Privacy Notice

Effective: January 1, 2023
PDF version

Strong relationships are built on trust. At PFT Employee Benefit Solutions Inc., we want to earn your trust by informing you of the personal information we collect from you, the purposes for which we collect that information, the types of parties we share it with, the measures we take to protect your information, and the rights and choices you have with respect to the information we process about you. We encourage you to read through the privacy notice (“Notice”) to learn more about our privacy practices.

Policy scope

This Notice is issued on behalf of PFT Employee Benefits Solution Inc.* (“PFT”, “we”, “our” “us”) and provides specific information about how we collect, use, share, retain, and protect personal information through the offering of, applying for, and enrolling in “PFT Products”, including the use of our websites or mobile applications. (“Online Platforms”).

Personal information, also known as “personal data” or “personally identifiable information”, is any information about, or that can reasonably be expected to be related to, associated with, or linked directly or indirectly to an identifiable individual. Personal information does not include data that has been rendered in such a way that the individual is not or no longer identifiable.

PFT will only process your personal information for the purposes described within this Notice. We do not sell your personal information to third parties, and we do not allow third parties to use the personal information we provide to them to offer you their products or services.

Depending on where you live, you may have additional rights afforded to you. Please review the U.S. state-specific information and privacy rights sections below for more information.

*This Notice does not apply to Trustmark Mutual Holding Company and its subsidiaries, Health Fitness Corporation, GoRecess, Inc. (and its affiliates, FitReserve and FitReserve.com), or Midtown Health, LLC which have their own privacy notices.

For the purposes of this Notice, “PFT Products” include, but are not limited to:

Health assessment questionnaire
Recommended plans of workouts and exercises
Group fitness
Personal and small group training
Recreation sports and activities
Community social and activity-based events
Challenges
Health Coaching
Education (seminars, meet ups and series classes)
Wellness services
Communications about products
Registering for or participating in events, classes, and other activities offered either directly with PFT or PFT acting as a service provider. (“Clients”). When PFT acts as a service provider, data collection and privacy practices may depend on a Client’s contractual requirements.

This Notice will address the following:

The categories of personal information we collect
- Members/Participants
- B2B Contacts
Purposes for processing personal information
- Members/Participants
- B2B Contacts
Sharing your personal information
Data Retention
How we protect your personal information
U.S. state-specific information and privacy rights
How to submit a privacy rights request under U.S. state law
Online Platforms and Cookie Policy
Changes to our Notice
How to contact us

The categories of personal information we collect

The personal information we collect depends upon things such as the nature of our relationship, the method you communicate with us, and the type of PFT Product you have or use. We only collect personal information as required or permitted by law, and only to the extent necessary to fulfill the purpose for collection.

The tables below describe the categories of personal information that we may collect and that we have collected from individuals in the previous twelve (12) months.

From members/participants
For example, when you engage in our products or services such as apply for, enroll in, and/or participate in PFT Products directly or through a Client.

Category	Categories of Sources	Disclosed for a Business Purpose	Sold or Shared with Third-Party So They Can Market to You?
Personal identifiers or records Such as name, alias, postal address, telephone number, email address, date of birth, gender, physical description, unique personal identifiers, medical information (including health risk status and other health/wellness-related information).	Directly from you. From our Client.	Yes	No
Protected classification characteristics Such as gender	Directly from you. From our Client.	Yes	No
Commercial information Such as voluntary questionnaires, survey responses, and feedback.	Directly from you.	Yes	No
Internet or other similar network activity Such as Internet Protocol (IP) addresses, browser type, internet service provider (ISP), device identifier, device type, operating system versions, or clickstream data.	Directly from you. Indirectly from you by observing your actions through our websites or mobile applications. See our Online Platforms and Cookies Policy for more information.	Yes	No
Sensory data Such as audio or video recordings or photographs.	Directly from you.	Yes	No
Professional or employment-related information Such as employment history or employer name.	Directly from you. From our Client (i.e., your employer).	Yes	No
Health information Such as your current and past fitness level/habits, injuries, health status, nutrition, sleep, motivation level, and overall well-being, health goals.	Directly from you. From third parties you authorize us to collect from.	Yes	No

From B2B contacts
For example, when you have a business relationship with us, such as when you interact with us as an employee or contact person of one of our Clients or when you interact with us when providing your services to us as vendor.

