WebMD Health Services Group, Inc.

Privacy Policy

Your Sponsor (which could be your employer, group health plan, insurer, or a third-party) contracts with WebMD Health Services Group, Inc. for tools and services to help you manage your health. We refer to this wellness website and the tools and services provided by WebMD Health Services Group, Inc. collectively as the “WebMD Services.”

In this Privacy Policy, “we,” “our,” and “WebMD” refer to WebMD Health Services Group, Inc. and any company that WebMD Health Services Group, Inc. owns or controls. We do not operate, own, or control the website www.webmd.com. That website is run by WebMD LLC, which is an affiliate of WebMD Health Services Group but is not owned or controlled by it. WebMD Health Services Group may share information with companies that it owns or controls, and your information will remain protected under the terms of this Privacy Policy.

This Privacy Policy explains how WebMD collects, receives, uses, stores, shares, transfers, and processes your personal information as well as your rights in determining what we do with the information that we collect or hold about you. We know that keeping your personal information secure is very important to you. Please read this Privacy Policy before you use the WebMD Services. Use of the WebMD Services, as well as indicating your consent on this website’s initial registration page, signifies your acceptance of the terms of this Privacy Policy. If you do not accept the terms of this Privacy Policy, do not use the WebMD Services.

This Privacy Policy is not the same as your health plan’s Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Notice of Privacy Practices, which describes in detail how your health plan uses and discloses your individually identifiable health information. To learn more, see “Your Health Plan’s Notice of Privacy Practices” below.

How to Contact Us
WebMD Health Services Group, Inc.
Attn: Privacy Office
9229 Delegates Row, Suite 400
Indianapolis, IN 46240
privacy@webmd.com

Your Choices

• You decide whether to use the WebMD Services.
• When you establish an account, you will be asked to consent to the information practices described in this Privacy Policy.
• Before making any material changes to this Privacy Policy, we will ask for your consent.
• You may access, correct, and delete your personal information directly through the WebMD Services.
• We retain personal information in your WebMD account for as long as your WebMD account is open. Once we have been notified by your Sponsor that you are no longer eligible to use the WebMD Services, or if you otherwise write to us to have your account deleted, your account will be closed and the personal information in your WebMD account will be removed from WebMD’s database and backup files in accordance with our data destruction policy and the terms of our agreement with your Sponsor.
• You may close your account and delete your personal information at any time.

Our Commitment to Your Privacy

WebMD respects and safeguards the privacy of everyone who uses the WebMD Services. Here is a brief summary of our privacy practices:

• We collect information directly from you when you register an account or use our tools or services.
• We collect information about how you use our tools and services. We may use cookies or other tracking methods to do this. You can stop the collection of some information by turning off your browser’s cookies, but this may keep some of our tools and services from working as they were designed to work.
• We may collect location information when you use our apps, but only with your consent. You can stop this by not giving consent or by turning off location services on your device.
• We collect information that your Sponsor gives us.
• Our website does not contain advertisements and we do not share your personal information with any advertisers.
• We use the information that we collect to manage your account, give you relevant health information, give your Sponsor statistics and aggregate reports, and improve our tools and services.
• We will not use or share your personal information unless you allow us to, except as stated in this Privacy Policy or as directed by your Sponsor in accordance with your health plan’s Notice of Privacy Practices.
• We may share your information with service providers, third parties as directed by you or your Sponsor, in response to legal requests that we deem valid, in special circumstances, or in the event of a corporate restructure.
• We use reasonable security measures to protect your personal information.

Information Covered by This Privacy Policy

This Privacy Policy applies to information about you that WebMD collects and stores in relation to your use of the WebMD Services. This information may include:

• personal information, which is any information relating to you that identifies you or, combined with other information, allows you to be identified; and
• aggregate information, which is information about a group of individuals that does not identify any particular individual or allow any particular individual to be identified.

This Privacy Policy does not govern how other entities use your information. This includes third-party websites that you may get to by clicking on links on the WebMD Services. We recommend that you review the privacy policy of each third-party website you visit.

Personal Information We Collect

We collect personal information about you from your Sponsor, from third-party vendors working for your Sponsor, or directly from you when you use the WebMD Services.

