Evernorth Website and Mobile Application Privacy Notice

Last Updated: 11/22/2024, Version: 2.1

Introduction

This Privacy Notice ("Notice") applies to Personal Information collected through the Evernorth Health, Inc. (“Evernorth,” “we,” “us,” or “our”) or affiliated website or mobile application on which it is posted, unless otherwise modified by another notice. We refer to these websites and mobile applications as “Services” throughout this Notice. Please note that this Privacy Notice may supplement, or be superseded by, other applicable policies, practices, and notices that may relate to the specific relationship you have with Evernorth or the particular Services you are using.

By using our Services and/or providing us your Personal Information, you acknowledge the terms of this Notice and those within our Terms of Use as well as any applicable Site Specific Terms of Use related to the specific Service being accessed. 

Please note that this Notice does not apply to job applicants and candidates who apply for employment with us or to employees in the context of our working relationship with them. It also does not apply to information that is exempted by another law, including the Health Insurance Portability and Accountability Act (“HIPAA”) as described below. 

Health Information 

In some circumstances, our collection and use of Personal Information will be subject to the requirements of the HIPAA. Identifiable information for patients or members and related to their care or payment for care will be treated as protected health information (“PHI”) under HIPAA, at which point the terms of the applicable HIPAA Notice of Privacy Practices will apply and will supersede this notice.

In providing Services, many Evernorth affiliates act as “business associates,” a type of contractor under HIPAA, acting on behalf of certain health plans and other HIPAA “covered entities” or business associates. In either case, your health plan is responsible for providing you with a HIPAA Notice of Privacy Practices, and you may request a copy of that document from your health plan directly.

In other circumstances, certain Evernorth affiliates act as covered entities under HIPAA and provide services directly. Patients of Evernorth Care Group and Evernorth Behavioral Care Group should visit our Privacy Menu  page to access the Notices of Privacy Practices for those entities. 

Table of Contents

• Our Information Practices
  • Personal Information We Collect
  • How We Use Personal Information
  • How We Disclose Personal Information
• Cookies, SDKs, and Other Tracking Technologies
  • Cookies and Other Technologies
  • Tracking and Advertising Choices
• State-Specific Disclosures
  • Rights for Residents of Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Tennessee, Utah, and Virginia
  • California Privacy Rights
• Additional Information
  • Changes to this Privacy Notice
  • Links to Other Websites 
  • Our Online Privacy Notice for Children
  • Contacting Us

Our Information Practices

Personal Information We Collect

We may collect information that describes or relates to you and is classified as Personal Information or Personal Data under applicable state laws (collectively, “Personal Information”). Personal Information does not include:

• Publicly available information as defined under applicable state laws.
• Deidentified or aggregated information as defined under applicable state laws.
• Other information excluded from the applicable state laws, including but not limited to Personal Information governed by HIPAA or the Gramm Leach Bliley Act.

In the past 12 months, we may have collected the following categories of Personal Information:

• Identifiers such as name, contact information, online identifiers, and government-issued ID numbers;
• Characteristics of Protected Classifications under state or federal law such as age and medical conditions;
• Commercial Information such as transaction information and purchase history;
• Internet or Network Activity Information such as browsing history, interactions with our website, Internet Protocol (IP) address, Media Access Control (MAC) address; operating system and version; Internet browser type and version (for more information, see the Cookies and Other Tracking Technologies section, below);
• Geolocation Data such as device location;
• Audio, Electronic, Visual and Similar Information such as call and video recordings; and
• Professional or Employment-Related Information such as place of employment and job title.

We may collect this Personal Information directly from you and automatically when you use our Services. We also may collect this Personal Information from our affiliates, vendors, joint marketing partners, and social media platforms.      