Category	Categories of Sources	Disclosed for a Business Purpose	Sold or Shared with Third-Party So They Can Market to You?
Personal identifiers or records Such as name, postal address, email address, telephone number, government or taxpayer identification number, or signature.	Directly from you. From your employer.	Yes	No
Commercial information Such as voluntary questionnaires, survey responses or feedback, assessments, or audits.	Directly from you. From your employer.	Yes	No
Internet or other similar network activity Such as Internet Protocol (IP) addresses, browser type, internet service provider (ISP), device identifier, device type, operating system versions, or clickstream data.	Directly from you. Indirectly from you by observing your actions through our websites or mobile applications. See our Online Platforms and Cookies Policy for more information.	Yes	No
Sensory data Such as information collected through call recordings, recorded meetings, or CCTV footage on company premises.	Directly from you.	Yes	No
Professional or employment-related information Such as job title, role, company name, occupation, or other related information.	Directly from you. From your employer. From publicly available sources.	Yes	No

Purposes for processing personal information

As further detailed throughout this Notice, to the extent permitted by applicable law, we may use your personal information for the following purposes:

To operate, manage, and maintain our business including performing necessary and appropriate internal functions such as accounting, auditing, risk management, information technology and security, legal, compliance, and records maintenance.
To comply with our legal and regulatory obligations, or to respond to a subpoena or court order.
To fulfill our contractual obligations as a data processor.
To resolve disputes.
To help maintain the safety, security, and integrity of our products and services, websites, databases and other technology assets, and business.
As necessary or appropriate to protect the rights, property, or safety of us, our clients, or others.
To improve our existing websites, applications, products, and services.
For the research and development of new products, services, and functionalities.
To prepare for and complete corporate transactions, such as a merger, acquisition, financing, bankruptcy or other sale of all or a portion of our assets or that of a Trustmark group entity; investments by or in PFT or other Trustmark group entities, or reorganization of assets or operations.

For members/participants, we additionally process personal information for the following purposes:

To provide you with PFT Products you requested directly, or under an agreement established with a Client, or reasonably anticipated within the context of our ongoing relationship.
To provide you with support and to respond to your inquiries or requests, including to investigate and address your concerns.
To facilitate transactions and payments.
To verify your identity for security purposes.
To create, maintain, customize, and secure user accounts on our platforms or applications.
To tailor and improve our services to you, for analytics, and to improve functionalities.
To engage in customized outreach regarding products and services you or the Client have requested, are eligible to receive, but are not currently utilizing, or may be of interest to you.
To ensure your physical safety or otherwise inform health personnel in cases of medical emergency.
For other purposes for which we obtain your consent.

For our B2B contacts, we additionally process this personal information for the following purposes:

For our Client contacts, to perform our contractual obligations to your employer, communicate with you and your employer about our products and services, answer questions and other requests from you, provide customer support, and communicate with you and your employer about business opportunities, including new products or services and other information we think may be of interest to you.
For vendor contacts, to manage our contracts with your employer, to ensure we are receiving products or services appropriately and on terms most beneficial to us, for vendor management purposes, including vendor risk management.
To facilitate transactions and payments.
To operate and expand our business activities and evaluate, develop, and improve the quality of our products and services.

Sharing your personal information

To the extent permitted by applicable law, we may share your personal information with the following categories of data recipients. We do not share your personal health information with any data recipients without your explicit consent. However, we may share personal health information in cases of emergency, where you are unable to provide consent and the disclosure is necessary to protect your life.

Our Clients
We may share personal information through agreements with Clients who deliver PFT Products. Clients may include your employer, plan sponsors, your community center, or other business entity.