Personal information collected from, or provided to us by, your Sponsor includes basic demographic information such as your name, email address, and your work location.

Personal information collected directly from you includes:

• information that you give us when you set up an account on the WebMD Services (this includes your name, email address, and date of birth) and your account information, including passwords and answers to security questions;
• information about your health and behavior that you give us when you use WebMD Services, such as health trackers or a health assessment; and
• other information that your Sponsor has requested, such as social security numbers and trade union membership.

You may choose not to give such information, but you would be limiting the usefulness of the WebMD Services. Further, if you choose not to give certain information, your Sponsor may make you ineligible for certain incentives. Ask your Sponsor if you have questions about its incentive programs.

Your Sponsor may direct third-party vendors that provide services (such as pharmacy benefits and biometric screening) on its behalf to send your personal information to us.

Other Information Collected When You Use Our Services

Information collected indirectly from you includes information about your usage of the WebMD Services, including information about how you navigate this website, which health topics you inquire about, and which tools you use. To collect this type of information we use cookies, web beacons, and other web trackers. Cookies are small text files that are stored on your browser when you visit a website that can be recognized during future visits to the website. Similarly, a web beacon, pixel tag, or clear GIF is a small bit of code embedded on a web page or in an email.

WebMD and its service providers use cookies and similar technologies to:

• dynamically generate content on web pages or in newsletters;
• statistically monitor how many people are using this website;
• determine how many people open our emails;
• determine the popularity of certain content; and
• facilitate your login and serve as navigation aids and session timers.

We never use cookies or similar trackers for advertising. You can turn off cookies in your browser settings, but doing so may negatively impact the functionality of the WebMD Services. This website does not respond to web browser “Do Not Track” signals.

We do not track your use of the WebMD services for advertising.

Mobile Device Applications

We offer some services through mobile apps. As with all of our other tools and services, you must set up an account to use apps. We collect information when you use an app. This can include the number of times that you use the app and the information you submit via the app. We may also collect information about the device on which you use the app. This includes the device’s maker, type, and software. To install one of our apps on your device, we’ll give you a unique code to access the app and to enable certain features. Our apps may ask you to allow location functions (i.e., GPS). You don’t have to give your location. If you don’t consent, some apps may not work as they were designed to work. You can stop our apps from providing location information about you by changing the location settings on your mobile device.

The information we collect when you use our apps is governed by this Privacy Policy.

Why We Collect and How We Use Your Information

Personal information provided by your Sponsor is needed to:

• authenticate you as a legitimate user of the WebMD Services;
• establish log-in credentials to provide you with secure access to your information;
• provide demographic data required by some WebMD Services; and
• provide your Sponsors with reports of aggregate information (see the Disclosures to Your Sponsor section below).

Personal information collected directly from you is needed to:

• establish and control access to your WebMD account;
• allow you to track your health information and health-related behavior;
• provide personalized content, advice, and recommendations that are relevant to you and your health needs; for example, we:
    • allow you to track your health and behaviors,
    • give you personalized health assessments,
    • send you health alerts or other health-related messages, and
    • send you messages about your account;
• produce the report of statistics and aggregate information mentioned above;
• respond to questions or comments that you send to us;
• allow you to communicate with others in online health topic communities;
• communicate with you as required by law, in connection with our services and as otherwise permitted by you or your Sponsor; and
• find out how our services are being used to help us improve and know which tools users find most helpful.

Personal information collected indirectly from you is needed to assess and improve how users of the WebMD Services navigate and utilize the website.

Disclosures to Your Sponsor

We may disclose information about you to your Sponsor or to any third party: (a) as instructed by your Sponsor, (b) as described in the Notice of Privacy Practices that your Sponsor gave you, and (c) in accordance with applicable laws and regulations.

We do provide your Sponsor with a number of reports on an aggregate and anonymous basis. Your Sponsor uses these aggregate reports to better understand and assess the health needs and concerns of its employee population, and to consider development of programs to address these needs and concerns. For example, your Sponsor might learn that there is significant interest in stopping smoking amongst employees in a particular geographic region and then introduce smoking cessation programs in that region.

