Privacy Statement

Effective Date: June 27, 2024

(If you are a CA resident, this statement includes your California Privacy Rights. If you are a CO resident, this statement includes your Colorado Privacy Rights. If you are a CT resident, this statement includes your Connecticut Privacy Rights. If you are a MT resident, this statement includes your Montana Privacy Rights. If you are an OR resident, this statement includes your Oregon Privacy Rights. If you are a TX resident, this statement includes your Texas Privacy Rights. If you are a UT resident, this statement includes your Utah Privacy Rights. If you are a VA resident, this statement includes your Virginia Privacy Rights.)

To view our Consumer Health Data Privacy Policy, please see below.

Welcome to the Active&Fit Enterprise™ program which is a fitness and health education program (the “Active&Fit Enterprise Program” or “Program”). The Active&Fit Enterprise Program and website (the “Active&Fit Enterprise Website” or “Website”), are owned and operated by American Specialty Health Fitness Inc. (ASH Fitness), a subsidiary of American Specialty Health Incorporated (“ASH”), a Delaware corporation with a mailing address of 10221 Wateridge Circle, San Diego, CA 92121, on behalf of itself and its subsidiaries. The Active&Fit Healthy Living Program as part of the Active&Fit Enterprise program is managed by ASH affiliate, American Specialty Health Management, Inc. (ASH Management). The provisions of this Privacy Statement apply to these companies to the extent they support the Active&Fit Enterprise program. The terms “ASH” or “We” in this Privacy Statement refer collectively to these companies.

ASH values its users (“you”) and respects your privacy. We are committed to using your information responsibly. The information you provide to us through the Active&Fit Enterprise Program or on the Active&Fit Enterprise Website is governed by this Privacy Statement. This Privacy Statement informs users about the Active&Fit Enterprise information practices, including: what personal information, including any sensitive personal information, we collect through the Active&Fit Enterprise Program and on the Active&Fit Enterprise Website; how the personal information is collected; the business purposes for which we collect personal information; the types of third parties to whom we disclose personal information; how long we keep the personal information; and the choices you have about the collection and use of personal information. If you access the Active&Fit Enterprise Website through one of ASH’s health plan or employer group clients, any information you provide to us on the Active&Fit Enterprise Website will be governed by this Privacy Statement.

This Privacy Statement, together with the Terms and Conditions, governs your participation in the Active&Fit Enterprise Program and your use of the Active&Fit Enterprise Website. By using the Active&Fit Enterprise Website, or otherwise participating in the Active&Fit Enterprise Program, you accept and agree to be bound by this Privacy Statement and the Terms and Conditions.

You should read and familiarize yourself with this Privacy Statement and with the ActiveandFit.com Terms and Conditions. By using ActiveandFit.com, you acknowledge and consent to our collection, processing, and use of your information as described in this Privacy Statement. For any questions about this Privacy Statement, please contact us directly through any means noted at the end of this Privacy Statement. If information practices change, ActiveandFit.com will post the revised policy on ActiveandFit.com and/or will notify users through direct communication.

Information Collected by Active&Fit Enterprise

The types of information collected through the Active&Fit Enterprise Program or on the Active&Fit Enterprise Website (as further described below) may be considered Protected Health Information (“PHI”) and Personally-Identifiable Information (“PII”). We refer to both PHI and PII collectively as Personal Information (“PI”) in this document. We collect only PI that is necessary for users to access and use the Active&Fit Enterprise Program tools and features and the Active&Fit Enterprise Website (as further described below). Whether or not to provide PI is your choice, but without providing certain information you will not be able to access and use all tools and features of the Active&Fit Enterprise Program and Website.

Personal Information identifies, relates to, describes, is reasonably capable of being associated with, or could be linked, directly or indirectly, with a particular consumer or household. The type of personal information collected and used by Active&Fit Enterprise generally does not include sensitive personal information, which is subject to special protections under some state laws. Such laws consider sensitive personal information to include information like government-issued numbers (e.g., Social Security, driver’s license, state identification card, or passport); information allowing access to financial accounts like credit or debit cards; geolocation within a radius less than 1850 feet; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of consumer’s mail, email, text messages; genetic data; biometric information capable of uniquely identifying a consumer; health and mental health data; citizenship or immigration status; status as transgender or non-binary; or data about a person’s sex life or sexual orientation.

Active&Fit Enterprise does not collect financial account information. We use payment processors who comply with federal PCI standards to complete payment on our behalf. Those processors do not disclose financial account information to us.

Should you choose to use the Healthy Living Program, we must first make sure the coaching services available are appropriate for you. To do so, we ask general questions about mental and/or physical health concerns. Based on responses to such questions, or if you appeal any ASH determination not to make coaching services available to you, ASH may require more information from you or your medical provider. ASH intentionally limits the information needed to make these determinations using the least amount of information necessary. Please do not volunteer more detailed sensitive personal information than what is required.

If you choose to use the Connected feature or the Apple Watch via the ASHSync App, ASH will receive activity (e.g. steps, duration, etc.) you have authorized your device or app manufacturer to send to ASH.

Both the coaching and Connected features require you to opt into those services before receiving them. ASH does not use sensitive personal information other than the limited business purposes noted above.

ASH does not sell personal information to third parties. When we use any service providers, processors, or third parties to assist us for business purposes involving the collection, use or retention of personal information, we limit those arrangements to the uses disclosed in this privacy statement. We also contractually require such persons to only use the personal information for the specific business purposes authorized in the contract.

We do not use your personal information for Targeted Advertising (Cross-Context Behavioral Advertising).

ASH does not use personal information for profiling.

To help you identify resources on our website and applications, like fitness videos, we may ask you for your workout preferences to help you select workouts. Beyond this, ASH does not use personal information for profiling (the automatic processing of personal information to evaluate personal aspects and to analyze or predict aspects concerning, economic situation, health, personal preferences, interests, reliability, behavior, location or movements) or otherwise altering your experience outside your current interaction with the business.

Deidentified Information Will Not Be Re-identified: Deidentified information is data where identifiers are removed or altered so that the identify an individual, a household or device used by an individual reasonably cannot be determined from the data. Such data may also be known as pseudonymized or anonymized data. Where the information has been deidentified properly in accordance with federal or state law, the deidentified data set is not subject to privacy protections under the applicable law. To the extent ASH creates or uses such deidentified data sets, we will not attempt to alter that information so that is it is “reidentified,” meaning it could then be used to reasonably identify an individual, a household or device used by an individual.

How we obtain information about you:

  • when you provide it to us (e.g., by contacting us through our Contact Us, through our chat, when you call us, when registering or enrolling for the services),
  • from your use of our website, using cookies,
  • from your Sponsoring Organization (e.g. Health Plan/Insurer or Employer Group), and
  • occasionally, from our Service Providers.
This chart is a reference guide on how the Active&Fit Enterprise Program collects, uses, and shares your information. This is only a summary. You should review the full privacy statement below for more detail. If you are a California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, or Virginia resident, the full privacy statement below contains important information related to your privacy rights. For additional privacy rights related to Consumer Health Data laws, please see reference the Consumer Health Data Privacy Policy section below.
All Users - Publicly available program features
 Categories of Personal InformationSource of CollectionBusiness PurposeDisclosure to Others
Live Fitness Class StreamingIdentifiers:
IP Address Device ID
Profile name (if you comment or interact with Active&Fit Enterprise on social media platforms)
Provided by you when you activate or stream a digital workout or live fitness class.Performing Services for the Business: e.g., to facilitate access to and viewing of streamed materials made available through the program but hosted on, or streamed through, social media platforms.Your use of the third-party website (Facebook, YouTube, etc.) to view publicly available live classes is governed by the third party’s own Privacy Policy and Terms and Conditions. If you comment on a workout video, your comment may be publicly viewable and ASH may receive your profile name, in order to reply to your comment.
Fitness Center SearchIdentifiers: Address,

Preferred fitness location ZIP code*

*The ZIP Code for your first search is saved as your default Preferred ZIP Code until you change it.

Provided by you.Performing Services for the Business: e.g., to conduct a search of Fitness Centers near the address or ZIP Code entered.We do not share the address information you enter on our site with any third parties.
Check-InIdentifiers:

IP Address, Geolocation, Check-In/Check-Out times

Provided by you to ASH when you opt in to provide your location.To perform services related to recording your activity, tracking your fitness center visits to meet fitness center visit reward thresholds.We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
Contact UsIdentifiers:

First and last name,
E-mail address


Protected Class Information:
Date of Birth,
Special Identifiers*:
Phone number

Other Information:
General inquiry details, **Sponsoring Organization

*a Special Identifier is one that may be subject to cybersecurity and breach notification laws in various states. An example would be California Civil Code 17898.80, subdivision (e). **Optional fields

Provided by you.

Performing Services for the Business: e.g., to verify your identity and response to your questions, suggestions and complaints.

Security

Service Providers, Contracted Fitness Centers, and Sponsoring Organizations:

To Perform Services for the Business: (e.g., we may disclose the information outside of ASH as necessary to resolve your inquiry when resolution requires third-party action);

Security.