Service providers
We may share personal information with service providers that perform services on our behalf, and with whom we have a contractual relationship and are bound to keep your personal information confidential and use it only for the purposes for which we disclose it to them. We may also share personal information through agreements with our Clients’ service providers.

Fitness or healthcare personnel
We may share personal information with fitness or healthcare personnel in furtherance of PFT Products, or where it is necessary to protect your life.

Authorized parties
We may share personal information with third parties that you affirmatively authorize, or direct us to share with, or as otherwise permitted by law.

Regulatory bodies
We may share personal information with regulators, licensing authorities, law enforcement authorities, or tax authorities.

PFT’s parent company or affiliated companies of Trustmark Benefits
We may share personal information with PFT’s parent company, Trustmark Benefits, or other companies affiliated with Trustmark Benefits.

Successor companies
We may share personal information with another entity acquiring all, or a portion of, our business. The information shared will remain subject to this Notice and the privacy preferences you have expressed to us. However, personal information submitted or collected after a transfer may be subject to a new privacy policy adopted by the successor entity.

Data retention

We retain personal information for only as long as is necessary, which may be for the duration of the relevant business relationship to provide you with services, receive services from you or your employer, for our own business purposes, or where required or allowed under applicable law. We may also retain personal information for longer than the duration of the business relationship should we need to retain it to protect ourselves against legal claims, use it for analysis or historical record-keeping, comply with our information management policies and schedules, or as may be permitted or required by applicable laws.

How we protect your personal information

We have implemented physical, technical, and administrative security measures designed to safeguard and protect your data from unauthorized access and use.

The security of your data also depends on you. Where we have given you, or where you have chosen, a password for access to certain parts of our website, you are responsible for keeping this password confidential. Please do not share your password with anyone. If you suspect someone else obtained access to your password, please immediately change it.

No security measures are impenetrable. We cannot guarantee the security of your personal information transmitted to us. If you choose to communicate with us by email, you should be aware that internet email is not secure. We strongly encourage you to use encrypted email when sending sensitive, personal, private and/or confidential information by email. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on our websites, systems, or services.

U.S. state-specific information and privacy rights

Depending on where you live, you may have additional rights afforded to you. To protect you and your personal information, we will only respond to requests after reasonably verifying a requestor’s identity or their authority to make the request. To exercise your rights, please use this form.

For California residents

California Consumer Privacy Act (CCPA) Notice of Collection
The California Consumer Privacy Act of 2018, as amended, and its implementing regulations (“CCPA”) provide consumers residing in California (“California Consumers”) with specific rights regarding their personal information. This section supplements the information contained in our Notice and applies solely to California Consumers. For the purposes of this section, personal information does not include:

Information lawfully made available from government records;
Information made available to the general public by you or widely distributed media;
Deidentified or aggregated consumer information;
Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), or clinical trial data; and
Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) the California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994

Purposes and Use and Disclosure of Personal Information, No Sale or Sharing
We may disclose personal information we collect for one or more business purposes as described in the Notice. In the preceding twelve (12) months, we have not sold any of your personal information nor shared it for cross-contextual behavioral advertising. In addition, we do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Authorized Agents. You may designate someone as an authorized agent to submit privacy rights requests and act on your behalf. Authorized agents will be required to provide proof of their authorization in their first communication with us, and we may also require that the requestor directly verify their identity and the authority of the authorized agent.

Businesses operating as an authorized agent on behalf of a California resident must provide both of the following:

Certificate of good standing with its state of organization; and
A written authorization document, signed by the California resident, containing the California resident’s name, address, telephone number, and valid email address, and expressly authorizing the business to act on behalf of the California resident.

Individuals operating as an authorized agent on behalf of a California resident must provide either of the following:

A notarized power of attorney signed and dated by the California resident naming the authorized agent as the California resident’s representative; or
A written authorization document, signed by the California resident, containing the California resident’s name, address, telephone number, and valid email address, and expressly authorizing the individual to act on behalf of the California resident.

