In the scope of Fully, clients may expect their information to be maintained accurately and protected against manipulation and errors, as well as against crimes and improper disclosure.
Client data safety is protected in compliance with the General Law of Personal Data Protection (Law nº 13.709/2018) and all other applicable local laws, ensuring the fulfillment of safety and confidentiality strict standards. For data to be sent, it will depend on prior express consent of the client to Wellness and the effective registration to the Fully program app.
1. GENERAL CLARIFICATION ON THE FULLY PROGRAM PLATFORM AND PARTIES RESPONSIBLE FOR HANDLING YOUR DATA 1
2. GENERAL CLARIFICATION ON THE FULLY PROGRAM DATA HANDLING 2
2.1. WHICH PERSONAL DATA IS COLLECTED, WHY IS IT COLLECTED AND HOW CAN IT BE USED? 2
2.2. WITH WHOM IS YOUR PERSONAL DATA SHARED AND FOR WHAT PURPOSES? 5
2.3. DURATION OF THE HANDLING, RETENTION AND REMOVAL OF PERSONAL DATA 6
2.4. PERSONAL DATA STORAGE 6
2.5. INTERNATIONAL TRANSFER OF DATA 7
2.6. HOW IS DATA MAINTAINED SAFE? 7
2.7. DATA OF MINORS 8
2.8. WHAT ARE YOUR RIGHTS? 8
3. HANDLING PERSONAL DATA BY PARTNERS 8
3.1 GOOGLE FIT INTEGRATION 8
4. DIGITAL MARKETING 11
6. HOW TO CONTACT US 12
7. IMPORTANT DEFINITIONS 12
1. GENERAL CLARIFICATION ON THE FULLY PROGRAM PLATFORM AND PARTIES RESPONSIBLE FOR HANDLING YOUR DATA
The information provided by the user to the Marketplace presented in Fully program (Global Points), includes, but is not limited to the full name, address, phone number, email and Individual Taxpayer Identification Number (CPF) and will only meet the specific purposes of identifying users to the stores and, in the event a product is purchased, enable the logistics and delivery to the address mentioned.
2. GENERAL CLARIFICATION ON THE FULLY PROGRAM DATA HANDLING
For the services related to the Fully program to be provided, it is necessary to handle and share some of your sensitive and personal data. In this document, we detail to you the reason why your data is collected, what the purposes are in which they are used, to whom your personal data may be provided, from whom they may be collected and how to access, revise, change and request suspension of your data handling. The act of providing your sensitive and personal data is free, clear and informed and the use of the Fully program will only be possible after receiving your consent to handle the personal data.
2.1. WHICH PERSONAL DATA IS COLLECTED, WHY IS IT COLLECTED AND HOW CAN IT BE USED?
Personal data and sensitive personal data is collected under a series of circumstances, including the registration in the app and the advertisement activation, when you contact us, ask a question, make comments, use or request our products or services or those of our strategic partners. The personal data is collected to process, manage, implement and perform membership requests, transactions or services within the scope of the Fully program, as well as to other possible programs that may be made available in the future.
The data to be collected and handled, sometimes in an automated way, may fit in the following example categories of personal data: personal and contact identification (for example: Individual Taxpayer Identification Number (CPF), address, date of birth, complete name, sex, phone number, email, account login information, technical information on the mobile device and financial and payment information, among others), physical health information, mental wellness information, financial information of personal budget and nutritional and food information.
Furthermore, some sensitive personal data is collected, such as data from your physical activity, medical and health information, for the selection of the wellness journey(s) presented to Fully program users.
- Wellness and the Fully program may use and share personal information with strategic partners within the scope of medical and/or health examinations and/or consultations and studies performed for and during the wellness journeys. This personal information may be related to your health, medicine, nutrition, tobacco use, alcohol consumption habits, physical activity and information on your physical and mental wellness. This personal information and data will be used to determine and qualify the status of each member in the platform, among other functionalities. The remaining data has the purpose of showing the current health state, as well as providing proper recommendation and to award coins.