WebMD may tell your Sponsor if you have registered with WebMD, if you have taken a health assessment, or if you’ve signed up for WebMD programs offered by your Sponsor. We will do so to help your Sponsor manage incentives and analyze registration rates. WebMD will not share your personal information (such as the answers you give to the health assessment) in a manner that can be used to identify you with your Sponsor.

Disclosures to Other Third Parties

WebMD may give your personal information to third-party vendors that provide us services, including analytics, security, and marketing. Additionally, at the direction of your Sponsor, WebMD may give your personal information to third-party vendors that provide services for your Sponsor. For example, if your Sponsor provides an incentive program that is managed by a vendor (e.g., for completing a health assessment), then we may share your name, contact information, and eligibility with the vendor so that you can get your incentive. In any case, these third-party vendors are authorized only to process that information as necessary and as directed by us or your Sponsor, respectively.

We may also give your personal information to other third parties under special circumstances such as:

• a court order, search warrant, subpoena, or other legal purpose that we deem to be valid;
• to protect our rights, your rights, or the rights of others; and
• a corporate transaction that results in a transfer of the assets or line of business that holds your information.

Should any of these events occur, WebMD will attempt to notify you through the email address you provided us, unless doing so would violate a law or court order.

How We Safeguard Your Information

We use reasonable technical, administrative, and physical safeguards to protect your information from loss, misuse, and unauthorized access and changes. All personal information you provide through the use of the WebMD Services is secured in transmission using encryption and passwords. We also use industry-standard encryption and hash algorithms in storing your personal information within our databases and in back-up files. We use firewalls and monitoring software to provide real-time protection for our servers, which are locked down using standard physical measures. We store identical information on servers at two separate locations to provide continuity of service.

We limit access to your information to help ensure that only you, our authorized personnel, and other authorized third parties can access your information as described in this Privacy Policy. All WebMD personnel are required to complete privacy and security training on a regular and refresher basis and are subject to disciplinary action for violating WebMD’s information security policies.

No information system is 100% secure, and we can’t guarantee that your information will be protected against all security threats.

Storage of Your Information

The personal information you provide when using the WebMD Services is stored and maintained on servers owned by WebMD in data centers located in the United States.

Your Access and Correction Rights

When you log in to this website, you can view, change, and delete personal information that you have entered on this website.

Your Sponsor may choose to include information about your health (such as your lab results, medications, or conditions) in your account. You can view this information on the WebMD Services. You can stop this information from being shown on your screen when you log on, but you can’t delete information that your Sponsor gives us.

Also, your rights to view, correct, or change your personal information that are set forth in your health plan’s Notice of Privacy Practices may apply to some or all of the information that we collect. Please read that notice so you know your rights and how to act on them.

Your Account Deletion Rights

You may close your WebMD account and remove personal information from your account. To do this, you can either:

• go to the “Account Deletion” tab under “Settings” on this website’s home page and follow the on-screen instructions to delete your account; or
• send a signed statement with your name, address, email address, and birth date that directs WebMD to close your account and remove your personal information, to the address below.

If you want to write to us to have your account deleted, or to make changes to your information, send it to:

WebMD Health Services Group, Inc.
Attn: Privacy Office
9229 Delegates Row, Suite 400
Indianapolis, IN 46240
privacy@webmd.com

or by submitting a request through the “Feedback” option at the bottom of the log-in page.

If you delete your account and personal information, your Sponsor may decide that you are not eligible for incentives and your account access, gained through your Sponsor, will end immediately.

If You Separate from Your Sponsor or Your Account Is Cancelled

Certain events may cause you to lose access to your WebMD account. For example, you may change jobs or health plans, or the contract between WebMD and your Sponsor may end. When we know that you no longer have access, WebMD will shut down your account and your personal information will be removed in keeping with our data destruction schedule. You may be able to access your information after your account is shut down if your Sponsor has allowed portable personal health records. If you think that your account has been disabled in error, please contact WebMD at:

WebMD Health Services Group, Inc.
Attn: Privacy Office
9229 Delegates Row, Suite 400
Indianapolis, IN 46240
privacy@webmd.com

or by submitting a request through the “Feedback” option at the bottom of the log-in page.

