Strong relationships are built on trust.

At HealthFitness, we want to earn your trust by informing you of the personal information we collect from you, the purposes for which we collect that information, the types of parties we share it with, the measures we take to protect your information, and the rights and choices you have with respect to the information we process about you. We encourage you to read through the privacy notice (“Notice”) to learn more about our privacy practices.

If you have any questions about our privacy practices, you may contact us at the following address:
Health Fitness Corporation
Privacy Request
Attn: Privacy Office
PO Box 7961
Lake Forest, IL 60045-7961
Email: privacysecurityoffice@trustmarkbenefits.com

Privacy Notice

Last Updated: December 29, 2022

This Notice is issued on behalf of Health Fitness Corporation* (“HealthFitness”, “we”, “our”, “us”) and provides specific information about how we collect, use, share, retain, and protect personal information through the offering of, applying for, and enrolling in “HealthFitness Products”, including the use of our websites or mobile applications (“Online Platforms”).

Personal information, also known as “personal data” or “personally identifiable information”, is any information about, or that can reasonably be expected to be related to, associated with, or linked directly or indirectly to an identifiable individual.  Personal information does not include data that has been rendered in such a way that the individual is not or no longer identifiable.

HealthFitness will only process your personal information for the purposes described within this Notice. We do not sell your personal information to third parties, and we do not allow third parties to use the personal information we provide to them to offer you their products or services.

Depending on where you live, you may have additional rights afforded to you. Please review the U.S. state-specific information and privacy rights or International resident information and privacy rights sections below for more information.

*This Notice does not apply to Trustmark Mutual Holding Company and its subsidiaries, Midtown Health, LLC, or PFT Employee Benefits Solutions, Inc. which have their own privacy notices.

For the purposes of this Notice, “HealthFitness Products” include, but are not limited to:

  • Group fitness (in-person or virtual)
  • Personal and small group training (in-person or virtual)
  • Recreation sports and activities
  • Challenges (in-person or virtual)
  • Injury prevention and early intervention services, including ergonomics and line-side coaching (on-site, virtual, and digital)
  • Treatment with physical, occupational and massage therapy
  • Health Coaching (on-site, virtual, and digital)
  • Nutrition services (on-site, virtual, and digital)
  • Mental health education services
  • Benefits advocacy
  • Screenings or immunizations
  • Education (seminars, meet ups and series classes)
  • Wellness services
  • Communications about products
  • Registering for or participating in events, classes, and other activities offered either directly with HealthFitness or HealthFitness acting as a service provider for your employer, community center, or their authorized representatives (“Clients”). When HealthFitness acts as a service provider, data collection and privacy practices may depend on a Client’s contractual requirements.  

This Notice will address the following:

  1. The categories of personal information we collect
  2. Purposes for processing personal information
  3. Sharing your personal information
  4. Data Retention
  5. How we protect your personal information
  6. U.S. state-specific information and privacy rights
  7. How to submit a privacy rights request under U.S. state law
  8. International resident information and privacy rights
  9. Online Platforms and Cookie Policy
  10. Changes to our Notice
  11. How to contact us

The categories of personal information we collect

The personal information we collect depends upon things such as the nature of our relationship, the method by which you communicate with us, and the type of HealthFitness Product you have or use. We only collect personal information as required or permitted by law, and only to the extent necessary to fulfill the purpose for collection.

The tables below describe the categories of personal information that we may collect and that we have collected from individuals in the previous twelve (12) months.

From members/participants
For example, when you engage in our products or services, such as when you apply for, enroll in, and/or participate in HealthFitness Products directly or through a Client.
 