The Fully app may collect personal data, including wellness and physical conditioning data, when you use a mobile device, wearable product or partner app connected to the internet (such as Google Fit, Apple Health, Samsung Health, Strava, Garmin, etc.), such as heart rate monitors, activity trackers and other devices or wearable devices which are part of the Services.
In a free and informed way, you may choose to connect and share your information from other partner apps with the Fully program. Therefore, the Fully app allows you to interact in other ways with other mobile apps through our services, and through that, collecting data you share with these partners. Instructions to perform such integration are present in the Fully Program App.
Examples of personal data collected through other services or partner or third-party apps: weight, height, heart rate, calories burned, steps taken, nutritional information, sleep activity, other activity data (type, length and frequency of physical activities, distance, speed, rhythm, pace, step counting), injuries, running experience and ability, performance, training program and running type.
The information collected by these partners and third parties are subject to their terms and policies. The Fully program is not liable for terms and policies of partners and third parties.
Apart from any personal data obtained directly from you and from devices previously authorized by you, Wellness may need to collect and share information on the use of products and your participation in services (including progress and results) provided by strategic and benefit partners, as can be seen below:
- to share for external audit purposes;
- for the regular exercise of rights in legal, administrative or arbitration processes;
- to fulfill legal or regulatory obligation;
- to design new services or improve existing services to be provided within the scope of the Fully program;
- to design new services within the scope of eventual programs that may be made available to you;
- to provide other services related to the Fully program and/or loyalty programs, such as purchases in the Marketplace (Global Points);
- for statistical or actuarial studies performed by Wellness, by our partners providing products and services within the scope of the Fully program (Fully’s partners), by the financial service industry or our respective regulators;
- to facilitate payment for products and/or services provided by Wellness or any other member of Fully partners aiming at, for example, checking credit card details with credit card operators or other third party service providers, obtaining credit reports for the customer, of positive and/or negative registrations of credit protection and driving correspondence procedures with a database of fraudulent transactions known and maintained by Wellness or any other member of Fully’s partners or third parties;
- to assist law enforcement in police investigations or other government organ or regulatory authorities and to meet the requirements established by law or agreed to by the government or regulatory authorities;
- for commercial or marketing purposes, such as newsletters, surveys, offers and other promotional material related to the Fully program and other Wellness marketing purposes;
- to facilitate the creation and protect your account in our network;
- to identify you as a user in our system;
- to improve the experience quality when using Fully;
- to send a welcome email to verify ownership of the email address provided when your account was created; and
- to send administrative notifications by email, with safety or support warnings and maintenance.
Wellness may also share your data with companies assisting it to provide services to you, as long as they are compliant with its privacy standards and agree to be contractually obligated to maintain your data in secrecy and use it only as authorized.
Another purpose for the data handling is to supply the Wellness database data lake, used to generate reports and dashboards for strategic partners. It is solely related to sharing data, in an objective manner, aiming at proceeding with the elaboration of surveys and analyses related to the improvement of products and customer experience with the strategic partner.
Wellness may share your personal data with any of its Strategic Partners, such as usage data and redeemed rewards. Such sharing will enable its partners to obtain information, including through automated handling, in order to improve products and their customer experience, including: i) profile analysis to customize marketing campaigns, benefit offers and other communication; ii) analytical surveys; iii) identification of opportunities for Prudential do Brasil; and iv) preparation of basis to launch campaigns.
Any sensitive personal medical information or information directly related to health provided by you as part of your membership to the Fully program will not be shared with our Strategic Partners and, therefore, will not be used to make any future underwriting or claim decisions related to you.
Rest assured, your personal data will never be commercialized.
As the general purposes for the handling of Fully’s personal data have been presented, it is established that nothing in the physical, mental, nutritional and health orientation and care wellness journeys should be understood in a way to imply that they should be used as a substitute for medical or nutritional treatments or other specialized health treatments, as well as nothing in the financial wellness journey should be interpreted as a substitute for the specialized financial/investment advice provided by a qualified professional with recognized competence.
