CASTLIGHT COMPANIES UNIFIED MISSION CONTROL PRIVACY STATEMENT

LAST UPDATED NOVEMBER 25, 2020

Castlight Health, Inc. ("Castlight") and its wholly owned subsidiary Jiff, Inc. ("Jiff") (collectively "Castlight Companies" or "We") value our relationship with you and respect your privacy. This Privacy Statement ("Privacy Statement") covers your use of https://missioncontrol.castlighthealth.com/ (including its subpages) (the "Unified Mission Control Service").

We prepared this Privacy Statement to help you better understand how we collect, use, store, process, and transfer your "Personal Information" (i.e. any data that can be used on its own or with other information to identify you) when you use the Unified Mission Control Service.

If you do not agree with or are not comfortable with this Privacy Statement, you should immediately discontinue use of the Unified Mission Control Service. This Privacy Statement does not apply when you leave the Unified Mission Control Service and go to a third-party website. If we make any material adverse changes to this Privacy Statement, we will notify you as required under the applicable law.

If you have questions or concerns regarding this Privacy Statement, please contact us at privacy@castlighthealth.com, and advise that you are a United Mission Control Service user.

1. Information Collected

   The Castlight Companies may collect your Personal Information at several points in the Unified Mission Control Service.

   • Registration. We require the collection of your Personal Information as part of the registration process for the Unified Mission Control Service (for example, name, employer and email address). In most cases, you will be asked to enter this contact information directly. In other cases, that information may be pre-filled if we have already received such information.
   • Log Files. The Castlight Companies collect and store the Internet Protocol (IP) address of the computer you are using, the name of the domain and host from which you access the Internet, the browser software you use and your operating system; the date and time you access the service, and the Internet address of the website from which you directly linked to us. The Castlight Companies use this log file information to analyze trends, administer the service, and monitor service traffic and usage patterns for internal security purposes and to help make the Unified Mission Control Service more useful.
   • Activity. The Castlight Companies also collect and store usage activity of Unified Mission Control Service users. This may include, but is not limited to, activity relating to visits, communications, reports viewed, and account management.
2. Use of Your Information

   In addition to the uses of information outlined in Section A, we may also use your information for the following purposes:

   • To Provide Our Unified Mission Control Service. We may process your information to provide you with the Unified Mission Control Service you request, for account administration purposes, to diagnose or troubleshoot problems, administer the Unified Mission Control Service, to update you on the Unified Mission Control Service and the benefits of Castlight Companies' other services, and to detect and protect against error. We cannot provide you with Unified Mission Control Unified Mission Control Service without processing your Personal Information.
   • To Ensure the Security of the Unified Mission Control Service. We are committed to ensuring your safety and continued enjoyment of the Unified Mission Control Service. To do so, We may process your Personal Information to: combat spam, malware, malicious activities or security risks; improve and enforce our security measures; and to monitor and verify your identity so that unauthorized users do not access your account with us. We cannot ensure the security of the Unified Mission Control Service if we do not process your Personal Information for security purposes.
   • To Enforce our Terms, Agreement or Policies. We may process your Personal Information to actively monitor, investigate, prevent and mitigate any alleged or actual prohibited, illicit or illegal activities in the Unified Mission Control Service; investigate, prevent, or mitigate violations of our terms, agreements or policies; and enforce our agreements with third parties and partners. We cannot provide the Unified Mission Control Service in accordance with our terms, agreements or policies without processing your Personal Information for such purposes.
   • To Conduct Research & Development. We may use your information to operate, improve or monitor the Unified Mission Control Service or Castlight Companies' other services and to help us decide how such services can meet our users' needs. Research and development help us improve the Unified Mission Control Service, and build new services and customized features.

   If, in the future, we use your Personal Information in any way that is not described in this Privacy Statement, we will disclose this to you. If you choose to limit the ways we can use your Personal Information, some or all of the Unified Mission Control Service may not be available to you.

3. Information Disclosure

   We disclose your Personal Information as described below. The Castlight Companies will only disclose your Personal Information to third parties as provided for in this Privacy Statement or to the extent you have otherwise consented to additional use or disclosure of your Personal Information.