How We Use Personal Information

To the extent we collect your Personal Information as described above, we may use your Personal Information for the following purposes:

• Services and Support. To provide and operate our Services, communicate with you about your use of the Services, provide you with information about our Services, including information about health care, health related services, resources and benefits that will help you manage your health; sending administrative information to you, such as changes to our terms, conditions, and policies; provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments and claims, communicate with you about the Services, complete transactions, and provide quotes;
• Customization and Personalization. To tailor content we may send or display on the Services, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences;
• Marketing and Advertising. For marketing and advertising purposes. For example, to send you information about our Services, such as offers, promotions, newsletters, and other marketing content, as well as any other information that you sign up to receive. We also may use certain information we collect to manage and improve our advertising campaigns so that we can better reach people with relevant content;
• Analytics and Improvement. To better understand how users access and use the Services, and our other products and offerings, and for other research and analytical purposes, such as to evaluate and improve our Services and business operations, to develop services and features, and for internal quality control and training purposes;
• Research and Surveys.; To administer surveys and questionnaires, such as for market research or member satisfaction purposes;
• Infrastructure. To maintain our facilities and infrastructure and undertake quality and safety assurance measures;
• Authentication. To authenticate or confirm your identity; 
• Security and Protection of Rights. To protect the Services and our business operations; to protect our rights or those of our stakeholders; to prevent and detect fraud, unauthorized activities and access, and other misuse; conduct risk and security control and monitoring; where we believe necessary, to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our Terms of Use and/or any additional terms specific to the Services;
• Compliance and Legal Process. To comply with the law and our legal obligations, to respond to legal process and related to legal proceedings;
• General Business and Operational Support. To consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions; and
• Business Transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business accounting, recordkeeping, and legal functions.

We retain the Personal Information we collect as long as reasonably necessary for the purposes described above or otherwise disclosed to you at the time of collection. For example, we will retain your account data for as long as you have an active account with us, as well as an additional period of time as necessary to protect, defend or establish our rights, defend against potential claims, or comply with our legal obligations.

How We Disclose Personal Information

To the extent we collect your Personal Information as described above, we may disclose Personal Information for the following purposes:

• Operating the Services and Providing Related Support. To provide and operate our Services, communicate with you about your use of the Services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, and for similar service and support purposes.
• Business Transfers. If we or our affiliates are or may be acquired by, merged with, or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected from you to the other company. As part of the business transfer process, we may share certain of your Personal Information with lenders, auditors, and third-party advisors, including attorneys and consultants.
• In Response to Legal Process. We may disclose your Personal Information to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena.
• To Protect You, Ourselves, and Others. We disclose your Personal Information when we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use, any additional terms specific to the Services, or this Notice, or as evidence in litigation in which we are involved.

We may disclose the Personal Information that we collect for the purposes described above with the following parties:

• Vendors. We may disclose Personal Information we collect to our service providers or agents who perform functions on our behalf. These may include, for example, IT service providers, help desk, payment processors, analytics providers, consultants, auditors, legal counsel, and platform providers who provide our SMS service.
• Our Affiliates. We may disclose Personal Information we collect to our affiliates or subsidiaries.
• Our Business Customers. Any Personal Information that we collect and process on behalf of a business client will be disclosed as directed by that business customer. 
• Third-Party Ad Networks and Providers. We may disclose Personal Information to third-party ad network providers, sponsors and/or traffic measurement services. These third parties may use cookies, JavaScript, web beacons (including clear GIFs), and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These third-party cookies and other technologies are governed by each third party's specific Privacy Notice, not this one. To exercise your choices about receiving third-party ads, see the “Tracking and Advertising Choices” section below.
• Government or Public Authorities. We may disclose Personal Information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our Services, (d) to protect the property, rights, and safety of us, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.

When we obtain consent to text you, we will only use your data within the scope of the consent obtained.

Cookies, SDKs, and Other Tracking Technologies 

We may use cookies, SDKs, tags, and other tracking mechanisms to track information about your use of our Services, and to provide, customize, evaluate, and improve our Services.

Cookies and Other Technologies

A cookie is a small alphanumeric identifier that is placed on your website browser when you visit a website. Cookies are transferred to your device’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Services, while others are used to allow us to track your activities at our Services. Software Development Kits (SDKs) are programming packages that allow us to develop our Services. Certain SDKs allow us to track and measure certain data about the way users interact with our mobile apps. Below are descriptions of the types of tracking technologies our Services may employ.