2.2. WITH WHOM IS YOUR PERSONAL DATA SHARED AND FOR WHAT PURPOSES?
Your personal data will be kept in secrecy but may be provided to the following parties, when disclosure is needed to satisfy any of the abovementioned purposes and provided the necessary data governance and security standards are met:
- any of our affiliates and/or any affiliate from DSY (Discovery Limited or its affiliates. A licensed controlling company of the designated Discovery Insurance Group. Registry number: 1999/007789/06), controlling company of the physical health component and Wellness’s, for the purposes previously specified;
- Fully program partners and its agents in order to provide products and/or services to platform users, as well as platform management;
- any agent, hired party or third party service providers offering maintenance support to the platform users, including – but not limited to -, management, data processing, data storage, call center services, mail, infrastructure and system operation, website management, marketing, finance, rewards, revenue and training;
- other companies helping to collect your information or who communicate with you, as research companies and rating agencies, aiming at improving the services to be provided within the scope of the Fully program;
- regulatory and government organs or any person to whom Wellness or its partners may have a legal obligation to disclose;
- to potential new partners of Wellness, aiming at designing new services within the scope of possible programs that may become available to you; and
- as mentioned in the previous item, in case you are also a client of Prudential do Brasil, some of your data may also be shared with this insurance company.
In addition to paragraphs “b” and “c”, we clarify that your personal data will be shared with the partners responsible for the technologies applied to the journeys of physical wellness, financial wellness, nutritional wellness and health and mental orientation and care wellness.
We clarify that your personal data may be shared through the partner API integration (App Programming Interface). One of them is Google and we perform integration of your available personal data in the Fully program through Google Fit’s API. You will be informed accurately and clearly when this integration is needed in the wellness journeys, and you may choose to allow it or not. In case users do not consent to integration, some Fully program features will become unavailable or will have their functioning jeopardized.
Use of information received through Google Fit’s APIs will be compliant with the Developer Data and Google Fit’s User Policy. Including the Requirements of Limited Use, which are stated in the Developer Data and Google Fit’s User Policy, available at https://developers.google.com/fit/policy.
Wellness does not license nor sell your personal data to third party companies for their marketing purposes. However, this may occur with some benefit partners – who provide weekly vouchers or exclusive purchases in the app.
2.3. DURATION OF THE HANDLING, RETENTION AND REMOVAL OF PERSONAL DATA
Wellness and the Fully program will keep your personal data while you are registered with Fully and will eliminate or make them anonymous when the handling is completed in relation to the purposes to which they were collected or when you request its elimination, except when there is a need to meet a regulatory or legal obligation, for the exercise of rights in legal or administrative processes, or other hypothesis provided in the applicable legislation.
2.4. PERSONAL DATA STORAGE
Personal data handled may be stored in Wellness’s own server, in São Paulo, in the United States of America or in Germany, or third party servers hired for this purpose, located in Brazil or abroad.
2.5. INTERNATIONAL TRANSFER OF DATA
Personal data collected by Wellness will be shared with servers hosted in Germany and Brazil. Subsequently, the data will be processed and consolidated in Wellness’s cloud computing in the United States, where it will be filed together with the strategic partner data in the so-called Wellness data lake.
Even when sharing client personal data internationally, Wellness observes all requirements established in current law and adopts the best market practices aiming at ensuring the protection and privacy of such data.
By accepting these terms and conditions, you authorize, consent and agree, in a free, clear and informed way, to share your personal data according to any information previously described. It is important to highlight that you have the option to remove your consent to share personal data at any time, however, in this case, whenever the handling activity requires your consent, we will inform you about the consequences for revoking the consent – mainly that your access to the Fully program may be interrupted.
2.6. HOW IS DATA MAINTAINED SAFE?
Wellness has and demands from its partners, internal policies and procedures, whose objective is to preserve your privacy, ensuring safety and protection of your personal data. In this context, we have adopted technical measures able to maintain your personal data safe and protected from unauthorized accesses and accidental or illicit events of destruction, loss, change, communication or any other form of improper or illicit handling, always considering the applicable rules of data protection and information security.