Chat Service Provider:
To perform services for the business: e.g., provide chat feature, quality assurance, product improvement, security, debugging, research and tech development.

 

Website AnalyticsIdentifier:

IP Address

Internet or Electronic Activity Information:
Web server logs,
Cookies,
Web beacons,
Active&Fit Enterprise Website browsing activity

Data Analytic Providers

Performing Services for the Business: e.g., auditing advertising performance, internal research and tech development, quality assurance, and product improvement.

Security

Debugging

Data Analytic Providers evaluate information for us.

We do not disclose personal information related to the information that Data Analytic Providers provide to us with third parties.

Registered or Enrolled Users - Program features available to members
 Categories of Personal InformationSource of CollectionBusiness PurposeDisclosure to Others
Program Administration:

Website Registration/

Program Enrollment/
Benefit Administration

Guest Pass Requests

Fitness Center/Active Options Activation & Access

Identifiers:

First and last name, address,
Email address,
Fitness ID

Special Identifier*:
Phone number (optional),
Username and password,
Security question and answer,

Protected Class Information:
Date of Birth

Other Information:
Selected fitness center location,
Preferred fitness location ZIP code

*A special identifier is one that may be subject to cybersecurity and breach notification laws in various states. An example, would be California Civil Code 1798.80, subdivision (e).

Provided by you during registration and by your Sponsoring Organization for eligibility purposes. 

Performing Services for the Business: e.g. service your account, provide customer service, process transactions, verify customer information, internal research and tech development, quality assurance, and product improvement.

To provide a directory of Fitness Centers

Non-targeted advertising and general marketing of affiliate products available to you through ASH, or in connection with your Sponsoring Organization’s plan.

Security

Debugging

We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.

Contracted Fitness Centers and/or Active Options locations and their representatives (hereinafter “Fitness Centers”) for eligibility, reimbursement, and utilization reporting. Additional information disclosed may include Fitness ID, program name, and effective date/termination date.

Fitness Centers may share utilization data with Us for benefit administration purposes.

We may disclose email, first name, and last name with Service Providers who support email communications.

We may disclose first name and last name, general location with Social Media Platform Operators that allow for customer service inquiries by way of social media platforms to be addressed directly via the social media platform.

Service Providers for security.

Digital WorkoutsIdentifiers:

IP Address Device ID
Fitness ID
Profile name (if you comment or interact with Active&Fit Enterprise or Streaming Service Providers)

Other Information:
digital workout completion status

Collected through completion analytics or Provided by you to Streaming Service Provider when you activate or stream a digital workout or live fitness class.Perform Services for the Business: e.g., to maintain and service your account, provide customer service, process transactions, track utilization, and verify customer information; facilitate access to, and viewing of, streamed materials made available through the program but hosted on, or streamed through, the Streaming Service Provider’s platform.

Streaming Service Provider: The Provider and ASH share general utilization data for administrative purposes such as processing reimbursement by ASH to the Provider.

Your use of the third-party website (Facebook, YouTube, etc.) to view publicly available live classes is governed by that platform’s own Privacy Policy and Terms & Conditions. If you comment on a workout video, your comment may be publicly viewable and ASH may receive your profile name to reply to your comment.

We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.

If you are enrolled in rewards, ASH may use utilization data to process rewards with your Sponsoring Organization.

Connected!TM
Feature

Identifiers:
Device ID

Personal Information:
Your fitness device activity information (e.g. steps, duration, distance, and calories)

When you agree to participate in the Connected! feature, you authorize your device to share your activity information with an activity aggregator, who forwards the activity information to Us to include in your account.

Perform Service for the Business: e.g., to facilitate services related to adding your activity, such as steps taken in a day, to your account so that you may track your progress over time. For internal research and tech development, quality assurance, and product improvement.

Security

Debugging

We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
Active&Fit Enterprise ASHSyncTM AppIdentifiers:

Username
Password
Device ID,
IP Address

Personal Information:
Your fitness device activity information for Apple Watch (e.g., steps, exercise duration, etc.)
Height
Weight
Time Zone
Username
Password

Provided by You when you log in.

When you authorize your device to send your information through the app to our activity aggregator Service Provider so that it may be added to your account so that ASH may track incentives, if applicable.

To perform services for the business: (e.g., to track your activity and progress over time, and to process rewards, if applicable.)We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
Active&Fit Healthy Living CoachingIdentifier:

First and last name,
E-mail address, mailing address

Special Identifier Information:
Phone number

Video and/or Audio: coaching sessions may be telephonic or virtual capturing voice and video

Other Information: Healthy Living Coaching Enrollment Information (e.g., self-reported information related to wellness goals,
Height,
Weight), Sponsoring Organization name

Protected Class Information:
Date of Birth

Sensitive Personal Information:
General health information

 

Provided by you.

Healthy Living Coaching Information is provided by you to ASH Fitness’ affiliate, American Specialty Health Management, Inc. (ASH Management). ASH Management provides the coaching services.

Perform services for the business: e.g., maintain and service your account, provide customer service, process transactions, verify customer information.

General health information is collected to ensure coaching program is appropriate for you.

Non-targeted advertising and general marketing of affiliate products available to you through ASH as part of your Sponsoring Organization’s plan

ASH Management provides the coaching services with administrative support provided by ASH Fitness. Any Healthy Living Coaching Information noted herein is retained by ASH Management. ASH Fitness and ASH Management will exchange individually identifiable information (e.g., Identifiers, Personal Information, Protected Class Information, excluding Sensitive Personal Information) for administration of the coaching feature and to address any complaints.

ASH Management may also provide individually identifiable information to ASH Fitness about Active&Fit Enterprise member participation in the program, but information is limited to your participation and does not include any information obtained in coaching sessions. We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.

Surveys

Identifiers:
First and last name,
Email address, mailing address
Sponsoring Organization Member ID (provided by your Sponsoring Organization)

Protected Class Information: Date of Birth
Gender

Personal Information:
Mailing address

Provided by your Sponsoring Organization or by you to ASH; when ASH uses our Survey Service Provider we share this information with the provider.Perform services for the business: e.g., to gather customer feedback to perform services related to internal research, tech development, quality assurance and product improvement.

With Survey Service Provider for administering the survey and/or ASH.

We may share aggregate results of the survey with Sponsoring Organizations, existing and potential clients and the public.

Home Fitness Kits Identifiers:

First and last name,
Email address, Mailing address

Special Identifier:
Phone Number

Other Information:
Selected Home Fitness Kit

Provided by you to ASH Service Provider.

Information you enter on our Service Provider’s website may be subject to their Terms and Conditions.

Perform Services for the Business: e.g., maintaining and servicing your account, providing customer service, and billing your Sponsoring Organization for utilization, if applicable.

We share with your Sponsoring Organization, if applicable, for benefit administration, utilization reporting, and billing purposes.

ASH will receive data from third party service providers to help administer your benefit.

Workout PlansOther Information:
Exercise goal,
Fitness level
Provided by you.Perform Services for the Business: e.g., to recommend workout videos, exercise plans, and home fitness kit(s) to you.We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes. We may also share aggregate usage and response information with existing and potential clients, and the public.
Resource Library Educational Videos

Identifiers:
First Name
Last Name
Fitness ID

Other Information:
Resource completion status

Collected through completion analytics and provided by you.Perform Services for the Business: e.g., to track website activity and use of resource library and process rewards, if applicable.We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
Payment Processing If you choose to enroll in the Active&Fit Enterprise Program, you will be asked to provide your credit card information to process any fees incurred by you as part of the program, including but not limited to, required annual and/or monthly dues. We use PCI-compliant third-party payment processors to collect and process your credit card information. Our systems store redacted credit card information (first six (6) and last four (4) numbers of your credit card), according to PCI data protection standards. Active&Fit Enterprise does not directly collect or process full credit card numbers or security codes.
Additional Sharing

For legal purposes, including as reasonably necessary to comply with law or legal process (including a court or government order or subpoena); to detect, prevent, or otherwise address fraud, security or technical issues; to enforce this Privacy Statement or the Terms and Conditions for the Active&Fit Enterprise program and the use of this Website; and as reasonably necessary to protect the rights, property or safety of ASH, ASH users, and/or the public.

During a corporate reorganization: If ASH is involved in a merger, acquisition, financing, or sale of business or assets, information collected from and about users may be transferred to one or more third parties involved in such transaction and, upon such transfer, the relevant third-party privacy policy or policies may govern further use of the information. In the event of such a change, ASH will endeavor to notify our users of the change as well as any choices our users may have regarding the change.

Aggregate information: In addition, ASH may provide service providers, reputable third-party vendors and Sponsoring Organizations with aggregate statistics regarding user participation, Active&Fit Enterprise Website traffic patterns and related Usage Information. The information so provided will not include individually identifiable information, meaning we will not share your Personal Information when sharing aggregate information.

