Effective Date: November 13, 2023
Last Reviewed on: November 13, 2023
Consistent with the CCPA, the term “personal information” as used in this Notice does not include deidentified information. With respect to deidentified information, we: (1) take reasonable measures to ensure that deidentified information cannot be associated or reassociated with the consumer or household that that it was originally about, (2) maintain and use deidentified information only in deidentified form and do not attempt to reidentify it (except as necessary as part of the process of confirming the information cannot be reidentified); and (3) do not disclose deidentified information to any third party unless the third party enters into a contract obligating it to comply with the earlier two points.
Collection, Use, Disclosure, and Sharing of PI
Generally, we collect, retain, use, disclose, and share your PI to provide you with our products and services (collectively, “Services”) and as otherwise related to the operation of our business. In addition, we may collect, use, disclose, and share your PI as required or permitted by applicable law, or as directed by you, in accordance with this Notice. More detailed information is provided below.
Collection, Use, and Disclosure of PI
We collect PI from healthcare practitioners, other resellers of our products, and vendors (collectively, “Business Partners”) that assist us in providing Services, running our internal business operations, and identifying potential customers. We may also collect PI from you, your device or browser, our corporate affiliates, government entities, social networks, data brokers, and data analytics providers.
We collect, use, and disclose PI for the CCPA-defined business purposes in the bulleted list below, and also for the purposes described in our General Privacy Notice and Well World Mobile App Privacy Notice (our operational purposes) (collectively, our “Business Purposes”).
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards
- Detecting security incidents, protecting against malicious, deceptive, or illegal activity, and prosecuting those responsible for that activity
- Debugging to identify and repair errors that impair existing intended functionality
- Short-term, transient use in which PI is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction
- Providing Services, including maintaining and servicing your account with us, verifying your information, processing payments, analytic services, and similar functions and services
- Providing advertising and marketing services to you, other than cross-context behavioral advertising
- Undertaking internal research for technological improvement and demonstration
- Quality and safety assurance, and improving, upgrading, and enhancing the Services
The categories of third parties to which we disclose PI for Business Purposes include our Business Partners and government entities. We make disclosures to government entities, for example, in connection with investigating fraud, enforcing our rights, or as required by law. The table below describes the CCPA-defined categories of PI that we collect, use, and disclose for Business Purposes.
|Category of PI Collected, Used, and Disclosed for Business Purposes||Examples|
|A. Identifiers||A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.|
|B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))||Name, signature, physical characteristics or description, address, telephone number, bank account number, credit card number, debit card number, and similar financial information, medical information, or health insurance information.|
|C. Protected classification characteristics under California or federal law||Age (40 years or older), medical condition, physical or mental disability, sex (including gender and pregnancy or childbirth and related medical conditions), and genetic information.|
|D. Commercial information||Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.|
|E. Biometric information||Genetic, physiological, behavioral, and biological characteristics.|
|F. Internet or other similar network activity||Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.|
|G. Geolocation data||Physical location or movements.|
|H. Sensory data||Audio, electronic, and visual information.|
|I. Professional or employment-related information||Professional licensure and other credentials, for instance to verify resellers’ status as qualified healthcare practitioners|
|J. Inferences drawn from other personal information||Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.|
Sensitive Personal Information
We also collect, from the sources earlier described, the following CCPA-defined categories of “sensitive personal information,” and we disclose the information for Business Purposes to the same categories of third parties identified above. The list below provides more details about the contexts in which this occurs.
- With consent, we may collect the social security, drivers’ license, state identification card, or passport number of a reseller of our products to investigate fraud or verify his or her identity and/or professional credentials.
- A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, for example to process purchases and link them to your account
- With consent, a consumer’s genetic data, if the consumer submits such data or genetic material for analysis through our Genomic Spotlight® service, described in more detail below.
- With consent, a consumer’s biometric information, to the extent that you submit urine, stool, or saliva for analysis through our Spotlight Tests, defined below, to the extent such biological samples could have the potential to identify you when used singly or in combination with each other or with other identifying data.
- PI collected and analyzed concerning a consumer’s health, including for example health and fitness data the consumer inputs into the Well World Mobile App.
- We may also collect any of the foregoing categories of sensitive personal information, as well as a consumer’s racial or ethnic origin, religious or philosophical beliefs, union membership, sex life or sexual orientation, or the contents of a his or her mail, email, or text messages if: (i) the consumer happens to disclose such PI to our Customer Experience team; (ii) the consumer happens to include such PI in a message or other transfer of information to the consumer’s healthcare practitioner via the Well World Mobile App; or (iii) if we collect such PI by subpoena or other legal process due to investigating fraud or enforcing our rights.
We do not use or disclose sensitive personal data for any purposes that would require a consumer to exercise a right to limit processing according to California law. We also do not use algorithms or profiling to make any decision that would significantly affect you without the opportunity for human review.