• Session Cookies. Session cookies exist only during an online session. They disappear from your device when you close your browser or turn off your device. We use session cookies to allow our systems to uniquely identify you during a session while accessing our Services. This allows us to display content and provide our Services to you while navigating our Site.
• Persistent Cookies. Persistent cookies remain on your device after you have closed your browser or turned off your device. We use persistent cookies to track statistical information about user activity.
• Clear GIFs, Pixel Tags and Other Technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (a.k.a. web beacons, web bugs or pixel tags), in connection with our Services to, among other things, track activities of Site visitors, and to help us manage content on our Services.
• Third-Party Analytics. We use third-party tools, which are operated by third-party companies, to evaluate usage of our Services. These third-party analytics companies use cookies, pixels, and other tracking technologies to collect usage data about our Services to provide us with reports and metrics that help us evaluate usage of our Services, improve our Services, and enhance performance and user experiences.
• Third Party Advertising. We work with third-party ad networks, analytics, marketing partners, and others (“third-party ad companies”) to personalize content and display advertising within our Services, as well as to manage our advertising on third-party websites. We and these third-party ad companies may use cookies, pixels tags, and other tools to collect browsing and activity information within our Services (as well as on third-party websites and services), as well as IP address, unique ID, cookie and advertising IDs, and other online identifiers. We and these third-party ad companies use this information to provide you more relevant ads and content within our Services and on third-party websites, and to evaluate the success of such ads and content.
• Session Replay. We use session replay technologies so we can diagnose problems with our Services and identify areas for improvement. The data collected by this technology is not accessible by or shared with third parties or service providers.

Tracking and Advertising Choices

If you wish to prevent cookies from tracking your activity on our websites or visits across multiple websites, there are tools you can use to disable cookies and opt out of interest-based advertising.

• Browser Solutions for Disabling Cookies. If you wish to prevent cookies from tracking your activity on our website or visits across multiple websites, you can set your browser to block certain cookies or notify you when a cookie is set. The Help portion of the toolbar on most browsers will tell you how to prevent your device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Services who disable cookies will be able to browse the Services, but some features may not function.
• Industry Solutions for Opting Out of Interest-Based Advertising. Notwithstanding the above, you may follow the steps provided by initiatives that educate users on how to set tracking preferences for most online advertising tools. These resources include the Network Advertising Initiative (https://thenai.org/about-online-advertising/) and the Digital Advertising Alliance (https://digitaladvertisingalliance.org/). 

Note, your opt out may not be effective if your browser is configured to reject cookies. Opting out of participating third party ad networks does not opt you out of being served advertising. You may continue to receive generic or “contextual” ads on our Services. You may also continue to receive targeted ads on other websites, from companies that do not participate in the above programs.

We are not responsible for the completeness, effectiveness, or accuracy of any third-party opt-out options or programs.

State-Specific Disclosures

Residents of certain jurisdictions have additional rights under applicable privacy laws. The first subsection below describes the rights created by the state privacy laws that are currently effective or will take effect in 2025. If you are a resident of California, please refer to the “California Privacy Rights” subsections below. 

Rights for Residents of Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Tennessee, Utah, and Virginia

The list below describes the rights available under the Colorado Privacy Act; Connecticut Data Protection Act; Delaware Personal Data Privacy Act; Iowa Consumer Data Protection Act; Maryland Online Data Privacy Act (effective October 2025); Minnesota Consumer Data Privacy Act (effective July 2025); Montana Consumer Data Privacy Act; Nebraska Data Privacy Act; New Hampshire Privacy Act; New Jersey Data Protection Act; Oregon Consumer Privacy Act; Texas Data Privacy and Security Act; Tennessee Information Privacy Act (effective July 2025); the Utah Consumer Privacy Act; and the Virginia Consumer Data Protection Act.

• Right to Access: You have the right to confirm whether or not we are processing your Personal Information and to access such Personal Information.
• Right to Correction: You have the right to correct inaccuracies in your Personal Information, taking into account the nature of the Personal Information and the purposes of the processing of your Personal Information.
• Right to Deletion: You have the right to delete the Personal Information provided to us by you.
• Right to Data Portability: You have the right to obtain a copy of the Personal Information that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Information to another controller without hindrance, where the processing is carried out by automated means. 
• Right to Opt-Out of Sales, Targeted Advertising, and Profiling: For purposes of the applicable state laws, a “sale” includes disclosing Personal Information to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Some states provide a  right to opt out of the automated processing of your Personal Information by us for decisions that produce legal or similarly significant effects concerning you, but we do not process Personal Information for such profiling. To opt out of targeted advertising, please click on the Opt-Out Link on the bottom of the website homepage. 
• Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. Note that Utah law does not provide a right to appeal.