Personal identifiers or records.
  • Such as name, alias, postal address, telephone number, email address, date of birth, gender, physical description, your signature, unique personal identifiers such as Social Security numbers or employee IDs, payment information (bank account number, credit or debit card numbers), medical information (including health risk status and other health/wellness-related information), or health insurance information.
  • Categories of sources:
    • Directly from you.
    • From our Client (i.e., your employer).
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Protected classification characteristics.
  • Such as gender or pregnancy.
  • Categories of sources:
    • Directly from you.
    • From our Client (i.e., your employer).
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Commercial information.
  • Such as payment history or voluntary questionnaires, survey responses, and feedback.
  • Categories of sources:
    • Directly from you.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Internet or other similar network activity.
  • Such as Internet Protocol (IP) addresses, browser type, internet service provider (ISP), device identifier, device type, operating system versions, or clickstream data.
  • Categories of sources:
    • Directly from you.
    • Indirectly from you by observing your actions through our websites or mobile applications. See our Online Platforms and Cookies Policy for more information.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Geolocation data.
  • Such as device location or location data when allowing the use of certain functionalities through applications.
  • Categories of sources:
    • Directly from you.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Sensory data.
  • Such as audio or video recordings or photographs.
  • Categories of sources:
    • Directly from you.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Professional or employment-related information.
  • Such as employment history or employer name.
  • Categories of sources:
    • Directly from you.
    • From our Client (i.e., your employer).
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Health information.
  • Such as your current and past fitness level/habits, injuries, health status, nutrition, sleep, motivation level, overall well-being, health goals, as well as measurements including, but not limited to, blood pressure, heart rate, cholesterol levels, blood sugar, etc.
  • Categories of sources:
    • Directly from you.
    • From third parties you authorize us to collect from.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

From B2B contacts
For example, when you have a business relationship with us, such as when you interact with us as an employee or contact person of one of our Clients or when you interact with us when providing your services to us as a vendor.
 
Personal identifiers or records.
  • Such as name, postal address, email address, telephone number, government or taxpayer identification number, or signature.
  • Categories of sources:
    • Directly from you.
    • From your employer.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Commercial information.
  • Such as voluntary questionnaires, survey responses or feedback, assessments, or audits.
  • Categories of sources:
    • Directly from you.
    • From your employer.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Internet or other similar network activity.
  • Such as Internet Protocol (IP) addresses, browser type, internet service provider (ISP), device identifier, device type, operating system versions, or clickstream data.
  • Categories of sources:
    • Directly from you.
    • Indirectly from you by observing your actions through our websites or mobile applications. See our Online Platforms and Cookies Policy for more information.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Sensory data.
  • Such as information collected through call recordings, recorded meetings, or CCTV footage on company premises.
  • Categories of sources:
    • Directly from you.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Professional or employment-related information.
  • Such as job title, role, company name, occupation, or other related information.
  • Categories of sources:
    • Directly from you.
    • From your employer.
    • From publicly available sources.
  • Disclosed for a business purpose? Yes
  • Sold or shared with third party so they can market to you? No

Purposes for processing personal information

As further detailed throughout this Notice, to the extent permitted by applicable law, we may use your personal information for the following purposes:
  • To operate, manage, and maintain our business including performing necessary and appropriate internal functions such as accounting, auditing, risk management, information technology and security, legal, compliance, and records maintenance.
  • To comply with our legal and regulatory obligations, or to respond to a subpoena or court order.
  • To fulfill our contractual obligations as a data processor.
  • To resolve disputes.
  • To help maintain the safety, security, and integrity of our products and services, websites, databases and other technology assets, and business.
  • As necessary or appropriate to protect the rights, property, or safety of us, our clients, or others.
  • To improve our existing websites, applications, products, and services.
  • For the research and development of new products, services, and functionalities.
  • To prepare for and complete corporate transactions, such as a merger, acquisition, financing, bankruptcy or other sale of all or a portion of our assets or that of a Trustmark group entity; investments by or in HealthFitness or other Trustmark group entities, or reorganization of assets or operations.
For our B2B contacts, we additionally process this personal information for the following purposes:
  • For our Client contacts, to perform our contractual obligations to your employer, communicate with you and your employer about our products and services, answer questions and other requests from you, provide customer support, and communicate with you and your employer about business opportunities, including new products or services and other information we think may be of interest to you.
  • For vendor contacts, to manage our contracts with your employer, to ensure we are receiving products or services appropriately and on terms most beneficial to us, for vendor management purposes, including vendor risk management.
  • To facilitate transactions and payments.
  • To operate and expand our business activities and evaluate, develop, and improve the quality of our products and services.
For members/participants, we additionally process personal information for the following purposes:
  • To provide you with HealthFitness Products you requested directly, or under an agreement established with a Client, or reasonably anticipated within the context of our ongoing relationship.
  • To provide you with support and to respond to your inquiries or requests, including to investigate and address your concerns.
  • To facilitate transactions and payments.
  • To verify your identity for security purposes.
  • To create, maintain, customize, and secure user accounts on our platforms or applications.
  • To tailor and improve our services to you, for analytics, and to improve functionalities.
  • To engage in customized outreach regarding products and services you or the Client have requested, are eligible to receive, but are not currently utilizing, or may be of interest to you.
  • To ensure your physical safety or otherwise inform health personnel in cases of medical emergency.
  • For other purposes for which we obtain your consent.