Your Active&Fit Enterprise Program may include access to other ASH products and programs, such as but not limited to, the Connected! and Active&Fit Healthy Living Features. These products and programs have separate Terms and Conditions and Privacy Statements and may be provided by affiliates of ASH Fitness. You should review and accept their respective Terms and Conditions and Privacy Statements before you use them.

If you consent to your information being used to access one of our affiliate products, the use of your information is governed by the Privacy Statement of the affiliate product.

If you choose not to provide your Personal Information, certain features of the Active&Fit Enterprise Program and Active&Fit Enterprise Website will not be available to you.

How Active&Fit Enterprise Uses Personal Information

All Users -- Publicly available program features

Viewing live workouts: If you click on the Active&Fit Enterprise live workout links hosted on Facebook and YouTube, you will be redirected to those third-party websites to view the workout. Your use of the third-party website (Facebook, YouTube, etc.) is governed by its own Privacy Policy and Terms and Conditions. If you comment on a workout video, your comment may be publicly viewable and ASH may receive your profile name in order to reply to your comment.

Searching for an Active&Fit Enterprise Fitness Center: We use the address you provide to help locate Active&Fit Enterprise fitness centers near you. The ZIP code that you enter for your first search is saved as your default Preferred ZIP code until you change it. We do not disclose search information you enter on our site with any third parties.

Contacting us: When you contact us through the Active&Fit Enterprise Website, via chat, telephone or other means, we may collect your first and last name, phone number, address, e-mail address, date of birth, sponsoring organization and the details of your inquiry. We will use your information to perform services for the business such as to process and respond to your inquiries and requests. We may disclose such information with your Sponsoring Organization, our service providers, or contracted fitness centers, as necessary, to resolve issues requiring their input.

Website Analytics

We may collect your IP addresses (which are numerical numbers that are automatically assigned to users’ computers and mobile devices when they use the Internet) and information obtained by tracking the "clickstreams" from usage of ActiveandFit.com (page requests, pages visited, content viewed, clicks and search queries made, etc.) We use cookies and other similar technologies on the Active&Fit Enterprise Website to help us remember who you are, to enhance and personalize your experience, to understand and save your preferences for future visits, to compile group information about our users, and to carry out other tasks relating to the operation or improvement of the Active&Fit Enterprise Website.

  • "Cookies" are small text files that are placed on your hard disk by a webpage server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you. Most web browsers are initially set to accept cookies, but you can change your browser settings to notify you when you are sent a cookie, giving you the ability to accept or reject it, or you can choose to routinely and manually delete cookies stored on your computer or mobile device. Each time you revisit the Active&Fit Enterprise Website, your ability to restrict our use of cookies on that service is subject to your browser settings and limitations at the time. Please note that if you choose to disable or reject cookies from the Active&Fit Enterprise Website, some portions and features of the Active&Fit Enterprise Website may become inaccessible or may not function properly. For more information on how to manage cookies, visit http://www.aboutcookies.org/.
  • We may also use "web beacons" – which can be included in web pages or in emails for reporting and analytic purposes, such as counting users who have visited a web page and/or tracking usage patterns. We do not gather personal information of any kind via this activity. Web beacons cannot be declined when delivered via a regular web page. However, web beacons can be refused when delivered via email. If you do not wish to receive web beacons via email, refuse HTML (select Text only) emails via your email.
  • Web server log information: We collect and store server logs to ensure network and IT security and so that the server and website remain uncompromised. This includes analyzing log files to help identify and prevent unauthorized access to our network, the distribution of malicious code, denial of services attacks and other cyber-attacks, by detecting unusual or suspicious activity.
    • We also use server logs to troubleshoot application issues that would impact Active&Fit Enterprise users experience. This could happen when a certain feature (for example login or subscription) isn’t working as expected or when the performance of the website is degraded.
    • Unless we are investigating user-impacting issues, suspicious or potential criminal activity, we do not make, nor do we allow our hosting provider to make, any attempt to identify you from the information collected via server logs.
  • Third-Party Pixels: There are three types of commonly used pixels: Targeting Pixels, Retargeting pixels, and Conversion pixels. All pixels are tiny snippets of code that allow website owners to gather information about visitors to the website. Website pixels track how you browse, what type of ads you click on, and if you make any purchases. Pixels also collect your name, IP address, and email address. We use tracking pixels to measure our non-targeted, general marketing campaigns’ performance and track conversions to our website and Program.
  • Do Not Track: Some web browsers incorporate a "do-not-track" (“DNT”) or similar feature that signals to websites that a visitor does not want to have his/her online activity tracked. If a website receives a DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, we (along with many other website operators) do not currently respond to DNT signals. For more information about DNT signals, visit www.allaboutdnt.com.
  • Data Analytics Providers: We use Google Analytics to collect information to improve the Website, such as how often users visit the Website, what pages they visit when they do so, and how users landed on the Active&Fit Enterprise Website. Google Analytics places a cookie on your web browser so that it can identify you the next time you visit the Website, and the cookie cannot be used by anyone but Google. Google’s ability to use and share information collected by Google Analytics about your visits to the Website is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. If you don’t want Google Analytics to be used in your browser, you can install the Google Analytics opt-out browser add-on which is available at https://tools.google.com/dlpage/gaoptout
  • Do Not Track: Some web browsers incorporate a "do-not-track" (“DNT”) or similar feature that signals to websites that a visitor does not want to have his/her online activity tracked. If a website receives a DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, we (along with many other website operators) do not currently respond to DNT signals. For more information about DNT signals, visit.

Program features available to registered or enrolled members

  • Registering/Enrollment with the Website requires first and last name, date of birth, address, and e-mail address. We also require a username and password to enter the password-protected area of the Active&Fit Enterprise Website and a security question and answer to help recover your username and/or password. Your home phone number is optional. We will use your registration information to set up, administer, service, and communicate with you regarding your account. If you enroll in the Active&Fit Enterprise program, we will use the eligibility information that your Sponsoring Organization sends ASH, including your Sponsoring Organization member ID, address, and date of birth to verify your eligibility and complete your enrollment. We may also use this information for security purposes. We use limited data to assist with debugging purposes. We use and disclose your registration information with service providers as needed to perform the business service and security functions noted above. We may share your email, first name, and last name with service providers who support email communication. We may also use this information to provide you with general, non-targeted advertising and marketing of affiliate products available to you through ASH, or in connection with your Sponsoring Organization’s plan.
  • If you request a Guest Pass Letter, you will be required to register for the site.
  • Searching for and selecting an Active&Fit Enterprise Fitness Center: We use the address you provide to help locate Active&Fit Enterprise fitness centers near you. If you enroll with a fitness center, we will use your information to process your enrollment along with a Fitness ID we assign to your account with Fitness Centers. We do so to confirm your eligibility for services, to reimburse Fitness Centers and for reporting utilization of the Fitness Center services. Additional information shared with Fitness Centers for these purposes may include your Sponsoring Organization’s program name, your effective date/termination date with Active&Fit Enterprise, and the fitness center location and date of your visit or use of the location. We may receive your fitness center location and date of visit information directly from the fitness center if the fitness center is in the Active&Fit Enterprise network. By selecting such a fitness center for the purpose of participating in the Active&Fit Enterprise program, you acknowledge and agree that the fitness center may provide your visit information to us on your behalf. We also share your visit information, including Fitness Center location and date of visit, with your Sponsoring Organization, if applicable, to manage your program.
  • Check-In: If you use the Check-In feature, you allow ASH to receive your IP Address, Geolocation, and check in/check out times. We will use the information to perform services related to recording your activity and tracking your fitness center visits to meet fitness center visit rewards thresholds, if applicable. You must enable location permissions on your browser and tap “Start Workout” to start your check in session. Once your workout is complete, tap “End Workout” in order to track your fitness center visit. We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
  • Digital Workouts: For some digital workouts, ASH embeds Streaming Service Providers’ video platform directly onto the Active&Fit Enterprise Website. For such content, when you view the content, the Streaming Service Provider and ASH will receive analytic information such as IP address, Device ID, videos participants have selected to watch, and the timestamp when such participants watched the videos. We also track your digital workout completion status through completion analytics. The provider and ASH will use this information to receive data about the content being accessed and to process payment to the Streaming Service Provider. In addition, ASH will pair the information with your Fitness ID for program administration purposes. We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
  • Connected!TM Feature: If you use this feature you will separately agree at that time to authorize your eligible, enabled, activity/fitness device or equipment (a “Fitness Device”) to transmit your designated activity information from your Fitness Device from the Fitness Device manufacturer to a third-party data aggregator that we use to facilitate the Active&Fit Connected! feature. The aggregator, in turn, will forward that information to us. After receiving the information from the aggregator, we upload the information into your member profile/account on Active&Fit Enterprise Website. By using the Connected! feature, you allow us to receive this information from your Fitness Device. We may use the information to perform services for the business such as customer services, internal research and tech development, quality assurance and product improvement. We may also use the information as needed for security purposes together with our service providers supporting our security efforts. We may also use limited information for debugging purposes. We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
  • If you choose to sync your Apple Watch with the ASHSync Mobile App, you allow ASH to receive your fitness device activity information for Apple Watch (e.g. steps, exercise duration, etc.). Your device sends information directly through the Mobile App to our activity aggregator Service Provider so that it may be added to your account. We will use this information to perform services related to recording your activity, tracking your progress over time, and processing rewards (if applicable). We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
  • If you participate in Active&Fit Healthy Living Coaching, ASH will collect your first and last name, date of birth, e-mail address, phone number, mailing address, and Sponsoring Organization name. The coaching is provided through ASH Fitness’ affiliate ASH Management. ASH Management uses the personal information you provide during coaching to provide you with the coaching services and to track your progress with your wellness goals ASH Management records video and audio coaching sessions for quality assurance and training purposes. ASH Management discloses individually-identifiable participation information with ASH Fitness. The two affiliates may share your Identifiers and related Personal Information and Protected Class Information, excluding Sensitive Personal Information like your answers to the general health questions, to perform services for the business. These would include servicing your account, providing customer service, processing transactions, and verifying customer information. ASH Management does not disclose coaching records or information obtained in a coaching session with ASH Fitness. We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes. ASH Fitness may also exchange individually identifiable information with you Sponsoring Organization as necessary to resolve customer service issues that you may have involving your program. This information is not maintained on the Active&Fit Enterprise Website.
  • Surveys: A portion of members are randomly selected for participation in surveys. If you are selected, your name, email address, mailing address, DOB and gender may be forwarded to our Survey Service Provider for administration of the survey or used to process surveys conducted by ASH. If you receive a survey, your participation is optional. If you participate in a Survey, ASH will use your information and responses to improve our program and to share program aggregate feedback with your Sponsoring Organization, our existing and potential clients, and the public. Such aggregate information will not include information that can be used to identify you.
  • Home Fitness Kits: If you select a Home Fitness Kit on the Active&Fit Enterprise website, we collect your name, date of birth, address, e-mail address, and home phone number during the website registration process. Additionally, you will provide your name, shipping address, email address, and phone number to the third-party Service Provider website to complete your Home Fitness Kit order. Information you enter on our Service Providers website may be subject to their Terms and Conditions. ASH will receive data from third party service providers to help administer your benefit. Your Home Fitness Kit selection will be shared with your Sponsoring Organization for billing and utilization reporting purposes.
  • Workout Plans: If you register on the Active&Fit website, the first time you log in you will have the option to complete the Workout Plans questionnaire about your fitness preferences and exercise level. Your participation is optional. If you choose to participate, ASH will use your information and responses to provide recommendations for Digital Workout Videos and home fitness kit option(s). If you choose to complete the questionnaire, we may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes. ASH may also share non-individually identifiable aggregate answers with existing and potential clients, and the public.
  • Resource Library Educational Videos: If you view Resource Library Educational Videos on the Active&Fit Enterprise website, we collect your name, date of birth, address, e-mail address, and home phone number during the website registration process. We also track your resource completion status through completion analytics. We use this information to perform services for the business - e.g., to track website activity and use of the Resource Library, and to process rewards, if applicable. We may share information with your Sponsoring Organization and/or designated vendor for benefit administration, utilization reporting, and billing purposes.
  • Payment: If you are required to pay a fee to ASH in connection with your use of the Active&Fit Enterprise program, ASH will use a third-party PCI DSS certified payment processor, to collect and process your credit card information. Our systems store redacted credit card information (first six (6) and last four (4) of your credit card), according PCI data protection standards. Active&Fit Enterprise does not collect or process full credit card numbers or security codes.

