This FSA Store Inc. Consumer Health Data Privacy Policy (“CHD Policy”) supplements the FSA Store Inc. (“we,” “us,” “our”) Privacy Notice (“Privacy Notice”) and applies to information defined as “consumer health data” (“CHD”) by the Washington state My Health My Data Act (“MHMDA”) and Nevada’s Consumer Health Data Privacy Law (“Nevada CHD Law”) (collectively, “CHD Laws”). Undefined capitalized terms shall have the meanings set forth in the Privacy Notice.
1. Categories of CHD Collected
As described further in our Privacy Notice, and depending on applicable law and your interactions with us, we may collect the following categories of CHD, as broadly defined in the CHD Laws. We collect information about the following based on your interactions with us.
- Individual health conditions, treatment, diseases, or diagnoses (e.g., information about medical treatment such as your purchase of a diabetic care product).
- Social, psychological, behavioral, and medical interventions (e.g., mental health, sobriety, or weight loss treatment you seek from our marketing affiliates).
- Health-related surgeries or procedures (e.g., information that indicates prior or forthcoming surgeries or procedures such as your purchase of a postpartum recovery kit).
- Purchase of prescribed medication (e.g., your purchase of prescription eyeglasses).
- Reproductive or sexual health information (e.g., your purchase of birth control or other contraceptives, prenatal vitamins, or tests for sexually transmitted diseases).
- Data that identifies you as seeking health care services (e.g., information that indicates your plans to undertake certain health treatments or procedures based on your purchase history).
- Other information that may be used to infer, derive, or extrapolate data related to the above or other health information.
You may also provide us with CHD in connection with online tools and mobile apps we provide to help you track and manage expenses associated with your health and flexible savings account(s). As part of those services, you may provide us with receipts, explanation of benefits, or other documents that may reflect the following categories of CHD, for which we will handle in accordance with this CHD Policy:
- Individual health conditions, treatment, diseases, or diagnoses.
- Social, psychological, behavioral, and medical interventions.
- Health-related surgeries or procedures.
- Use or purchase of prescribed medication.
- Bodily functions, vital signs, symptoms, or measurements of health information.
- Diagnoses or diagnostic testing, treatment, or medication.
- Gender-affirming care information.
- Reproductive or sexual health information.
- Biometric data.
- Data that identifies you as seeking health care services.
- Other information that may be used to infer, derive, or extrapolate data related to the above or other health information.
If you choose to provide us with other CHD, for example, when engaging with us via chat features, we will handle it in accordance with this CHD Policy.
2. Sources of CHD
As described further in our Privacy Notice, we collect information that may include CHD from the following sources: (1) directly from you; (2) automatically through your use of our websites and apps; and (3) other sources such as marketing affiliates and your third-party administrator.
3. Purposes for Collection of CHD
We describe the purposes for collection and use of CHD in the “How We Use Your Information” section of our Privacy Notice. As further described there and subject to applicable law, we may collect and use CHD as directed by you or with your consent, or (1) to provide and manage the Services, including to communicate with you; (2) to analyze and improve the Services; (3) for research and development, including to create new products and services; (4) for marketing and advertising purposes; (5) for security purposes and to protect us and others, including by preventing fraud; and (6) for legal purposes, such as to comply with applicable laws or to establish, exercise, or defend our legal rights.
4. How and Why We Disclose CHD
We may disclose each of the categories of CHD described above for business purposes to the categories of entities described in the “How We Disclose Your Information” section of our Privacy Notice. As further described in our Privacy Notice and subject to applicable law, we may disclose the categories of CHD:
- To provide and manage the Services;
- To engage in research, development, analytics, marketing, and advertising;
- To enable our vendors to provide us with services that allow us to operate our Services, such as data storage, billing, marketing, analytics, and customer service;
- With your consent, such as disclosures for certain advertising efforts, including allowing third parties to collect CHD across our Services;
- To protect us and others, including to enforce our Terms of Use, Privacy Notice, or other contracts with you, and for fraud prevention;
- To comply with our legal obligations; and
- In connection with any negotiation or completed acquisition, merger, or purchase involving our business assets.
As described in our Privacy Notice, we reserve the right to create aggregate/de-identified data from the information we collect through the Services and our disclosure of such aggregate/de-identified data is in our discretion.
As further described in our Privacy Notice, and subject to applicable law (e.g. subject to your consent in certain situations), we may disclose CHD to the following categories of third parties:
- Vendors and service providers;
- Other entities that provide you with services (e.g., providers of health-related services linked on our website that you interact with);
- Advertising networks (if we receive consent);
- For the protection of us and others (e.g., to governmental or regulatory agencies);
- For legal purposes (e.g., to governmental entities in response to legal process);
- As necessary for business transfers; and
- At your direction or with your consent.
5. How to Exercise Your Rights Under CHD Laws
Depending on your jurisdiction and subject to exceptions, the CHD Laws extend certain rights regarding CHD, which may include the right to request to (1) confirm whether we are collecting, sharing or selling your CHD; (2) access your CHD; (3) delete your CHD; (4) correct your CHD; and (5) withdraw your consent to the collection or sharing of your CHD.
You can seek to exercise these rights by emailing us at [email protected]. Depending on the nature of your request, we may request further information if appropriate to authenticate your identity.
If we deny your request in whole or in part, you may appeal that decision by emailing us at [email protected]. If you are a resident of Washington and your appeal is denied, you can contact the Washington State Attorney General at www.atg.wa.gov/file-complaint. If you are a resident of Nevada and your appeal is denied, you can contact the Nevada Attorney General at https://ag.nv.gov/Complaints/File_Complaint/.
6. Contact Us; Updates to this CHD Policy
You can contact us about this CHD Policy by emailing us at [email protected].
This CHD Policy is effective as of the date of the “Last Updated” date above. We may update this CHD Policy from time to time, so we encourage you to review it periodically. By continuing to use our services after an update to this CHD Policy, you agree that we will handle your CHD in accordance with the updated CHD Policy. We will update the “Last Updated” date above if we make an update to this CHD Policy, and otherwise notify you if required by applicable law.