If any of the rights described above apply to you, you may make a request by filling out our form at Privacy Web Form (onetrust.com) or mail us at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office. Please indicate that you are making a request pursuant to your “[State] Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records.

California Privacy Rights

Under the CCPA, California residents have the right to receive certain disclosures regarding our information practices related to “Personal Information,” as defined under the CCPA. To the extent you are a resident of California, and we collect Personal Information subject to CCPA, the following applies.

Disclosures to Third Parties

This section relates to our third-party disclosures. We may disclose Personal Information to service providers, as described above in this Notice. We also may disclose the Personal Information we collect (as described above) to the following categories of third parties.

• Third party analytics providers
• Regulators, government entities, and law enforcement
• Affiliates and subsidiaries

Additionally, CCPA defines a "sale" as disclosing or making available to a third-party Personal Information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available Personal Information to a third party for purposes of cross-context behavioral advertising. While we do not disclose Personal Information to third parties in exchange for monetary compensation, we may “sell” or “share” (as defined by the CCPA) identifiers and internet and electronic network activity information to third parties. We do so to improve and evaluate our advertising campaigns and better reach customers and prospective customers with more relevant ads and content. As described in the Cookies and Other Technologies section above, although we also use session replay technologies to record users’ interactions with the Services, this data is not accessible by or shared with third parties or service providers.

We do not sell or share any Personal Information about individuals who we know are under sixteen (16) years old.

Your CCPA Rights

To the extent you are a resident of California, you may have the following rights to your Personal Information:

• Right to Access: With respect to the Personal Information we have collected about you in the prior 12 months, you have the right to request from us (up to twice per year and subject to certain exemptions): (i) categories of Personal Information about you we have collected; (ii) the sources from which we have collected that Personal Information; (iii) our business or commercial purposes for collecting, selling, or disclosing that Personal Information; (iv) the categories of third parties to whom we have disclosed that Personal Information; and (v) a copy of the specific pieces of your Personal Information we have collected.
• Right to Correct: You have the right to request that we correct inaccuracies in your Personal Information.
• Right to Delete: Subject to certain conditions and exceptions, you may have the right to request deletion of Personal Information that we have collected about you. 
• Right to Opt-Out of Sale/Sharing: You may have the right to opt-out of the “sale” or “sharing” of your Personal Information.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of the rights described in this section.
• Authorized Agent: You may designate someone as an authorized agent to submit requests and act on your behalf. To do so, you must provide us with written permission to allow the authorized agent to act on your behalf.

In order to opt out of sharing information for targeted marketing, if applicable, please click on the Opt-Out Link titled “Do Not Sell or Share My Personal Information” on the bottom of the website homepage. To make a request for the other rights described above, please fill out our form at Privacy Web Form (onetrust.com) write to us at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office, or contact us toll-free at the number on the back of your member ID card or customer service at 877-279-6391. Please indicate you are making a request pursuant to your “California Privacy Rights.” You must provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your request or, where necessary, to process your request. If we are unable to adequately verify a request, we will notify the requestor. If we are unable to adequately verify a request, we will notify the requestor.

Additional Information

Changes to this Privacy Notice

The Notice is current as of the date set forth above. We may change, update, or modify this Notice from time to time, so please be sure to check back periodically. We will post any updates to this Notice here. A different version number and/or updated date indicates that a change has been made. If we make any changes to this Notice that materially affect our practices regarding our use of the personal information we previously collected, we will endeavor to provide you with notice, such as by posting prominent notice on our website.

Links to Other Websites

Our Services may contain links to unaffiliated websites. Any access to and use of such linked websites is not governed by this Privacy Notice, but instead is governed by the privacy policies of those websites. We are not responsible for the information practices of such websites, including their collection of your personal information. You should review the privacy policies and terms for any third parties before proceeding to those websites or using those features.

Our Online Privacy Notice for Children

Our Services are designed for a general audience and are not directed to children under the age of 13. We do not knowingly collect personal information online f3. rom any person we know to be under the age of 13. If we discover that a child under 13 has provided us with information, we will delete such information from our systems. If you believe we have impermissibly collected personal information from someone under the age of 13, please contact us using the information below.

Contacting Us

If you have any questions about this Privacy Notice, please contact us by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office or call us toll-free at 877-279-6391.