Disclosure of Your Personal Information to Others

ASH may disclose your Personal Information with third parties for the purposes noted above. In summary, we disclose personal information to others in the following circumstances:

With Sponsoring Organizations: You have access to Active&Fit Enterprise through a program made available to your Sponsoring Organization. Your Sponsoring Organization is the entity who is offering the Active&Fit Enterprise program to its eligible population. We may provide your information to your Sponsoring Organization as needed to administer your available benefits, including but not limited to helping you meet and processing available incentives and rewards. ASH may also provide limited participation and aggregate usage information to your Sponsoring Organization and/or other entities that have contracted with your Sponsoring Organization to provide you with health-related services on behalf of your Sponsoring Organization. In certain limited situations, ASH may be required to provide some personal information to your Sponsoring Organization in order to perform billing, eligibility, and other administrative functions. In these situations, ASH ensures that there are security protections in place so that personal information is only disclosed to those who perform the benefit administration process described above as permitted by state and federal law, and not used for employment related or benefit underwriting purposes.

With Service Providers and Contractors: to provide services under the Program and to support the operation and maintenance of the Active&Fit Enterprise Website. We may also receive product purchased information and aggregate statistical information from Vendors who are linked to the Active&Fit Enterprise website for the purpose of program and product improvement. For example, if you make a purchase on a linked Vendor website for a product advertised on our Website, we may receive aggregate information on the product(s) purchased and website usage data. Active&Fit Enterprise will not receive your individual payment or purchase information from Vendors. Our service providers include:

  • Telephone Providers
  • Email Providers
  • Mailing List Providers
  • Payment Processors
  • Activity Aggregators
  • Cloud Providers
  • Chat Providers
  • Data Analytic Providers
  • Fitness Providers
  • Fitness Class Streaming Providers
  • Healthy Living Coaching/ASH Management
  • Advertising Networks
  • Security Service Providers

For legal purposes, including: as reasonably necessary to comply with law or legal process (including a court or government order or subpoena); to detect, prevent, or otherwise address fraud, security or technical issues; to enforce this Privacy Statement or the Terms and Conditions for the Active&Fit Enterprise program and the use of this Website; and as reasonably necessary to protect the rights, property or safety of ASH, ASH users, and/or the public.

During a corporate reorganization: If ASH is involved in a merger, acquisition, financing, or sale of business or assets, information collected from and about users may be transferred to one or more third parties involved in such transaction and, upon such transfer, the relevant third-party privacy policy or policies may govern further use of the information. In the event of such a change, ASH will endeavor to notify our users of the change as well as any choices our users may have regarding the change.

Disabling and Deleting User Accounts and Information

California residents see below. Colorado residents see below. Connecticut residents see below. Montana residents see below. Oregon residents see below. Texas residents see below. Utah residents see below. Virginia residents see below. For information pertaining to our Consumer Health Privacy Policy, please see below. Except as expressly otherwise stated in this Privacy Statement, and except where applicable law provides otherwise, personal information collected on the Active&Fit Enterprise Website cannot be deleted or removed from ASH’s database and will be retained in accordance with ASH’s record retention policy. User accounts, however, may be disabled upon written request, using the contact information at the end of this Privacy Statement.

Retention

ASH retains your data for as long as your account remains continually active. ASH may also retain your data for up to 10 years or longer if required by any legal obligations.

Opt-out of Communications received from Active&Fit Enterprise

If you have provided your email address, postal address, and/or telephone number to ASH, you may opt out of receiving marketing/promotional communications about affiliate programs that may be available to you from ASH by contacting ASH as described at the end of this Privacy Statement. To stop receiving marketing/promotional communications via email, you can also use the “unsubscribe” link contained in a marketing/promotional email you have previously received from ASH. Please note that email unsubscribe requests may not take effect immediately.

NOTE: Your opt-out regarding our marketing/promotional communications will not stop communications from ASH of a transactional nature or as required by law. For example, we will still send you communications regarding your account, request or inquiry you have made with ASH, notices regarding material changes to the Active&Fit Enterprise Website or its information practices, and other administrative notices.

Privacy of Minors

ASH is concerned about the safety of children when they use the Internet. The Active&Fit Enterprise Website may be used by eligible participants at least 13 years old, with parental supervision, while utilizing the account of a registered parent/guardian. If ASH becomes aware that a user is under the age of 18 and has provided Personal Information to ASH without prior parental consent or supervision, ASH will remove all information provided by such underage user from its database.

Security of Personal Information

In order to maintain the confidentiality of and safeguard the security of users’ personal information, ASH enforces strict company-wide policies regarding privacy, security, and confidentiality. Despite these measures, the confidentiality of your Personal Information cannot be guaranteed. We encourage you to take appropriate steps to protect your Personal Information, such as using a complex password when you register for the Program.

ASH has an organizational commitment to protecting privacy and security. All employees who work on the Active&Fit Enterprise Website are made aware of security policies and practices through employee orientation and annual refresher training. Personal information is secured in an isolated database with tightly restricted access. Employees authorized to view this information are authenticated prior to gaining such access. ASH reviews web security on an ongoing basis. In addition to daily security administration and response activities, the Active&Fit Enterprise Website undergoes an overall security review on an annual basis.