We reserve the right to reject: 1) requests from authorized agents who have not fulfilled the above requirements, or 2) automated CCPA requests where we have reason to believe the security of the requestor’s personal information may be at risk.

Privacy Rights
California Consumers have privacy rights available as described in this section. Instructions for making a privacy rights request may be found here. We encourage you to read through this entire section before submitting a request.

Right to know and request access. Subject to the exceptions set forth in the CCPA, you have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and confirm your verifiable consumer request, we will disclose to you:

the categories of personal information that we collected;
the categories of sources from which we collected your personal information;
our business or commercial purposes for collecting your personal information;
The categories of third parties to whom we disclose your personal information; and
a copy of the specific pieces of your personal information we have collected, subject to whether it involves disproportionate effort on our part to obtain these specific pieces of personal information.

Right to request deletion. Subject to exceptions set forth in the CCPA, you have the right to request that we delete personal information we collected from you. Once we receive and confirm your verifiable request, we will delete and direct our service providers to delete your personal information from our records, unless an exception applies. As an alternative to deletion, your information may be de-identified rather than deleted at our option.

Right to request correction. You have the right to request we correct inaccurate personal information. We will make reasonable efforts to correct your personal information upon request, but if we determine such a request would result in false or inaccurate information, we may reject your request.

Non-discrimination rights. You have the right not to receive discriminatory treatment for exercising your rights under the CCPA. We comply with the non-discrimination provisions of the CCPA.

Right to opt-out. You have the right to opt-out of “sales” and “sharing” of your personal information, as those terms are defined under the CCPA. We do not sell your personal information to third parties, and we do not allow third parties to use the personal information we provide to them to offer you their products or services, so there is no need to exercise these rights.

Right to request limitation of use and disclosure of sensitive personal information. We do not engage in uses or disclosures of sensitive personal information as defined under the CCPA that would trigger the right to limit use of sensitive personal information. Therefore, there is no need to exercise this right.

Other Rights
California Shine the Light. California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our website who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose your personal information to third parties for their marketing purposes.

For Colorado residents

Commencing July 1, 2023, under the Colorado Privacy Act (“CPA”), Colorado residents have the right to receive certain disclosures regarding a business’ processing of personal information or “personal data”, as defined under the CPA, as well as certain rights with respect to our processing of such personal information.

To the extent the personal information we collect and store is subject to the CPA, and to the extent no other carveout applies, you have the following rights:

Right to access. You have the right to confirm whether we are processing your personal information and request access to it.

Right to request correction. You have the right to request we correct inaccuracies in your personal information, considering the nature of the personal information, and the purposes of the processing of your personal information.

Right to request deletion. Subject to certain exceptions, you have the right to request we delete your personal information.

Right to request data portability. You have the right to request a copy of the personal information that you previously provided to us in a portable and to the extent technically feasible, readily usable format that allows you to transmit your personal information to another controller without hindrance, where the processing is carried out by automated means.

Instructions for making a privacy rights request may be found here.

For Connecticut residents

Commencing July 1, 2023, under the Connecticut Data Privacy Act (“CTDPA”), Connecticut residents have the right to receive certain disclosures regarding a business’ processing of personal information or “personal data”, as defined under the CTDPA, as well as certain rights with respect to our processing of such personal information.

To the extent the personal information we collect and store is subject to the CTDPA, the following applies.

We may share de-identified information about individuals with third parties. We commit to maintaining and using de-identified data without attempting to re-identify a Connecticut consumer, except as permitted by law.

Right to request deletion. Subject to certain exceptions, you have the right to request we delete personal information provided by or obtained about you.

Right to request data portability. You have the right to request a copy of the personal information that you previously provided to us in a portable and to the extent technically feasible, readily usable format that allows you to transmit your personal information to another controller, or business where the processing is carried out by automated means.

Right to opt-out of profiling resulting in legal or significant effects. You have the right to opt out of the processing of your personal information by us for profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

Instructions for making a privacy rights request may be found here.