Sharing your personal information

To the extent permitted by applicable law, we may share your personal information with the following categories of data recipients. We do not share your personal health information with any data recipients without your explicit consent. However, we may share personal health information in cases of emergency, where you are unable to provide consent and the disclosure is necessary to protect your life.

Our Clients
We may share personal information through agreements with Clients who deliver HealthFitness Products. Clients may include your employer, plan sponsors, your community center, or other business entity.

Service providers
We may share personal information with service providers that perform services on our behalf, and with whom we have a contractual relationship and are bound to keep your personal information confidential and use it only for the purposes for which we disclose it to them. We may also share personal information through agreements with our Clients’ service providers.

Fitness or healthcare personnel
We may share personal information with fitness or healthcare personnel in furtherance of HealthFitness Products, or where it is necessary to protect your life.

Authorized parties
We may share personal information with third parties that you affirmatively authorize, or direct us to share with, or as otherwise permitted by law.

Regulatory bodies
We may share personal information with regulators, licensing authorities, law enforcement authorities, or tax authorities.

HealthFitness’ parent company or affiliated companies of Trustmark Benefits
We may share personal information with HealthFitness’ parent company, Trustmark Benefits, or other companies affiliated with Trustmark Benefits.

Successor companies
We may share personal information with another entity acquiring all, or a portion of, our business. The information shared will remain subject to this Notice and the privacy preferences you have expressed to us. However, personal information submitted or collected after a transfer may be subject to a new privacy policy adopted by the successor entity.

Data retention

We retain personal information for only as long as is necessary, which may be for the duration of the relevant business relationship to provide you with services, receive services from you or your employer, for our own business purposes, or where required or allowed under applicable law. We may also retain personal information for longer than the duration of the business relationship should we need to retain it to protect ourselves against legal claims, use it for analysis or historical record-keeping, comply with our information management policies and schedules, or as may be permitted or required by applicable laws.

How we protect your personal information

We have implemented physical, technical, and administrative security measures designed to safeguard and protect your data from unauthorized access and use.

The security of your data also depends on you. Where we have given you, or where you have chosen, a password for access to certain parts of our website, you are responsible for keeping this password confidential. Please do not share your password with anyone. If you suspect someone else obtained access to your password, please immediately change it.

No security measures are impenetrable. We cannot guarantee the security of your personal information transmitted to us. If you choose to communicate with us by email, you should be aware that internet email is not secure. We strongly encourage you to use encrypted email when sending sensitive, personal, private and/or confidential information by email. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on our websites, systems, or services.

U.S. state-specific information and privacy rights

Depending on where you live, you may have additional rights afforded to you. To protect you and your personal information, we will only respond to requests after reasonably verifying a requestor’s identity or their authority to make the request. To exercise your rights, please use this form.