Third-Party Links and Services

For your convenience, the Active&Fit Enterprise Website may provide links to third-party websites, platforms and online services not owned or controlled by or affiliated with ASH (each, a “Linked Third-Party Website/Service”). Linking or hosting a platform does not mean, and should not be deemed or construed to mean, that ASH endorses or approves or is affiliated with a Linked Third-Party Website/Service. ASH is not responsible for the information privacy and security policies or practices of a Linked Third-Party Website/Service. When you leave the Active&Fit Enterprise Website to visit a Linked Third-Party Website/Platform/Service, this Privacy Statement no longer applies, and any information collected from or about you by a Linked Third-Party Website/Platform/Service will be governed by that site/service’s privacy policies and practices, which may be substantially different from those of ASH. A Linked Third-Party Website/Platform/Service may set or use its own cookies, web beacons, etc. to your computer or mobile device, and may collect information from and about you and use the information in ways that ASH would not. You access a Linked Third-Party Website/Platform/Service entirely at your own risk. You should always read the privacy policy associated with a Linked Third-Party Website/Platform/Service before disclosing any personal information.

For more on Links, please see the Terms and Conditions of this Website.

 

Note to international users.

The Active&Fit Enterprise Program and Website are intended for U.S. residents. If you are outside of the United States and access the Active&Fit Enterprise Website or submit your Personal Information to us, please be advised that U.S. law may not offer the same privacy protections as the law of your jurisdiction. By using the Active&Fit Enterprise Website or submitting your Personal Information to us, you consent to the transfer to and processing of your Personal Information in the United States.

CONSUMER HEALTH DATA PRIVACY POLICY

This Consumer Health Data Privacy Policy applies to “Consumer Health Data”, as that term has been defined by applicable laws, including, but not limited to Washington House Bill 1155, known as the “My Health My Data Act”, and Nevada Senate Bill 370, “Nevada’s Consumer Health Data Privacy Law”. This policy provides consumers whose consumer health data is processed ("you", or "your") with specific rights regarding their consumer health data. This Consumer Health Data Privacy Policy supplements the above Privacy Statement and applies solely to consumers protected by the applicable laws pertaining to the processing of Consumer Health Data.

Additionally, this policy explains your rights regarding your consumer health data and how you can exercise those rights. This policy describes the practices of Active&Fit Enterprise and its subsidiaries and affiliates (“ASH”, “we”) that link to this policy regarding the collection, use, disclosure, sale, and sharing of consumer health data we collect from you.

Consumer Health Data ASH Collects

As stated in the above Privacy Statement, in sections outlining the personal data we collect, data collected depends on your interactions with Active&Fit Enterprise and choices you make, the features you engage with or opt-in to, and the information you choose to share. Because applicable laws define consumer health data broadly, some categories of the data described above may also be considered consumer health data.

Examples of consumer health data, as defined by applicable laws may include, but are not limited to:

  • General health information provided to your coach (*if opted-into coaching services), including but not limited to height, weight, health related conditions or diagnosis, symptoms, surgeries, procedures, medications, interventions, etc.)
  • Information which could identify your attempt to seek health care services or information, including services that allow you to assess, measure, improve, or learn about your or another person’s health through things like search queries, browsing histories, and survey responses.
  • Other information that may be used to infer or derive data related to the above or other health information.

How Consumer Health Data is Collected

As described in the above section of the privacy statement outlining the personal data we collect, we collect personal data, which could include consumer health data, directly from you, from your interactions with our products and services.

Why We Collect and Use Consumer Health Data

We collect and use consumer health data for the purposes described in the sections above outlining our business uses of personal data. Principally, we collect and use consumer health data as reasonably necessary to provide you with the products you have requested or authorized. This may include providing and operating the product and associated features, ensuring secure and reliable operation of the products and the systems that support them, troubleshooting and product improvement, and other essential business operations that support the provision of the product, such as analyzing our performance, meeting legal obligations, and conducting research and development.

Our Sharing of Consumer Health Data

We may share each of the categories of consumer health data described above for the purposes described in above sections of the privacy statement. We may share personal data, including consumer health data, with your consent or as reasonably necessary to administer the product, as described above.

Third Parties with Which We Share Consumer Health Data

As necessary for the purposes outlined above, we may share consumer health data with the following categories of third parties:

  • Service Providers- Vendors working on our behalf may access consumer health data for the purposes described above.
  • Affiliates- We enable access to data across our subsidiaries and affiliates where we share common data systems or where access helps us provider our services and operate our business.
  • Health Plan Clients/Sponsoring Organizations- We may share consumer health information with our health plan clients and sponsoring organizations for the purposes stated above.
  • Government Agencies- As stated in our Privacy Statement, we may disclose consumer health data to law enforcement and government agencies when necessary to comply with applicable law or respond to valid legal requests.

How to Exercise your Consumer Health Data Rights

Consumer Health Data laws provide consumers whose consumer health data is processed with specific rights related to collection, use and disclosure of their consumer health data.

Consumer Health Data and the details noted here do not apply to situations where your personal information is collected, used or disclosed by us:

  1. Where in our capacity as a business associate of a covered entity, we collect or maintain your consumer health data in the same manner as protected health information in compliance with privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This may apply when your access to our program is made available to you as part of a health benefit plan operated by a plan sponsor who is a covered entity under the laws noted immediately above.
  2. Where your access to our program is made available to you through a sponsoring organization as part of the organizations’ policies or products subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations.

Additionally, should we receive consumer health data related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to either charge a reasonable fee for taking the action requested or refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

If neither of the above situations apply to you use of Active&Fit Enterprise is subject to Consumer Health Data laws, you may exercise your rights as described below:

Right to Know: You have the right to request that ASH disclose what consumer health information we have collected, used, disclosed, and sold, including specific pieces of consumer health data as well as a list of third parties and affiliates with whom we share such information for the date range indicated by you for records dated on or after March 31, 2024.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Consumer Health Data Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of consumer health data we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your consumer health data and the specific pieces of your consumer health data we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Consumer Health Data Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of consumer health data we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Consumer Health Data Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal, and your consumer health data is subject to the Washington My Health My Data Act (WA HB 1155), you can submit a complaint with the Washington Attorney General at https://www.atg.wa.gov/file-complaint.

Right to Correct: You have the right to have inaccurate consumer health data we maintain about your corrected. To request this information, you may fill out this form to specify which information requires correction.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Consumer Health Data Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Correct by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Correct Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request. We may also deny the request, in whole or in part, if we determine the contested consumer health data is more likely than not accurate based on the totality of circumstances. We may also deny a request if it involves the same alleged inaccuracy previously denied within the past 6 months should the request not provide new or additional documentation attempting to prove the inaccuracy. We may also deny a request if we have a good-faith, reasonable and documented belief the request is fraudulent or abusive.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Correct Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Delete: You have the right to request the deletion of your consumer health information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Consumer Health Data Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance applicable laws.

A denial of a deletion request may occur if ASH requires the use of your consumer health data to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Consumer Health Data Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal, and your consumer health data is subject to the Washington My Health My Data Act (WA HB 1155), you can submit a complaint with the Washington Attorney General at https://www.atg.wa.gov/file-complaint.

Right to Withdraw Consent: You have the right to withdraw consent from future collection and sharing of consumer health information.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Consumer Health Data Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Withdraw by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Withdraw Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email. If we are able to successfully verify your information, ASH will honor your request and no longer collect or process the information requested from the time of completed verification.

Please note, depending on the nature of your request to withdraw consent, some or all features of the program will not be available to you.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Withdraw Consent Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address.

 

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Consumer Health Data Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal, and your consumer health data is subject to the Washington My Health My Data Act (WA HB 1155), you can submit a complaint with the Washington Attorney General at https://www.atg.wa.gov/file-complaint.

CALIFORNIA RESIDENTS: YOUR CALIFORNIA PRIVACY RIGHTS

Under California Civil Code Section 1798.83 (known as the "shine the light" law), California residents have a right to request an information-sharing disclosure from a business to which they have provided personal information, and which has disclosed the information to any third party for third-party direct marketing uses in the prior calendar year.

ASH does not knowingly share your personal information with third parties for their direct marketing use without your permission. California residents may send requests for information-sharing disclosure under this law by contacting us by mail at the address located in the contact section below. Please note that, under this law, we are not required to respond to your request more than once in a calendar year, nor are we required to respond to any requests that are not sent to the above-designated email address.

The California Consumer Privacy Act (CCPA) (California Civil Code 1798.100-199) provides California residents with specific rights related to the collection, use and disclosure of their personal information by us. While our privacy practices have adopted many of the CCPA requirements across our program, this section discusses specific rights and elements applicable to persons who are California residents at the time we collected, used or disclosed your personal information.

The CCPA and the details noted here do not apply to situations where your personal information is collected, used or disclosed by us:

  1. Where in our capacity as a business associate of a covered entity, we collect or maintain your personal information in the same manner as protected health information in compliance with privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This may apply when your access to our program is made available to you as part of a health benefit plan operated by a plan sponsor who is a covered entity under the laws noted immediately above.
  2. Where your access to our program is made available to you through a sponsoring organization as part of the organizations’ policies or products subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code).