Deletion of PI After Fulfilling the Purpose of Collection
We delete Your PI after retention of the PI is no longer reasonably necessary to fulfill the purposes for which the PI was collected and in accordance with our Records Retention Policy & Schedule. When assessing retention periods, we examine whether it is necessary to retain the personal data collected and, if retention is required, reasonably endeavor to retain the personal data for the shortest possible period permissible under law. We store your personal information as necessary to comply with our legal obligations, resolve disputes, and enforce and exercise our agreements and rights, or if it is not technically and reasonably feasible to delete your personal information. Please see below for information regarding whether you may be entitled to request that your information be deleted.
Sharing, Cookies, and Similar Technologies
- To analyze and understand how our consumers access, use, and interact with the DFH Sites, and our consumer’s preferences (such as country and language choices);
- to assess, secure, protect, optimize, and improve the performance of the DFH Sites, enabling us to provide services to our consumers and practitioners and improve their online experience;
- to obtain aggregate data about traffic and interaction on the DFH Sites, conduct analytics, identify trends, and obtain statistics;
- to target advertising and content across the DFH Sites and third-party sites and services;
- to provide or make available certain features or portions of the DFH Sites;
- to serve you with relevant ads and content;
- to manage, improve, and measure our advertising campaigns;
- to match information that we hold with personal information in third-party platforms’ databases to create custom audiences and tailor advertising to your interests on the Internet, including social media; and
- as necessary to respond to your requests.
Some of these activities require us to share the categories of PI listed in the chart below. The categories of third parties with which we share the PI include advertising networks, data analytics providers, social networks, and data brokers, each of which may use this information for their own advertising and marketing activities.
|Category of PI Shared for Business Purposes||Examples|
|Identifiers||A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.|
|Commercial information||Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.|
|Internet or other similar network activity||Domain, browser type, language, operating system, system settings, previously visited websites, referring URLs, and information about your interaction with the DFH Sites such as click behavior, search history, purchases and indicated preferences, and access times|
|Geolocation data||Country and time zone|
|Inferences drawn from other PI||Profile reflecting consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes|
To be clear, DFH does not disclose your PI to third parties in exchange for money or similar compensation, and we do not sell or share: (i) sensitive personal information; (ii) PI about individuals who we know are under the age of 16; (iii) your health, fitness, or activity information obtained from the Well World Mobile App; or (iv) any information derived from your submission of biological samples for laboratory analysis using the Spotlight Tests (defined below). Additionally, we do not share PI to the extent doing so is prohibited by law. Please see “CCPA Privacy Rights” below for information regarding exercising your rights to opt-out of data sharing.
We offer, or will soon offer, Genomic Spotlight®, Metabolomics Spotlight®, and GI Spotlight® (collectively, “Spotlight Tests”) for purchase by healthcare practitioners. The Spotlight Tests enable healthcare practitioners to collect saliva, urine, stool, or other kinds of biological samples from you and submit them for laboratory analysis, which generates data your practitioner may use to offer you health insights and recommendations regarding nutritional supplements and lifestyle changes. Based on the data, your practitioner may recommend that you purchase additional products or services, which may include supplements manufactured by or for DFH. We partner with Diagnostic Solutions Laboratory, LLC (“DSL”) and Datapunk Bioinformatics LLC (“Datapunk”) to provide these services to your practitioner. DFH, DSL, and Datapunk will not share your sample, or any PI derived from it, with any other person except for service providers or contractors that DFH, DSL, or Datapunk engage solely for assistance in performing these services for you. DFH, DSL, Datapunk, and their service providers and contractors will not use or retain your sample or PI except as necessary to facilitate your practitioner’s analysis of the lab data, to comply with legal obligations, or for business purposes permitted by law, such as improving platform functionality. As to each sample collected for genomic analysis, for example, DSL will retain the sample for one month after completing testing, upon which the sample will be destroyed as biomedical waste. If you need to exercise any applicable data privacy rights, such as data deletion requests, regarding your biological sample or the data derived from it, please do not contact DFH directly. Please contact your practitioner, who can ensure that valid requests are forwarded to DFH, DSL, and Datapunk as applicable.
CCPA Privacy Rights
California Consumers have the right to exercise certain privacy rights under the CCPA. California Consumers may exercise these rights via an authorized agent who meets the agency requirements of the CCPA. Any request you submit to us is subject to an identification and residency verification process (“Verifiable Consumer Request”). We will not fulfill your CCPA request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI.
Unless you have provided us with your email address (such as by signing up for an account on the Service), we will be unable to verify your identity to fulfill a request to know, delete, or correct. As a result, to exercise certain CCPA rights, such as your rights to know, delete, or correct, we must be able to verify your identity as the owner of the email address and/or DFH account that is associated with your request. We may not be able to fulfill your request until we can do so. In general, we verify identity by confirming that you are the owner of the email address. We reserve the right to ask you to provide additional information in order to help verify your identity.
Some personal information we maintain about Consumers is not sufficiently associated with a Consumer for us to be able to verify that it is a particular Consumer’s personal information (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA, we do not include that personal information in response to Verifiable Consumer Requests. If we cannot comply with a request, we will explain the reasons in our response.