How to submit a privacy rights request under U.S. state law

You may initiate a privacy rights request under the state law where you reside by using this request form or by contacting us toll-free at 866-816-1727. If you are enjoying our HealthFitness Products through one of our Clients (i.e., your employer, a community center, or their authorized representative), you should submit a privacy rights request through them, and we will assist them with responding to your request.

Verification process. To protect you and your information, we must reasonably verify that you are the person that is the subject of the request. You will be asked to provide us with your full name, the last four digits of your social security number, your birthdate (day and month), your email address, and your mailing address. If the personal information you provide is inadequate based on the sensitivity of the request, we may request additional information from you. The information you provide us with for this purpose will not be further processed. If after a good faith attempt, we cannot reasonably verify your identity, or the authority under which the request is made, we will not be able to fulfill your request.

If allowable under applicable law, and subject to limitations, you may designate an authorized agent to submit a privacy rights request on your behalf. We may request that you provide evidence that establishes the agent’s authority or may ask you and your agent to verify your identity directly with us. We will deny a request from an authorized agent that does not submit evidence that they have been authorized by you to act on your behalf.

Response timing and process. We will confirm receipt of requests within ten (10) business days. We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time or additional information to fulfill your request, we will tell you why.

  • If we are unable to fulfill your request, or if we deny your request in whole or in part, we will provide you with an explanation. We may direct you to our general business practices for collecting personal information.
  • Under no circumstances will we provide a requestor with a Social Security number, driver’s license number, or other government-issued identification number, financial account numbers, any health insurance or medical identification numbers, any account passwords, or any security questions and answers.
  • We will use reasonable security measures when transmitting information to a requestor and will deliver data in a readily useable format.
  • We are not required to retain any personal information about you that we collected for a single one-time transaction if we do not retain that information in the ordinary course of business. We are also not required to re-identify or otherwise link data that we do not maintain in a manner that would be considered personal information in the ordinary course of business.
  • Where permitted under the law, we may charge you a reasonable fee to process your request.
  • Please note, we may not be able to fulfill your request to delete your personal information if it falls within a legal exception, including, but not limited to retaining such information to:
    • Comply with federal, state, or local laws, rules, or regulations.
    • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
    • Investigate, establish, exercise, prepare for, or defend legal claims.
    • Provide a product or service specifically requested by you; perform a contract to which you are a party, including fulfilling the terms of a written warranty, or take steps at the request of you prior to entering into a contract.
    • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report, or prosecute those responsible for any such action.
    • Identify and repair technical errors that impair existing or intended functionality.
    • Perform internal operations that are reasonably aligned with your expectations based on your existing relationship with us.

International resident information and privacy rights

For residents of the European Economic Area (EEA) or United Kingdom
This section supplements the information contained in the Notice and provides additional information to persons who are in the European Economic Area (EEA) or the United Kingdom (“you”) as required by the General Data Protection Regulation and the UK General Data Protection Regulation (collectively, “GDPR”). We encourage you to review the Notice in its entirety. To the extent the Notice conflicts with this section, this section will control. To exercise your rights, please use this request form.

The GDPR requires that we provide you with the contact details of our organization, the purposes for processing your personal information, the lawful basis for the processing, the categories of recipients of personal information, the details of transfers of personal information to any third countries, the retention periods for the personal information, the rights available to you with respect to processing, the right to lodge a complaint with a supervisory authority, and details of the existence of automated decision-making or profiling.

Where you can reach us
Privacy Officer
Trustmark Companies
PO Box 7961
Lake Forest, IL 60045-7961
Email: privacysecurityoffice@trustmarkbenefits.com
 
Purposes for processing personal information
As discussed in the Purposes for processing personal information section of this Notice, we process your personal information to manage our customer relationships, to manage our products, and for business operations.

Lawful basis for processing personal information
We process personal information to provide our services, improve our products, and comply with legal requirements and our internal policies as detailed in our Notice. We will only process your personal information if we have a lawful basis for doing so. Lawful bases for processing include affirmative consent, contractual necessity, pursuit of our legitimate interests or the legitimate interests of others, or compliance with an EEA or UK legal obligation, as further described below.