Additionally, should we receive CCPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to either charge a reasonable fee for taking the action requested or refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

If neither of the above situations apply to you and you are a California resident, you may exercise your rights under the CCPA as described below:

Right to Know: You have the right to request that ASH disclose what personal information we have collected, used, disclosed, and sold, including specific pieces of personal information, for the date range indicated by you for records dated on or after January 1, 2020.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “California Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your personal information and the specific pieces of your personal information we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “California Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Correct: You have the right to have inaccurate personal information we maintain about your corrected. To request this information, you may fill out this form to specify which information requires correction.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “California Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Correct by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Correct Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request. We may also deny the request, in whole or in part, if we determine the contested PI is more likely than not accurate based on the totality of circumstances. We may also deny a request if it involves the same alleged inaccuracy previously denied within the past 6 months should the request not provide new or additional documentation attempting to prove the inaccuracy. We may also deny a request if we have a good-faith, reasonable and documented belief the request is fraudulent or abusive.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Correct Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Delete: You have the right to request the deletion of your personal information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “California Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance with CCPA requirements.

A denial of a deletion request may occur if ASH requires the use of your personal information to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to comply with the California Electronic Communications Privacy Act, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

No Fee for Requests for Rights to Know/Access/Portability, Correct or Delete: ASH does not charge a fee to exercise these rights. However, should we receive CCPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

Right to Non-Discrimination: You have the right to exercise your privacy rights to know and to delete without facing discrimination of service or product offerings. Your use of Active&Fit Enterprise will remain the same whether you exercise your Right to Know or Right to Delete under the CCPA.

Right to Authorize an Agent: You have the right to authorize an agent to assist in exercising your California privacy rights on your behalf. To authorize an agent, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “California Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Authorize Agent by phone at 1-877-771-2746.

 

ASH will verify your request by matching information provided by you in the Right to Authorize an Agent Form to information housed in our internal systems.

Additionally, if you have provided your agent with Power of Attorney, you do not have to fill out our form but will need to provide a valid copy of the Power of Attorney documentation.

If we are unable to verify the request, we will deny the request and provide notice of such denial.

COLORADO RESIDENTS: YOUR COLORADO PRIVACY RIGHTS

The Colorado Privacy Act (“CPA”) provides Colorado residents with specific rights related to the collection, use and disclosure of their personal information by us.

While our privacy practices have adopted many of the CPA requirements across our program, this section discusses specific rights and elements applicable to persons who are Colorado residents at the time we collected, used or disclosed your personal information.

The CPA and the details noted here do not apply to situations where your personal information is collected, used or disclosed by us:

  1. Where in our capacity as a business associate of a covered entity, we collect or maintain your personal information in the same manner as protected health information in compliance with privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This may apply when your access to our program is made available to you as part of a health benefit plan operated by a plan sponsor who is a covered entity under the laws noted immediately above.
  2. Where your access to our program is made available to you through a sponsoring organization as part of the organizations’ policies or products subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations.

Additionally, should we receive CPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to either charge a reasonable fee for taking the action requested or refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

If neither of the above situations apply to you and you are a Colorado resident, you may exercise your rights under the CPA as described below:

Right to Know: You have the right to request that ASH disclose what personal information we have collected, used, disclosed, and sold.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Colorado Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your personal information we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Colorado Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above. If we deny your request, you have a right to appeal that decision. To appeal, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Colorado Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Colorado Attorney General.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Correct: You have the right to have inaccurate personal information we maintain about you corrected. To request this information, you may fill out this form to specify which information requires correction.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Colorado Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Correct by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Correct Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request. We may also deny the request, in whole or in part, if we determine the contested PI is more likely than not accurate based on the totality of circumstances. We may also deny a request if it involves the same alleged inaccuracy previously denied within the past 6 months should the request not provide new or additional documentation attempting to prove the inaccuracy. We may also deny a request if we have a good-faith, reasonable and documented belief the request is fraudulent or abusive.

If we deny your request, you have a right to appeal that decision. To appeal, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Colorado Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal, we will provide instructions for how you can submit a complaint with the Colorado Attorney General.

Right to Delete: You have the right to request the deletion of your personal information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Colorado Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address. If we deny your request, you have a right to appeal that decision. Our response to you will include instructions on how you can appeal the denial.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance with CPA requirements.

ASH may be unable to delete spouse/domestic partner account information related to account activity controlled by the Primary Account Holder.

A denial of a deletion request may occur if ASH requires the use of your personal information to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Colorado Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal, we will provide instructions for how you can submit a complaint with the Colorado Attorney General.

No Fee for Requests for Rights to Know/Access/Portability, Correct or Delete: ASH does not charge a fee to exercise these rights. However, should we receive CPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

Right to Non-Discrimination: You have the right to exercise your privacy rights to know and to delete without facing discrimination of service or product offerings. Your use of Active&Fit Enterprise will remain the same whether you exercise your Right to Know or Right to Delete under the CPA.

 

Right to Opt-Out of Targeted Advertising: ASH does not sell or knowingly share your Personal Information with third parties for non-permitted uses including direct marketing or targeted advertising (i.e., cross-context behavioral advertising). Colorado residents may send requests for information-sharing disclosure under this law by contacting us by email (HIPAA@ashn.com), phone 1-877-771-2746 or by mail at the address located in the contact section below. Please note that, under this law, we are not required to respond to your request more than twice in a calendar year, nor are we required to respond to any requests that are not sent to the designated email, phone number, or address.

CONNECTICUT RESIDENTS: YOUR CONNECTICUT PRIVACY RIGHTS

The Connecticut Data Protection Act (“CTDPA”) provides Connecticut residents with specific rights related to the collection, use and disclosure of their personal information by us.

While our privacy practices have adopted many of the CTDPA requirements across our program, this section discusses specific rights and elements applicable to persons who are Connecticut residents at the time we collected, used or disclosed your personal information.

The CTDPA and the details noted here do not apply to situations where your personal information is collected, used or disclosed by us:

  1. Where in our capacity as a business associate of a covered entity, we collect or maintain your personal information in the same manner as protected health information in compliance with privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This may apply when your access to our program is made available to you as part of a health benefit plan operated by a plan sponsor who is a covered entity under the laws noted immediately above.
  2. Where your access to our program is made available to you through a sponsoring organization as part of the organizations’ policies or products subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations.

Additionally, should we receive CTDPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to either charge a reasonable fee for taking the action requested or refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

If neither of the above situations apply to you and you are a Connecticut resident, you may exercise your rights under the CTDPA as described below:

Right to Know: You have the right to request that ASH disclose what personal information we have collected, used, disclosed, and sold.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Connecticut Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your personal information we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Connecticut Data Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year, the request is determined to be technically infeasible or unreasonably burdensome, or if your request is not submitted online or using the email, phone number, or address designated above. If we deny your request, you have a right to appeal that decision. To appeal, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Connecticut Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Connecticut Attorney General.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Correct: You have the right to have inaccurate personal information we maintain about you corrected. To request this information, you may fill out this form to specify which information requires correction.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Connecticut Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Correct by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Correct Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request. We may also deny the request, in whole or in part, if we determine the contested PI is more likely than not accurate based on the totality of circumstances. We may also deny a request if it involves the same alleged inaccuracy previously denied within the past 6 months should the request not provide new or additional documentation attempting to prove the inaccuracy. We may also deny a request if we have a good-faith, reasonable and documented belief the request is fraudulent or abusive.

If we deny your request, you have a right to appeal that decision. To appeal, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Connecticut Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal, we will provide instructions for how you can submit a complaint with the Connecticut Attorney General.

Right to Delete: You have the right to request the deletion of your personal information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Connecticut Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address. If we deny your request, you have a right to appeal that decision. Our response to you will include instructions on how you can appeal the denial.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance with CTDPA requirements.

ASH may be unable to delete spouse/domestic partner account information related to account activity controlled by the Primary Account Holder.

A denial of a deletion request may occur if ASH requires the use of your personal information to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Connecticut Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal, we will provide instructions for how you can submit a complaint with the Connecticut Attorney General.

Right to Revoke Consent: You have the right to revoke consent for processing your personal information by ASH.

To revoke consent, you may fill out this. form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Connecticut Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Revoke Consent by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Revoke Consent Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. If we deny your request you have a right to appeal that decision. Our response to you will include instructions on how you can appeal the denial.

If ASH is able to verify and grants your request, we will cease future processing of your personal information within 15 days of the request, in accordance with CTDPA requirements. Please note that revocation of consent to process personal information will result in certain features of the Active&Fit Enterprise Program and Active&Fit Enterprise Website no longer being available to you.

No Fee for Requests for Rights to Know/Access/Portability, Correct or Delete: ASH does not charge a fee to exercise these rights. However, should we receive CTDPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

Right to Non-Discrimination: You have the right to exercise your privacy rights to know and to delete without facing discrimination of service or product offerings. Your use of Active&Fit Enterprise will remain the same whether you exercise your Right to Know or Right to Delete under the CTDPA.

 

Right to Opt-Out of Targeted Advertising: ASH does not sell or knowingly share your Personal Information with third parties for non-permitted uses including direct marketing or targeted advertising (i.e., cross-context behavioral advertising). Connecticut residents may send requests for information-sharing disclosure under this law by contacting us by email (HIPAA@ashn.com), phone 1-877-771-2746 or by mail at the address located in the contact section below. Please note that, under this law, we are not required to respond to your request more than twice in a calendar year, nor are we required to respond to any requests that are not sent to the designated email, phone number, or address.