The WebMD Services Are Intended for Adults

All WebMD services are for adults who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. However, parents and guardians may set up accounts for minors in their care. Parents and guardians are solely responsible for accessing and maintaining data on behalf of their minors. Parents and guardians are fully responsible for securing usernames, passwords, and other login information and for the accuracy of information. Parents and guardians are also fully responsible for interpreting any advice their minors receive.

Questions or Complaints

We will respond to your questions or complaints about how WebMD handles your personal information. Questions or complaints regarding this Privacy Policy or WebMD’s handling of your personal information should be directed to:

WebMD Health Services Group, Inc.
Attn: Privacy Office
9229 Delegates Row, Suite 400
Indianapolis, IN 46240
privacy@webmd.com

California Privacy Rights

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. For more information relevant to our users who are California residents, please read our Supplemental Privacy Notice for California Residents.

Note to Users Outside of the United States

WebMD stores all information on servers owned and maintained by WebMD in data centers in the United States. In order to provide the WebMD Services to you, we must transfer your personal information to the United States where it will be stored and processed in accordance with this Privacy Policy. 

Canadian Privacy Rights

Cross-Border Transfer. The collection, use and disclosure of your personal information through the WebMD Services is governed by applicable Canadian laws and is also subject to US privacy laws.  WebMD may transfer your personal information outside Canada to its affiliates or third-party service providers with operations in other countries, which are subject to laws of a foreign jurisdiction. WebMD transfers and stores personal information on WebMD servers in the US. By accepting this Privacy Policy, using the WebMD Services or providing us with your personal information you acknowledge and consent to your personal information being processed by third parties on WebMD’s behalf and transferred, accessed and/or stored in countries outside Canada.

Canada Anti-Spam Law. In accordance with Canadian Anti-Spam laws, we obtain your consent in order to send you commercial electronic messages. You may subscribe or unsubscribe to receive marketing communications from us, such as announcements of new features. We do not share email addresses or other contact information with third parties without your permission.  

Consent for WebMD Services. WebMD will seek your specific consent for the collection, use or disclosure of personal information in connection with WebMD Services that involve the provision of health care or wellness services. The purposes for which this information is collected, used or disclosed are set out at the time of collection.

Withdrawal of Consent, Access and Correction. You may withdraw your consent for the collection, use or disclosure of Personal Information at any time by notifying privacy@webmd.com; however, such withdrawal shall not have retroactive effect. You may also make a request to access or correct your Personal Information by making a request in writing.

Personal Data Privacy Notice under Mexican Law

Privacy Notice. This privacy policy constitutes the personal data privacy notice (the “Privacy Notice”) required under the Federal Protection Law of Personal Data in Possession of Private Parties and its Regulations of the United Mexican States (collectively, the “Mexican Privacy Law”). In compliance with Mexican Privacy Law, this Privacy Notice sets forth above (i) what Personal Information we collect from you, (ii) how we collect your Personal Information, (iii) how we use your Personal Information and (iv) how we share your Personal Information with third parties.

Consent. Pursuant to Mexican Privacy Law, you hereby agree and grant your express consent for WebMD to use your Personal Information in accordance with the terms and conditions of this Privacy Notice, unless you oppose such use.  At any time you may revoke your consent in writing as hereinafter set forth below in the paragraph “ARCO Rights”.

Security of your Personal Information. This Privacy Notice sets forth above the administrative, technical and physical security measures that we have implemented to protect your Personal Information from unauthorized access or disclosure and improper use. Compliance of such measures shall be likewise requested from any third parties with whom we share your Personal Information.

ARCO Rights. As holder of the Personal Information, you may exercise your rights of access, rectification, cancellation and opposition to the use of your Personal Information (“ARCO Rights”) provided by Mexican Privacy Law, or your right to revoke your consent granted to WebMD for the use of your Personal Information by contacting us as set forth below.

For such purposes, you shall provide the following: (a) name and address or other means to give you a response to your request; (b) your identification documents or, if applicable, legal representation documents; (c) a clear and precise description of the Personal Information with respect of which you wish to exercise any of the ARCO Rights; (d) your express revocation of your consent, if applicable, to the use of your Personal Information and, therefore, to stop using the same; and (e) any other element which may facilitate the identification of the Personal Information.