Consent. Your informed, affirmative consent allows us to use your personal information, including health data, to:

  • Provide you with HealthFitness Products you requested directly or under an agreement with an established Client.
  • Market HealthFitness Products through surveys, contests, or drawings.
  • Participate in surveys, contests, or drawings.
Contractual necessity. In some cases, we need to process personal information to perform our contractual obligations to you, or to take steps at your request before you enter into a contract with us. When we process data based on contractual necessity, failure to provide the personal information we request, and that we indicate is required, will result in your inability to use some or all portions of the services that require such data to:
  • Provide you with HealthFitness Products you requested directly or under an agreement with an established Client.
  • Communicate with you and Clients to administer benefits to you.
  • Facilitate transactions and payments with you.
  • Provide technical support for users and track performance issues.
  • Contact you about service announcements and updates.
  • Otherwise manage our relationship with you.

Legitimate interests. We process personal information when we believe it furthers the legitimate interest of us or third parties, in particular our interest in performing our agreement with your employer, or in promoting and improving our products and services, in each case in order to grow our business, increase our profitability and enhance our reputation. We process personal information on the basis of those interests, taking into consideration your reasonable expectations and the potential impact to you. Those interests are described in the Purposes for processing personal information section of this Notice.

EEA/UK legal obligations. We process personal information to comply with our EEA or UK legal obligations:

  • Identify you and associate you with the information you provide if you make a verifiable request to exercise your privacy rights under state or federal law as further described in this Policy.
  • Manage and administer our EEA or UK accounts and tax reporting.
  • Respond to an EEA or UK subpoena or court order.

Other lawful bases for processing. In limited circumstances, we may also need to process personal information because it is necessary to protect the vital interests of you or other persons, for example in the event of an emergency.

Categories of recipients of your personal information
As discussed in the Sharing your personal information section of this Notice, we may share your personal information with others for the purposes listed above.

Transfers of personal information
Our services are hosted and operated in the United States, which does not offer the same level of protection to your personal information as the laws in the EEA and UK. By using the services, you acknowledge that any personal information about you, regardless of whether provided by you or obtained from a third party, is being provided to us in the U.S. and will be hosted on U.S. servers. Transfers of personal information to the U.S. are made on the basis of your explicit consent directly from you or through a Client, or where necessary to perform our contract with you or pre-contractual steps that you have requested, or pursuant to Standard Contractual Clauses (SCCs) approved by the European Commission with accompanying Transfer Impact Assessments.

How long we retain your personal information
In accordance with applicable data protection laws, we will only keep your personal information for as long as is necessary to fulfill the specific purposes that we collected it for. We determine the appropriate retention period for personal information with reference to the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, any applicable legal requirements, and the relevant period for bringing claims that may implicate that personal information. Following expiry of the applicable retention period, we will take steps to ensure that your personal information is (as applicable) securely deleted or destroyed, or anonymized. If you want information about specific retention practices, please contact PrivacySecurityOffice@trustmarkbenefits.com.

Your rights regarding your personal information
You have rights with respect to your personal information as described below. In some circumstances, we may not be able to fully comply with your request, such as if it is unfounded or excessive, or if it jeopardizes the rights of others. We may also need you to provide us with additional information, which may include personal information, if necessary, to verify your identity or the nature of your request.

Access. You have the right to request more information about the personal information we hold about you and request a copy of such personal information.

Rectification. If you believe that any personal information we are holding about you is incorrect or incomplete, you have the right to request that we correct or supplement such data.

Erasure. You have the right to request that we erase some or all of your personal information from our systems under specific conditions set forth in the GDPR.

Withdrawal of consent. You have the right to withdraw consent at any time for future processing of your personal information.

Portability.  Where we process your personal information to perform a contract with you, you can ask for a copy of your personal information in a machine-readable format. You can also request that we transmit the data to another controller.