MONTANA RESIDENTS: YOUR MONTANA PRIVACY RIGHTS

The Montana Consumer Data Privacy Act (“MTCDPA”) provides Montana residents with specific rights related to the collection, use and disclosure of their personal information by us.

While our privacy practices have adopted many of the MTCDPA requirements across our program, this section discusses specific rights and elements applicable to persons who are Montana residents at the time we collected, used or disclosed your personal information.

The MTCDPA and the details noted here do not apply to situations where your personal information is collected, used or disclosed by us:

  1. Where in our capacity as a business associate of a covered entity, we collect or maintain your personal information in the same manner as protected health information in compliance with privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This may apply when your access to our program is made available to you as part of a health benefit plan operated by a plan sponsor who is a covered entity under the laws noted immediately above.
  2. Where your access to our program is made available to you through a sponsoring organization as part of the organizations’ policies or products subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations.

Additionally, should we receive MTCDPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to either charge a reasonable fee for taking the action requested or refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

If neither of the above situations apply to you and you are a Montana resident, you may exercise your rights under the OCPA as described below:

Your rights in relation to your information:

Right to Know: You have the right to request that ASH disclose what personal information we have collected, used, disclosed, and sold.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Montana Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your personal information we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Montana Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above. If we deny your request you have a right to appeal that decision. To appeal, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Montana Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Montana Attorney General.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Correct: You have the right to have inaccurate personal information we maintain about you corrected. To request this information, you may fill out this form to specify which information requires correction.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Montana Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Correct by phone at 1-877-771-2746. ASH will verify your request by matching information provided by you in the Right to Correct Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request. We may also deny the request, in whole or in part, if we determine the contested PI is more likely than not accurate based on the totality of circumstances. We may also deny a request if it involves the same alleged inaccuracy previously denied within the past 6 months should the request not provide new or additional documentation attempting to prove the inaccuracy. We may also deny a request if we have a good-faith, reasonable and documented belief the request is fraudulent or abusive.

If we deny your request you have a right to appeal that decision. To appeal, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Montana Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Montana Attorney General.

Right to Delete: You have the right to request the deletion of your personal information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Montana Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address. If we deny your request you have a right to appeal that decision. Our response to you will include instructions on how you can appeal the denial.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance with MTCDPA requirements.

A denial of a deletion request may occur if ASH requires the use of your personal information to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Montana Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Montana Attorney General.

No Fee for Requests for Rights to Know/Access/Portability, Correct or Delete: ASH does not charge a fee to exercise these rights. However, should we receive MTCDPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

Right to Non-Discrimination: You have the right to exercise your privacy rights to know and to delete without facing discrimination of service or product offerings. Your use of Active&Fit Enterprise will remain the same whether you exercise your Right to Know or Right to Delete under the MTCDPA.

Right to Authorize an Agent: You have the right to authorize an agent to assist in exercising your Montana privacy rights on your behalf. To authorize an agent, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Montana Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Authorize Agent by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Authorize an Agent Form to information housed in our internal systems.

 

Additionally, if you have provided your agent with Power of Attorney, you do not have to fill out our form but will need to provide a valid copy of the Power of Attorney documentation.

If we are unable to verify the request, we will deny the request and provide notice of such denial.

OREGON RESIDENTS: YOUR OREGON PRIVACY RIGHTS

The Oregon Consumer Privacy Act (“OCPA”) provides Oregon residents with specific rights related to the collection, use and disclosure of their personal information by us.

While our privacy practices have adopted many of the OCPA requirements across our program, this section discusses specific rights and elements applicable to persons who are Oregon residents at the time we collected, used or disclosed your personal information.

The OCPA and the details noted here do not apply to situations where your personal information is collected, used or disclosed by us:

  1. Where in our capacity as a business associate of a covered entity, we collect or maintain your personal information in the same manner as protected health information in compliance with privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This may apply when your access to our program is made available to you as part of a health benefit plan operated by a plan sponsor who is a covered entity under the laws noted immediately above.
  2. Where your access to our program is made available to you through a sponsoring organization as part of the organizations’ policies or products subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations.

Additionally, should we receive OCPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to either charge a reasonable fee for taking the action requested or refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

If neither of the above situations apply to you and you are a Oregon resident, you may exercise your rights under the OCPA as described below:

Your rights in relation to your information:

Right to Know: You have the right to request that ASH disclose what personal information we have collected, used, disclosed, and sold.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your personal information we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above. If we deny your request you have a right to appeal that decision. To appeal, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Oregon Attorney General.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Correct: You have the right to have inaccurate personal information we maintain about you corrected. To request this information, you may fill out this form to specify which information requires correction.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Correct by phone at 1-877-771-2746. ASH will verify your request by matching information provided by you in the Right to Correct Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request. We may also deny the request, in whole or in part, if we determine the contested PI is more likely than not accurate based on the totality of circumstances. We may also deny a request if it involves the same alleged inaccuracy previously denied within the past 6 months should the request not provide new or additional documentation attempting to prove the inaccuracy. We may also deny a request if we have a good-faith, reasonable and documented belief the request is fraudulent or abusive.

If we deny your request you have a right to appeal that decision. To appeal, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Oregon Attorney General.

Right to Delete: You have the right to request the deletion of your personal information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address. If we deny your request you have a right to appeal that decision. Our response to you will include instructions on how you can appeal the denial.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance with OCPA requirements.

A denial of a deletion request may occur if ASH requires the use of your personal information to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 45 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Oregon Attorney General.

Right to Revoke Consent: You have the right to revoke consent for processing your personal information by ASH.

To revoke consent, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Revoke Consent by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Revoke Consent Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. If we deny your request you have a right to appeal that decision. Our response to you will include instructions on how you can appeal the denial.

If ASH is able to verify and grants your request, we will cease future processing of your personal information within 15 days of the request, in accordance with OCPA requirements. Please note that revocation of consent to process personal information will result in certain features of the Active&Fit Enterprise Program and Active&Fit Enterprise Website no longer being available to you.

No Fee for Requests for Rights to Know/Access/Portability, Correct or Delete: ASH does not charge a fee to exercise these rights. However, should we receive OCPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

Right to Non-Discrimination: You have the right to exercise your privacy rights to know and to delete without facing discrimination of service or product offerings. Your use of Active&Fit Enterprise will remain the same whether you exercise your Right to Know or Right to Delete under the OCPA.

Right to Authorize an Agent: You have the right to authorize an agent to assist in exercising your Oregon privacy rights on your behalf. To authorize an agent, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Oregon Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Authorize Agent by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Authorize an Agent Form to information housed in our internal systems.

 

Additionally, if you have provided your agent with Power of Attorney, you do not have to fill out our form but will need to provide a valid copy of the Power of Attorney documentation.

If we are unable to verify the request, we will deny the request and provide notice of such denial.

TEXAS RESIDENTS: YOUR TEXAS PRIVACY RIGHTS

The Texas Data Privacy and Security Act (“TDPSA”) provides Texas residents with specific rights related to the collection, use and disclosure of their personal information by us.

While our privacy practices have adopted many of the TDPSA requirements across our program, this section discusses specific rights and elements applicable to persons who are Texas residents at the time we collected, used or disclosed your personal information.

The TDPSA and the details noted here do not apply to situations where your personal information is collected, used or disclosed by us:

  1. Where in our capacity as a business associate of a covered entity, we collect or maintain your personal information in the same manner as protected health information in compliance with privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This may apply when your access to our program is made available to you as part of a health benefit plan operated by a plan sponsor who is a covered entity under the laws noted immediately above.
  2. Where your access to our program is made available to you through a sponsoring organization as part of the organizations’ policies or products subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations.

Additionally, should we receive TDPSA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to either charge a reasonable fee for taking the action requested or refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

If neither of the above situations apply to you and you are a Texas resident, you may exercise your rights under the TDPSA as described below:

Your rights in relation to your information:

Right to Know: You have the right to request that ASH disclose what personal information we have collected, used, disclosed, and sold.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Texas Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your personal information we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Texas Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above. If we deny your request you have a right to appeal that decision. To appeal, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Texas Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Texas Attorney General.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Correct: You have the right to have inaccurate personal information we maintain about you corrected. To request this information, you may fill out this form to specify which information requires correction.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Texas Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Correct by phone at 1-877-771-2746. ASH will verify your request by matching information provided by you in the Right to Correct Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request. We may also deny the request, in whole or in part, if we determine the contested PI is more likely than not accurate based on the totality of circumstances. We may also deny a request if it involves the same alleged inaccuracy previously denied within the past 6 months should the request not provide new or additional documentation attempting to prove the inaccuracy. We may also deny a request if we have a good-faith, reasonable and documented belief the request is fraudulent or abusive.