   • Compliance with Laws and Law Enforcement Requests. We may disclose information about you when we have a good faith belief that disclosure is reasonably necessary to: (a) comply with a law, regulation or legal requests including to meet national security or law enforcement requirements; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of the Unified Mission Control Service or its user; or (d) protect or enforce our property rights.
   • Service Providers, Business Partners, and Others. The Castlight Companies may share information with trusted third-party companies to help us provide, analyze and improve the Unified Mission Control Service. These parties are not allowed to use Personal Information except for the purpose of providing their services to us.
   • Business Transfers. If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your Personal Information may be transferred as part of that transaction, subject to the applicable law.
4. Tracking Technologies

   To personalize the Unified Mission Control Service, analyze trends, and to collect aggregate, information regarding service usage by all of our users, We use cookies. A "cookie" is a small text file that Castlight Companies or our partners transfer to your device's hard drive to collect information about your use of the Unified Mission Control Service. We use both first-party and third-party cookies in the Unified Mission Control Service.

   • First-party cookies are cookies that are placed on your device by us, while third-party cookies are set by parties other than us.
   • Third-party cookies are operated by third parties that can recognize your device when it visits the Unified Mission Control and when it visits other websites. We may receive reports based on the use of these technologies by these companies on an individual and aggregated basis. You can find out more about how Google uses data here.

   Unified Mission Control may use the tool described below (the "Analytics Service") to collect information about use of Unified Mission Control, such as how often users visit Unified Mission. We use the information we collect from the Analytics Service to maintain and improve Unified Mission Control. The analytics tools we may use include:

   Mixpanel

   Mixpanel is provided by Mixpanel Inc.

   You can prevent Mixpanel from using your information for analytics purposes by opting-out. To opt-out of Mixpanel service, please visit this page: https://mixpanel.com/optout/

   For more information on what type of information Mixpanel collects, please visit the Terms of Use page of Mixpanel: https://mixpanel.com/terms/

   Managing Cookies Via Browser Settings. You can control the use of cookies at the individual browser level. If you reject cookies, you may not be able to use some or all portions or functionalities of the Unified Mission Control Service.

   • First Party Cookies. You can enable, disable or delete cookies via your browser settings. To do this, follow the instructions provided by your browser, usually located within the "Help", "Tools", or "Edit" settings of your browser. Many browser manufacturers provide helpful information about cookie management, including, but not limited to: Google Chrome; Internet Explorer; Mozilla Firefox; Safari (desktop or mobile); Android Browser, and Opera.
   • Third Party Cookies. Any cookies that are placed on your browsing device by a third party can be managed through your browser (as described above) or by checking the third party's website for more information about cookie management and how to "opt-out" of receiving cookies from them.

   Do Not Track. Some Internet browsers (e.g. Internet Explorer, Mozilla Firefox, and Safari) include the ability to transmit "Do Not Track" or "DNT" signals. Since uniform standards for "DNT" signals have not been adopted, the Unified Mission Control Service does not currently process or respond to "DNT" signals.

5. Opting Out or Opting-In to Specific Uses of Information
   • Invitations. If you no longer wish to receive invitations to register for the Unified Mission Control Service, please directly contact your Unified Mission Control Service account administrator.
   • Email Updates and Marketing. We may send informational announcements or may market any of our services to you as a user of the Unified Mission Control Service. You will be able opt-out of any such communications at any time by clicking the "unsubscribe" link at the bottom of any such email. Transactional communications about your account or the Unified Mission Control Service are not considered "marketing" communications.
6. Accessing and Updating Your Personal Data

   You can update or correct some of your Personal Information by directly contacting your Unified Mission Control Service account administrator. For individuals located in the European Economic Area, Switzerland or the United Kingdom during data collection, please refer to the Section J for more information about your privacy rights.

7. Security

   All communications between you and the Castlight Companies server are encrypted using the latest version of TLS (Transport Layer Security). The Castlight Companies take commercially reasonable measures to secure your data on our servers. However, no method of transmission over the Internet or method of electronic storage is 100% secure and we cannot guarantee its absolute security. To protect your privacy and security, never share your username or password for the Unified Mission Control Service and always log out as soon as you are finished using the service.

8. Storage and Maintenance of Information

   We will store your Personal Information as long as your account is open. If your Employer request to close its account with Castlight, we will take steps to delete all your Personal Information, unless a longer retention period is required or permitted by law. We have established internal policies for the deletion of data from customer accounts following termination of our contractual obligations with a customer.

9. International Transfers

   If you access or use the Unified Mission Control Service, Personal Information may be transferred to, processed and maintained on servers or databases located outside of the country or jurisdiction where you are located. Such countries or jurisdictions may have data protection laws that are less protective than the laws of the jurisdiction in which you reside.

   For cross-border and onward transfers of Personal Information collected from individuals while they are located in the European Economic Area, the United Kingdom or Switzerland ("EEA Personal Information "), we rely primarily on Model Contractual Clauses approved by the European Commission to the extent the recipients of the EEA Personal Information are located in a country that the EU considers to not provide an adequate level of data protection, or other legal transfer mechanisms recognized under Chapter V, GDPR. We may also rely on an adequacy decision of the European Commission confirming an adequate level of data protection in the jurisdiction of the party receiving the information.