For Utah residents

Commencing January 1, 2024, under the Utah Consumer Privacy Act (“UCPA”), Utah residents have the right to receive certain disclosures regarding a business’ processing of personal information or “personal data”, as defined under the UCPA, as well as certain rights with respect to our processing of such personal information.

To the extent the personal information we collect and store is subject to the UCPA, the following applies.

We may share de-identified information about individuals with third parties. We commit to maintaining and using de-identified data without attempting to re-identify a Utah consumer except as permitted by law.

Right to request deletion. Subject to certain exceptions, you have the right to request we delete personal information provided by or obtained about you.

Right to request data portability. You have the right to request a copy of the personal information that you previously provided to us in a portable and to the extent technically feasible, readily usable format that allows you to transmit your personal information to another controller or business where the processing is carried out by automated means.

Instructions for making a privacy rights request may be found here.

For Virginia residents

Commencing January 1, 2023, under the Virginia Consumer Data Protection Act (“VCDPA”), Virginia residents have the right to receive certain disclosures regarding a business’ processing of personal information or “personal data”, as defined under the VCDPA, as well as certain rights with respect to our processing of such personal information.

To the extent the personal information we collect and store is subject to the VCDPA, the following applies.

We may share de-identified information about individuals with third parties. We commit to maintaining and using de-identified data without attempting to re-identify a Virginia consumer except as permitted by law.

Right to request deletion. Subject to certain exceptions, you have the right to request we delete personal information provided by or obtained about you.

Right to request data portability. You have the right to request a copy of the personal information that you previously provided to us in a portable and to the extent technically feasible, readily usable format that allows you to transmit your personal information to another controller, or business where the processing is carried out by automated means.

Right to appeal. If you are a Virginia resident and we decline to act on your request, we will notify of our reasons and instructions for appealing the decision. If the appeal is denied, we will provide a way for you to contact the Virginia Attorney General to submit a complaint.

Instructions for making a privacy rights request may be found here.

How to submit a privacy rights request under U.S. state law

You may initiate a privacy rights request under the state law where you reside by using this request form or by contacting us toll-free at 866-816-1727. If you are enjoying our PFT Products through one of our Clients (i.e., your employer, a community center, or their authorized representative), you should submit a privacy rights request through them, and we will assist them with responding to your request.

Verification process. To protect you and your information, we must reasonably verify that you are the person that is the subject of the request. You will be asked to provide us with your full name, the last four digits of your social security number, your birthdate (day and month), your email address, and your mailing address. If the personal information you provide is inadequate based on the sensitivity of the request, we may request additional information from you. The information you provide us with for this purpose will not be further processed. If after a good faith attempt, we cannot reasonably verify your identity, or the authority under which the request is made, we will not be able to fulfill your request.

If allowable under applicable law, and subject to limitations, you may designate an authorized agent to submit a privacy rights request on your behalf. We may request that you provide evidence that establishes the agent’s authority or may ask you and your agent to verify your identity directly with us. We will deny a request from an authorized agent that does not submit evidence that they have been authorized by you to act on your behalf.

Response timing and process. We will confirm receipt of requests within ten (10) business days. We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time or additional information to fulfill your request, we will tell you why.

If we are unable to fulfill your request, or if we deny your request in whole or in part, we will provide you with an explanation. We may direct you to our general business practices for collecting personal information.
Under no circumstances will we provide a requestor with a Social Security number, driver’s license number, or other government-issued identification number, financial account numbers, any health insurance or medical identification numbers, any account passwords, or any security questions and answers.
We will use reasonable security measures when transmitting information to a requestor and will deliver data in a readily useable format.
We are not required to retain any personal information about you that we collected for a single one-time transaction if we do not retain that information in the ordinary course of business. We are also not required to re-identify or otherwise link data that we do not maintain in a manner that would be considered personal information in the ordinary course of business.
Where permitted under the law, we may charge you a reasonable fee to process your request.
Please note, we may not be able to fulfill your request to delete your personal information if it falls within a legal exception, including, but not limited to retaining such information to:
- Comply with federal, state, or local laws, rules, or regulations.
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
- Investigate, establish, exercise, prepare for, or defend legal claims.
- Provide a product or service specifically requested by you; perform a contract to which you are a party, including fulfilling the terms of a written warranty, or take steps at the request of you prior to entering into a contract.
- Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report, or prosecute those responsible for any such action.
- Identify and repair technical errors that impair existing or intended functionality.
- Perform internal operations that are reasonably aligned with your expectations based on your existing relationship with us.