We will make commercially reasonable efforts to identify Consumer PI that we collect, process, store, disclose, share, and otherwise use and to respond to your California Consumer privacy rights requests. We will typically not charge a fee to fully respond to your requests, but we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome.
A. The Right to Know
- Categories You have the right to send us a request, no more than twice in a twelve-month period, for any of the following for the period that is twelve months prior to the request date:
- The categories of PI we have collected about you.
- The categories of sources from which we collected your PI.
- The business or commercial purposes for our collecting or selling your PI.
- The categories of third parties to whom we have shared your PI.
- A list of the categories of PI disclosed for a business purpose in the prior 12 months, or that no disclosure occurred.
- Specific Pieces You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining.
Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.
B. The Right to Deletion
Except to the extent we have a basis for retention under the CCPA, you may contact us at the phone number or email address posted below to request that we delete your PI that we have collected directly from you and are maintaining. Our retention rights include, without limitation, to complete transactions and services you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement. Note also that we are not required to delete PI that is publicly available, and we are not required to delete lawfully obtained, truthful information that is a matter of public concern.
You may alternatively exercise more limited control of your PI by instead by canceling or modifying our email marketing communications you receive from us. You can do so by following the instructions contained within our promotional emails. This will not affect subsequent subscriptions and if your opt-out is limited to certain types of emails the opt-out will be so limited. Please note that we reserve the right to send you certain communications relating to your account or use of our Service, such as administrative and service announcements and these transactional account messages may be unaffected if you choose to opt-out from receiving our marketing communications.
C. The Right to Opt Out of Sale of PI
We do not knowingly “sell” PI that we collect from you, in accordance with the definition of “sell” in the CCPA, and therefore will not treat personal information we collect from you as subject to a do not sell request.
Another option that may be available for you to exercise your right to opt-out of sharing is to engage Global Privacy Control (“GPC”) settings. On browsers, browser extensions, or devices that support GPC functionality, it can generally be engaged by manipulating the browser or device settings. Not all websites respond to GPC signals in the same way. For example, on websites with which you have created a user account, the effect of GPC signals may depend on whether you are logged into your account with the website during navigation. If you log into a website account while GPC is enabled, then the website may apply your opt-out request to both the device and the account, so from that point on, regardless of the device from which you log into your account, and regardless of whether that device has GPC enabled, your account’s activities will not be tracked. However, if you enable GPC and visit a website without logging in, then the opt-out request may be associated only with your device and not your account, so that if you later return to the webpage on a different device without GPC enabled, the website may track you again because it does not know that you are the same user who browsed earlier on a different device with GPC engaged. Other websites may consider additional variables in determining how to respond to a GPC signal. Websites that process GPC signals in a frictionless manner should not require you to pay a fee, suffer a change in your user experience, or receive a notification or other interstitial content in response to your engagement of a GPC signal.
We may disclose your PI for the following purposes, which are not a sale: (i) if you direct us to share PI; (ii) to comply with your requests under the CCPA; (iii) disclosures amongst the entities that constitute DFH as defined above; (iv) as part of a merger or asset sale; and (v) as otherwise required or permitted by applicable law.
D. The Right to Correct Inaccurate PI You have the right to ask that we correct the personal information we may have collected about you if that information is inaccurate. To correct your PI, please revise the PI yourself by logging into your account or, if that is not possible, please reach out to us at the contact information below.
E. The Right to Non-Discrimination
We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights. However, we may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable data.
Other California Privacy Rights
It is our understanding that “California's "Shine the Light" law (Civil Code Section § 1798.83) may require certain covered businesses, in response to a consumer request, to provide either: (i) information about the business’s disclosure of the consumer’s PI to third parties for those third parties’ direct marketing purposes, or (ii) a cost-free opportunity to opt out of such disclosures. DFH is not covered by “Shine the Light” because it is and has been DFH’s policy not to disclose your PI to any third party that we know or reasonably should know intends to use your PI for the third party’s direct marketing purposes, as those terms are defined by Shine the Light. Therefore, there is no need to submit Shine the Light Requests to DFH. Please note that because consumers’ rights under Shine the Light and the CCPA are not the same and exist under different laws, DFH may not respond to requests that indicate “Shine the Light” in the subject line or body of the request.
Changes to Our Privacy Notice
We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated notice on the Website and update the Notice's effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes. **
If you have any questions or comments about this Notice, the ways in which we collect and use your information described here and in the General Privacy Notice or Well World Mobile App Privacy Notice, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Designs for Health, Inc.
Attn: Customer Experience Department
14 Commerce Blvd., Palm Coast, FL 32164
In order to complete your request, you will be required to respond to any follow up inquires we may make, and we may deny your request if you do not do so.
You may use an authorized agent to submit a consumer rights request. If you use an authorized agent to submit a request, we may require proof that the agent has been authorized by you to do so, and take other steps permissible under the CCPA, to ensure it is a proper request by an authorized agent.