we limit some of the sharing of your Nonpublic Personal Information to certain third parties or affiliates by sending a written request to email@example.com or by mail to Level Privacy, P.O. Box 1461, New York, NY 10013. For purposes of this section, Nonpublic Personal Information means information that identifies you and is not available to the public.
If you are located in the EEA or the UK, you have the following additional rights:
Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes.
Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios:
Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Where we act as a processor on behalf of your employer, we may need to cooperate with your employer in responding to your request to exercise your rights. Alternatively, your employer may choose to handle your request itself.
If you have questions or concerns about Level, our Services and privacy, contact us at firstname.lastname@example.org.
VeraSafe has been appointed as Level's representative for data protection matters in the European Union and United Kingdom. VeraSafe can be contacted on matters related to the processing of personal data using this contact form (available at verasafe.com/public-resources/contact-data-protection-representative). Alternatively, Verisafe may be contacted using the information below.
You have the right to make a complaint at any time to your data protection authority. We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority so please contact us in the first instance.
Last Updated: March 30, 2022