Online Platforms and Cookies Policy

This Policy applies to certain privacy practices while using our websites and mobile applications (“Online Platforms”). It includes the use of technologies such as cookies, beacons, tags, or similar tracking technologies (collectively, “cookies”) to collect information from individuals when using Online Platforms.

What is a cookie? Cookies are small text files placed on your browser, device, or the page you are viewing, that enables the cookie owner to recognize the device when it visits websites or uses online services.

Session cookies are temporary bits of information that are erased once you exit your web browser window, or otherwise turn your computer off. Session cookies are used to improve navigation on websites and to collect aggregate statistical information. Trustmark websites use session cookies.
Persistent cookies are more permanent bits of information that are placed on the hard drive of your computer and stay there unless you delete the cookie. Persistent cookies store information on your computer for several purposes, such as retrieving certain information you have previously provided (for example, passwords), helping to determine what areas of the website visitors find most valuable, and customizing the website based on your preferences. Trustmark websites use persistent cookies.

Most browsers allow you to control cookies through their settings preferences. However, if you limit the ability of websites to set cookies, you may worsen your overall user experience, since it will no longer be personalized to you. It may also stop you from saving customized settings like login information.

Why we use cookies. Trustmark uses cookies in a range of ways to improve your experience on our website(s), including:

keeping you signed in,
to allow for single sign on,
understanding how you use our website, and
improving your experience when you use our website.

Cookie choices. If you visit our websites, you consent to our use third-party cookies such as Google Analytics, which uses cookies to collect non-personally identifiable information. Google Analytics uses cookies to track visitors, providing reports about website trends without identifying individual visitors.

If you use our mobile applications, you consent to our use of Azure Application Insights, which uses telemetry data, including IP addresses to track visitors, providing reports about mobile usage, and performance trends without identifying individual visitors.

We use information received from Google Analytics and Azure Application Insights as aggregate data to help us maintain and improve our websites and mobile applications. We do not send such information to other third parties. You can opt out of Google Analytics without affecting how you visit our websites. For more information on opting out of Google Analytics tracking across all websites you use, visit this Google page: https://tools.google.com/dlpage/gaoptout.

Do not track. Some web browsers and mobile operating systems offer a “Do Not Track” setting you can activate to signal your preference not to have data about your online browsing activities monitored and collected. Currently, our Online Platforms may not recognize “Do Not Track” signals.

Children’s online privacy. We do not knowingly collect personal information online or otherwise from any person under the age of 18, and we do not offer, otherwise market or direct our products or services to any person under the age of 18. If you suspect that we have collected personal information from a person under the age of 18, please contact us.

Privacy policies and notices of other sites. Our Online Platforms may link to and from third-party websites. If you click on a link to another website, that third party’s privacy policy/notice will apply to your use of their website. We do not have control over the content or operation of these third-party sites. We recommend that you review all third parties’ terms of use agreements and privacy policies before using their websites, goods, or services.

Changes to this Notice

We may change, update, or modify this Notice from time to time. If we make changes to this Notice, we will revise the Last Updated date identified at the top of the first page. Any changes will become effective upon our posting of the revised Notice on our websites.

How to contact us
If you have any questions about this Notice or the ways in which we collect or use your personal information, please contact us at:

Privacy Officer
Privacy Request
Trustmark Companies
PO Box 7961
Lake Forest, IL 60045-7961

Email: privacysecurityoffice@trustmarkbenefits.com