If we deny your request you have a right to appeal that decision. To appeal, you may fill out this a href="https://go.ashcompanies.com/hubfs/Privacy/TXRequesttoAppeal.pdf">form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Texas Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Texas Attorney General.

Right to Delete: You have the right to request the deletion of your personal information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Texas Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address. If we deny your request you have a right to appeal that decision. Our response to you will include instructions on how you can appeal the denial.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance with TDPSA requirements.

A denial of a deletion request may occur if ASH requires the use of your personal information to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Texas Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Texas Attorney General.

No Fee for Requests for Rights to Know/Access/Portability, Correct or Delete: ASH does not charge a fee to exercise these rights. However, should we receive TDPSA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

Right to Non-Discrimination: You have the right to exercise your privacy rights to know and to delete without facing discrimination of service or product offerings. Your use of Active&Fit Enterprise will remain the same whether you exercise your Right to Know or Right to Delete under the TDPSA.

Right to Authorize an Agent: You have the right to authorize an agent to assist in exercising your Texas privacy rights on your behalf. To authorize an agent, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Texas Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Authorize Agent by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Authorize an Agent Form to information housed in our internal systems.

 

Additionally, if you have provided your agent with Power of Attorney, you do not have to fill out our form but will need to provide a valid copy of the Power of Attorney documentation.

If we are unable to verify the request, we will deny the request and provide notice of such denial.

UTAH RESIDENTS: YOUR UTAH PRIVACY RIGHTS

The Utah Consumer Privacy Act (“UCPA”) provides Utah residents with specific rights related to the collection, use and disclosure of their personal information by us.

While our privacy practices have adopted many of the UCPA requirements across our program, this section discusses specific rights and elements applicable to persons who are Utah residents at the time we collected, used or disclosed your personal information.

Your rights in relation to your information:

Right to Know: You have the right to request that ASH disclose what personal information we have collected, used, disclosed, and sold.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Utah Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your personal information we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Utah Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Delete: You have the right to request the deletion of your personal information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Utah Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance with UCPA requirements.

ASH may be unable to delete spouse/domestic partner account information related to account activity controlled by the Primary Account Holder.

A denial of a deletion request may occur if ASH requires the use of your personal information to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

No Fee for Requests for Rights to Know/Access/Portability or Delete: ASH does not charge a fee to exercise these rights. However, should we receive UCPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

Right to Non-Discrimination: You have the right to exercise your privacy rights to know and to delete without facing discrimination of service or product offerings. Your use of Active&Fit Enterprise will remain the same whether you exercise your Right to Know or Right to Delete under the UCPA.

 

Right to Opt-Out of Targeted Advertising: ASH does not sell or knowingly share your Personal Information with third parties for non-permitted uses including direct marketing or targeted advertising (i.e., cross-context behavioral advertising). Utah residents may send requests for information-sharing disclosure under this law by contacting us by email (HIPAA@ashn.com), phone (877) 771-2746 or by mail at the address located in the contact section below. Please note that, under this law, we are not required to respond to your request more than twice in a calendar year, nor are we required to respond to any requests that are not sent to the designated email, phone number, or address.

VIRGINIA RESIDENTS: YOUR VIRGINIA PRIVACY RIGHTS

The Virginia Consumer Data Protection Act (“VCDPA”) provides Virginia residents with specific rights related to the collection, use and disclosure of their personal information by us.

While our privacy practices have adopted many of the VCDPA requirements across our program, this section discusses specific rights and elements applicable to persons who are Virginia residents at the time we collected, used or disclosed your personal information.

The VCDPA and the details noted here do not apply to situations where your personal information is collected, used or disclosed by us:

  1. Where in our capacity as a business associate of a covered entity, we collect or maintain your personal information in the same manner as protected health information in compliance with privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). This may apply when your access to our program is made available to you as part of a health benefit plan operated by a plan sponsor who is a covered entity under the laws noted immediately above.
  2. Where your access to our program is made available to you through a sponsoring organization as part of the organizations’ policies or products subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations.

Additionally, should we receive VCDPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to either charge a reasonable fee for taking the action requested or refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

If neither of the above situations apply to you and you are a Virginia resident, you may exercise your rights under the VCDPA as described below:

Your rights in relation to your information:

Right to Know: You have the right to request that ASH disclose what personal information we have collected, used, disclosed, and sold.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Virginia Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Know by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Access and Portability: You have the right to receive a copy of your personal information we maintain in an easily readable electronic format. To request this information, you may fill out this form and select the option to receive a copy of the associated data.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Virginia Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Access and Portability by phone at 1-877-771-2746.

ASH will verify your request by matching information provided by you in the Right to Know and Access Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request and provide only general information about the type of personal information we process as outlined in this document. ASH may also deny requests if you submit the Right to Know and Access Form more than twice in a calendar year or if your request is not submitted online or using the email, phone number, or address designated above. If we deny your request you have a right to appeal that decision. To appeal, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Virginia Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Virginia Attorney General.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Know and Access Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

Right to Correct: You have the right to have inaccurate personal information we maintain about you corrected. To request this information, you may fill out this form to specify which information requires correction.

You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Virginia Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Correct by phone at 1-877-771-2746. ASH will verify your request by matching information provided by you in the Right to Correct Form to information housed in our internal systems.

If we are unable to verify the request, we will deny the request. We may also deny the request, in whole or in part, if we determine the contested PI is more likely than not accurate based on the totality of circumstances. We may also deny a request if it involves the same alleged inaccuracy previously denied within the past 6 months should the request not provide new or additional documentation attempting to prove the inaccuracy. We may also deny a request if we have a good-faith, reasonable and documented belief the request is fraudulent or abusive.

If we deny your request you have a right to appeal that decision. To appeal, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Virginia Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Virginia Attorney General.

Right to Delete: You have the right to request the deletion of your personal information collected or maintained by the ASH.

To request this information, you may fill out this form. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Virginia Privacy Rights” or by mailing said form to our address below. You may also utilize your Right to Delete by phone at 1-877-771-2746.

ASH will verify your request in a two-step verification process. First, ASH will match information provided by you in the Right to Delete Form to information housed in our internal systems. Second, ASH will contact you to verify your identity and confirm your request, such contact may be made by phone or email.

If we are unable to verify the request, we will deny the request and provide notice of such denial. ASH may also deny requests if you submit the Right to Delete Form more than twice in a calendar year or if your request is not sent to the designated email, phone number, or address. If we deny your request you have a right to appeal that decision. Our response to you will include instructions on how you can appeal the denial.

ASH will grant, deny, or respond to a request within 45 days of receipt of the Right to Delete Form. If an extension of time (up to a maximum of 90 days) is required, we will notify you and provide additional information about the process.

In response to your request, ASH may deny or grant your request. If ASH grants your request, we will notify you as to which of the following methods We have used to fulfill your request. We may do one of the following: (1) permanently delete your information from our systems; (2) deidentify your information; or (3) aggregate your information in accordance with VCDPA requirements.

A denial of a deletion request may occur if ASH requires the use of your personal information to complete a transaction or provide services on your behalf, to detect security incidents and prosecute those responsible, to debug and repair errors that impair existing functionality, to exercise free speech or allow you to exercise free speech or any other right, to engage in public or peer-reviewed research with informed consent if deletion would seriously impair the achievement of such research, to enable solely internal uses that are reasonably aligned with the business relationship between you and ASH, or to comply with a legal obligation.

To appeal a denial, you may fill out this form to specify which information requires correction. You may submit this form by emailing us at the following email: HIPAA@ashn.com with the subject line “Virginia Privacy Rights” or by mailing said form to our address below. You may also call 1-877-771-2746. We will reply to your appeal in writing within 60 days of receipt. If we deny your appeal we will provide instructions for how you can submit a complaint with the Virginia Attorney General.

No Fee for Requests for Rights to Know/Access/Portability, Correct or Delete: ASH does not charge a fee to exercise these rights. However, should we receive VCDPA-related requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we reserve the ability to refuse to act on the request. If we refuse your request on this basis, we will notify you of the reason why.

Right to Non-Discrimination: You have the right to exercise your privacy rights to know and to delete without facing discrimination of service or product offerings. Your use of Active&Fit Enterprise will remain the same whether you exercise your Right to Know or Right to Delete under the VCDPA.

 

Program Contact Information

Questions and requests may be submitted through the Contact Us page of the Active&Fit Enterprise Website, or using the following contact information:

U.S. Mail

Active&Fit Enterprise Customer Service
P.O. Box 509117
San Diego, CA 92150-9117

By Phone

1-877-771-2746, 5 am to 6 pm Pacific Time, Monday through Friday (except for federal holidays).

E-mail

fitnessservice@ashn.com

If you need assistance with or require this Privacy Statement in an alternative format, please contact us at 1-877-771-2746.

Privacy and Security Contact Information

ASH has a designated Privacy Officer and an Information Security Officer to oversee our privacy and security programs. You may direct questions about these programs to these individuals by either calling 1-877-427-4766 or emailing HIPAA@ashn.com.

Use of this Website is governed by the Active&Fit Enterprise Terms and Conditions.