Australian Privacy Rights

Australian Privacy Act. The Australian Privacy Act 1968 (for the purposes of this section, the “Privacy Act”) provides Australian citizens with certain rights regarding their personal information. This section contains additional information about WebMD’s collection, use and disclosure of Australian users’ information through the WebMD Services.

Definition of Personal Information: For Australian users of the WebMD Services, personal information has the meaning set out in the Privacy Act, which at a high level includes any information or opinion about an individual who is reasonably identifiable.

Accuracy of Personal Information: We try to maintain your personal information as accurately as reasonably possible. We rely on the accuracy of personal information as provided to us both directly (from you) and indirectly. We encourage you to contact us if you become aware that any personal information we hold about you is incorrect and to notify us of a change in your personal information. Our contact details are set out in the section of this Privacy Policy titled “How to Contact Us”.

Complaints: If you have any questions, comments or complaints about our collection, use or disclosure of personal information, or if you believe that we have not complied with this Privacy Policy or the Privacy Act, please contact us (WebMD’s contact details are set out in the section of this Privacy Policy titled “How to Contact Us”).  We will take any privacy complaint seriously and any complaint will be assessed with the aim of resolving any issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information that we may need. 

If you are not satisfied with the outcome of our assessment of your complaint, you may wish to contact the Office of the Australian Information Commissioner.

Overseas disclosure of Personal Information: WebMD may disclose Personal Information outside of Australia to our related bodies corporate, service providers and other third parties including those located in the United States. 

Note to Users in the European Economic Area (EEA) and UK

General Data Protection Regulation

The EU General Data Protection Regulation and UK General Data Protection Regulation (together the “GDPR”) require certain information to be provided to data subjects located in the EEA and the UK, and grant them certain rights regarding their personal data. This section applies solely to the processing activities that are governed by the GDPR.

Data Controller and EEA Representative

When you access the WebMD Services, your Sponsor and WebMD are separate controllers of certain processing activities related to your personal data. WebMD has appointed Aptus Health International France SAS as its representative in the EEA. WebMD’s Data Protection Officer can be contacted at privacy@webmd.com. This Privacy Policy describes how WebMD processes your personal data.

Legal Bases for Processing

We may process your personal data in order to perform a contract with you (e.g., to deliver the WebMD Services you have requested) or in order to take certain steps prior to entering into such contract. For example, we may process your personal data in the following instances:

● In order to provide you with the WebMD Services, you will need to create an account with WebMD and we will need to verify you as the account owner.
● As part of the WebMD Services, we may need to contact you in order to provide you with information about your account or other health management and wellbeing program services.
● As part of the WebMD Services, we may provide personalized services and more relevant content to you, based on the information you provide to us and on the information that we collect as part of your use of the WebMD Services.
● As part of the WebMD Services, we may provide you with information for general service and transactional purposes, such as answering your questions, administering your account, responding to your complaints, and processing your data subject rights requests.
● We may offer health management and wellbeing programs as part of the WebMD Services, and in order for you to participate in these programs, we may receive certain types of data from third-party service providers engaged by us or your Sponsor. These service providers may include entities that offer biometric screenings or flu shot services.

We may also process your personal data based on our legitimate interests or on the legitimate interests of third parties, such as your Sponsor, provided that such processing shall not outweigh your rights and freedoms. For example, we may process your personal data in order to:

● Keep the WebMD Services safe and secure;
● Comply with laws and regulations that apply to us;
● Manage corporate transactions, such as mergers or acquisitions; and
● Understand and improve the WebMD Services.

Finally, we may process your personal data when you have given us your explicit consent to such processing, particularly:

● The sensitive personal data you provide to us; and
● When you consent to receiving newsletters, marketing materials, and other promotional offers from us.

Where we rely on your consent to process your personal data, you have the right to decline consent or withdraw your consent at any time. Where we rely on our legitimate interests to process your personal data, you have the right to object.

Transfers of Personal Data Outside of the EEA and the UK

WebMD, the controller of your personal data, is located in the United States. Accordingly, your personal data is processed by WebMD in the United States.