10. Personal Information from the European Economic Area ("EEA")

    This section only applies to individuals who are in the European Economic Area, United Kingdom or Switzerland (collectively, the "EEA") at the time of data collection. We are a data controller with regard to any Personal Information collected from users of the Unified Mission Control Service. Users are individuals providing Personal Information to us via the Unified Mission Control Service pursuant to a contract that has been entered into between the user's Employer ("Employer") and the Castlight Companies (or in the case of a benefit consultant user, between such benefit consultant's customer who is also a customer of the Castlight Companies, i.e. a mutual customer).

    Legal Bases for Processing Personal Information from the EU. As described in this Privacy Statement, we use your Personal Information if it is necessary to carry out our obligations arising from any contracts entered into between your Employer and us. We may also collect and process your Personal Information for our legitimate interests to protect our property, rights or safety of our customers or others, or to offer information on our services we feel may interest you. In addition, it may be our legal obligation to use or share your Personal Information with third parties, such as public authorities or law enforcement bodies.

    Additional Rights. You have the rights described below. We may limit these privacy rights requests (a) where denial of access is required or authorized by law, (b) when granting access would have a negative impact on others' privacy, (c) to protect our rights and properties, or (d) where the request is frivolous or burdensome. You can exercise your privacy rights by contacting you Unified Mission Control Service account administrator and we will handle your request under applicable law. When you make a request, we will verify your identity to protect your privacy and security.

    • Right to withdraw consent. To the extent we requested your consent to process your Personal Information, you have the right to withdraw your consent.
    • Right of access to and rectification. You may request that we provide you with a copy of your Personal Information held by us. If you request to access or rectify any other information, we will do our best to provide it to you without undue delay, subject to some fee associated with gathering of the information, as permitted by law.
    • Right to erasure (i.e. "Right to be Forgotten"). In certain circumstances, you may have a right to the erasure of your Personal Information that we hold on you. You have the right to request erasure of Personal Information that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing that you previously consented, but later withdraw such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. We will provide notice to each processor that we disclosed your Personal Information to regarding any rectification or erasure of Personal Information or restriction of processing, unless you initiated the disclosure, or providing notice proves impossible or involves disproportionate effort.
    • Right to data portability. If we process your Personal Information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your Personal Information in a structured, commonly used and machine-readable format, unless exercise of this right adversely affects the rights and freedoms of others.
    • Right to restriction of or object to processing. You have the right to restrict or object to our processing of your Personal Information where one of the following applies: (a) you dispute the accuracy of Personal Information processed by the Castlight Companies (for a period enabling us to verify its accuracy); (b) the processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use instead; (c) we no longer need the Personal Information for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims; and (d) you have objected to certain processing relying on legitimate interest, pending verification of whether our legitimate grounds override your rights. In some cases, your ability to use all or portions of the Unified Mission Control Service may be limited by our inability to use your Personal Information.
    • Automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, except as allowed under applicable data protection laws. The Unified Mission Control Service does not engage in such automated processing.
    • Right to lodge a complaint. If you believe that we violated your rights, we encourage you to contact us first at privacy@castlighthealth.com referencing that you are a United Mission Control Service user so that we can try to resolve your concern. You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement.

    The Castlight Companies are responsible for the processing of EEA Personal Information it receives and subsequently transfers to a third party acting as an agent on its behalf. Before we share your information with any third party, we will enter into a written agreement that the third party provides at least the same level of protection for the EEA Personal Information as required under applicable data protection laws.

    The Castlight Companies also participates in and has certified its compliance with the EU-US and Swiss Privacy Shield Framework. We are committed to subjecting all Personal Information received from European Union member countries, the United Kingdom or Switzerland, in reliance on the Privacy Shield Framework, to the Framework's applicable Principles. To learn more about the Privacy Shield Framework, you can visit the U.S. Department of Commerce's Privacy Shield List.

    The Castlight Companies are responsible for the processing of Personal Information received under the Privacy Shield Framework, and subsequent transfers to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of personal data from the European Union, the United Kingdom and Switzerland, including the onward transfer liability provisions.

    With respect to Personal Information received or transferred pursuant to the Privacy Shield Framework, the Castlight Companies are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, the Castlight Companies may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

    If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S. based third party dispute resolution provider (free of charge) here. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

11. Contact Us

    If you have any questions about this Privacy Statement, please contact us at privacy@castlighthealth.com referencing that you are a United Mission Control Service user.