Objection. You have the right to object to the further processing of your personal information that we process in furtherance of our legitimate interests, on grounds relating to your particular situation. 

You also have the right to object at any time to processing of personal information for direct marketing purposes.

Restriction of Processing. You have the right to ask us to restrict further processing of your personal information under specific conditions set forth in the GDPR.

Object to automated decision-making and profiling. While you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, we do not make decisions based on these circumstances.

Right to File Complaint. You have the right to lodge a complaint about our practices with respect to your personal information with the supervisory authority of your country.

You may submit a privacy rights request by filling out this request form.

Changes to this Notice

We may change, update, or modify this Notice from time to time. If we make changes to this Notice, we will revise the Last Updated date identified at the top of the first page. Any changes will become effective upon our posting of the revised Notice on our websites.

Online Platforms and Cookies Policy

This Policy applies to certain privacy practices while using our websites and mobile applications (“Online Platforms”). It includes the use of technologies such as cookies, beacons, tags, or similar tracking technologies (collectively, “cookies”) to collect information from individuals when using Online Platforms.

What is a cookie? Cookies are small text files placed on your browser, device, or the page you are viewing that enable the cookie owner to recognize the device when it visits websites or uses online services.

  • Session cookies are temporary bits of information that are erased once you exit your web browser window, or otherwise turn your computer off. Session cookies are used to improve navigation on websites and to collect aggregate statistical information. Trustmark websites use session cookies.
  • Persistent cookies are more permanent bits of information that are placed on the hard drive of your computer and stay there unless you delete the cookie. Persistent cookies store information on your computer for several purposes, such as retrieving certain information you have previously provided (for example, passwords), helping to determine what areas of the website visitors find most valuable, and customizing the website based on your preferences. Trustmark websites use persistent cookies.

Most browsers allow you to control cookies through their settings preferences. However, if you limit the ability of websites to set cookies, you may worsen your overall user experience, since it will no longer be personalized to you. It may also stop you from saving customized settings like login information.

Why we use cookies. Trustmark uses cookies in a range of ways to improve your experience on our website(s), including:

  • keeping you signed in,
  • allowing for single sign-on,
  • understanding how you use our website, and
  • improving your experience when you use our website.

Cookie choices. If you visit our websites, you consent to our use of third-party cookies such as Google Analytics, which uses cookies to collect non-personally identifiable information. Google Analytics uses cookies to track visitors, providing reports about website trends without identifying individual visitors.

If you use our mobile applications, you consent to our use of Azure Application Insights, which uses telemetry data, including IP addresses, to track visitors, providing reports about mobile usage and performance trends without identifying individual visitors.

We use information received from Google Analytics and Azure Application Insights as aggregate data to help us maintain and improve our websites and mobile applications. We do not send such information to other third parties. You can opt out of Google Analytics without affecting how you visit our websites. For more information on opting out of Google Analytics tracking across all websites you use, visit this Google page: https://tools.google.com/dlpage/gaoptout.

Do not track. Some web browsers and mobile operating systems offer a “Do Not Track” setting you can activate to signal your preference not to have data about your online browsing activities monitored and collected. Currently, our Online Platforms may not recognize “Do Not Track” signals.

Children’s online privacy. We do not knowingly collect personal information online or otherwise from any person under the age of 18, and we do not offer, otherwise market or direct our products or services to any person under the age of 18. If you suspect that we have collected personal information from a person under the age of 18, please contact us.

Privacy policies and notices of other sites. Our Online Platforms may link to and from third-party websites. If you click on a link to another website, that third party’s privacy policy/notice will apply to your use of their website. We do not have control over the content or operation of these third-party sites. We recommend that you review all third parties’ terms of use agreements and privacy policies before using their websites, goods, or services.

How to contact us

If you have any questions about this Notice or the ways in which we collect or use your personal information, please contact us at:

Privacy Officer
Privacy Request
Trustmark Companies
PO Box 7961
Lake Forest, IL 60045-7961
 
Email: privacysecurityoffice@trustmarkbenefits.com