WebMD may also transfer your personal data to third-party service providers to help us provide the WebMD Services to you. Personal data may be stored and processed in any country where WebMD has engaged service providers. If you are located in the EEA or in the UK, please note that your personal data may be transferred to the United States or another country that may not be considered to have the same level of data protection as the countries in the EEA or the UK. However, please note that we have implemented appropriate safeguards by entering into standard contractual clauses with any service provider located outside the EEA and the UK.

Retention of Personal Data

WebMD will retain your personal data up to ninety (90) days after your account deactivation. Thereafter, the data will be archived in order to comply with applicable law or regulation that you, WebMD, or your Sponsor may be subject to, such as HIPAA, or the data will be fully anonymized.

Your Rights to Your Personal Data

Under the GDPR, and in certain circumstances, you may ask to access, rectify, erase, restrict, or port your personal data, as well as object to the use of your personal data. To exercise these rights, or if you have any questions or comments regarding your personal data, please contact us at privacy@webmd.com.

When we process your personal data based on your consent, you have the right to withdraw your consent, at any time, without affecting the lawfulness of such processing before your withdrawal. To withdraw your consent, please submit a written request to privacy@webmd.com.

For processing necessary to perform the contract, or based on our legitimate interests, we may be unable to accommodate any requests to cease such processing; or if we do accommodate such requests, you may lose access to the WebMD Services.

If you believe that we have not complied with our obligations under this Privacy Policy or the GDPR, you have the right to complain to your local data protection authority.

Do You Need to Provide Personal Data?

We need to process your personal data in order to provide you with the WebMD Services. If you do not want to provide any personal data, you may not enjoy all or part of the WebMD Services.

Automated Decision-Making

WebMD does not make automated decisions that create legal effects or otherwise significantly affect you.

Our Safeguards and Security Measures

We have implemented technology and security measures to protect your personal data from unauthorized access, disclosure, improper use, alteration, unlawful or accidental destruction, and accidental loss. For more information, please refer to the How We Safeguard Your Information section above.

By using the WebMD Services or providing personal information to us, you acknowledge that we may communicate with you electronically about any security, privacy, or administrative issues relating to your use of the WebMD Services. If you have any reason to believe that your interaction with us is no longer secure, please contact us immediately at privacy@webmd.com.

Your Health Plan’s Notice of Privacy Practices

You should know that your health plan has a Notice of Privacy Practices, which includes policies for use and disclosure of your information, including information that you provide to WebMD. This is managed by your health plan, not by WebMD, so we aren’t able to let you know of changes or updates. If you would like to read a copy of your health plan’s Notice of Privacy Practices, please ask your Sponsor or your plan for a copy.

Changes to This Privacy Policy

We may change parts of this Privacy Policy from time to time. Changes take effect at the time they are posted unless otherwise noted. You will be required to opt in to the new policy when you log back in after any material changes. We will update the date at the end of this Privacy Policy if we make any changes.

You should regularly review this Privacy Policy at https://www.webmdhealth.com/main/policy/display.aspx?policytype=privacy.

The date of any change, along with a brief description of the change, will be posted at the bottom of the Privacy Policy.

Issue date: December 23, 2021

December 23rd, 2021: Added Privacy Rights for Canada, Mexico, and Australia. Edited language for disclosures to sponsors.

April 28, 2021: Amended the policy to remove provisions relating to the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks. Further updated the policy to clarify processing that is subject to the GDPR.

January 9, 2020: Amended the policy to include a reference to the Supplemental Privacy Notice for California residents.

March 6, 2019: Minor adjustments made to the policy to clarify processing in accordance with the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks.

February 25, 2019: Amended the policy to clarify the entity processing personal information and added legal bases for processing in accordance with the EU General Data Protection Regulation.

May 25, 2018: Minor adjustments made to the policy to reflect changes in the access technology made available to users and to clarify both information-handling practices and compliance with the EU General Data Protection Regulation.

January 18, 2018: Removed references to Safe Harbor.

July 1, 2017: Amended the policy to incorporate the additional privacy protections of the Swiss-U.S. Privacy Shield framework.

October 2016: Amended the policy to incorporate the additional privacy protections of the EU-U.S. Privacy Shield framework.

March 2013: Added Section XV. Safe Harbor Supplement for European Users.