In this particular case, Wellness maintains and, periodically, will improve the technical, administrative and organizational measures, in order to ensure the safety of the Personal Data stored and mitigate possible risks.
Appropriate safety measures have been used since their conception to ensure personal data protection and prevent access of unauthorized individuals.
Wellness submits to safety systems and policies, as well as periodic analyses aiming to protect data.
The partner procedures to maintain your data safe include, but are not limited to: a) conclusion of confidentiality agreements with the companies they hire to assist them on providing services to you; b) maintenance of strict confidentiality policies which apply to all their employees; c) use of protected access passwords to the files stored in the partner’s computers; as well as d) limitation of access to your personal data to employees and hired parties who need to know this information to operate, develop or improve services.
2.7. DATA OF MINORS
The Fully program is not available for individuals under age 18. Even if a partner allows the use of the wellness journeys to minors, Wellness does not. As stated in item 6 of the Terms and Conditions, being over 18 years of age is one of the necessary requirements to use the platform. Therefore, there will be no intentional handling of data from minors by Wellness.
2.8. WHAT ARE YOUR RIGHTS?
As the personal data owner and our client, you have the following rights related to your personal data:
- to access, revise and know if we performed any handling of your personal data and request an electronic copy of the information we have on you;
- to correct or request correction of incomplete, inaccurate or outdated personal data, by the means required in the specific regulation, when necessary;
- to request the anonymization, blockage or elimination of unnecessary or excessive data;
- to request the portability of data to other service or product providers, upon express request, in accordance with the national authority regulation, respecting commercial and trade secrets;
- to request elimination of data collected and used with your consent;
- to obtain information on public or private entities with whom we shared your personal data;
- when the handling activity requires your consent, you may decline it. If you decline consent or request us to revoke a previously given consent, we will inform you about the consequences of not performing such activity;
- when the handling activity requires your consent, you may revoke it at any time.
To exercise your rights, please contact the customer support channel. In case you have questions, we remain available through the channels below: Phone number: 0800 725 1016 (from Monday to Friday, from 8 AM to 8 PM). Email: email@example.com. If for any reason you have not yet solved your problem, please contact the Wellness DPO, in care of Claudinei Vieira, at the email address firstname.lastname@example.org.
3. HANDLING PERSONAL DATA BY PARTNERS
Integrator of data among different partners
Partner responsible for the technology
Carevoice API Gateway
Partner responsible for the technology
Vitality Group International, Inc
Partner responsible for the technology
Savvi Financial LLC
Partner responsible for the technology
Jornada de bem-estar
Partner responsible for the technology
As mentioned in items 2.1 and 2.2, your personal data may be shared through partner API integration (App Programming Interface), such as Google Fit, Apple Health, Samsung Health, Strava, Garmin, etc. We allow the integration with third party APIs to offer resources integrated to the different wellness journeys. You may choose to share your personal data or not. In the event you choose not to share it, some features of the Fully program may become unavailable to you or present flaws. The information collected by these third parties is subject to their terms and policies. Wellness is not liable for third parties’ terms and policies belonging.
3.1 GOOGLE FIT INTEGRATION
Google Fit is an app or service with one or more resources to benefit health and fitness users by means of a user interface which allows users to write directly in the journal, to report, monitor and/or analyze, as well as to synchronize their physical activities, sleep, mental wellness and nutrition, health measures, physical descriptions and/or other descriptions and measurements related to health or wellness.
Limited uses of user data:
- By accessing Google Fit APIs for a particular use, the data obtained must fulfill the following requirements. These requirements apply to confidential and strict permissions, to raw data obtained from Google Fit APIs and aggregated, anonymized, or unidentified data or those derived from raw data.
- To limit user data utilization to provide or improve its appropriate use or visible and major resources in user interface of the requesting application.
We only transfer user data to third parties:
- To provide or improve its appropriate use case or resources which are clear from the requesting application user interface;
- If required for safety reasons (for example, to investigate abuses);
- In compliance with applicable laws; or
- As a part of a merger, acquisition, or sale of the developer’s assets after obtaining prior explicit consent from the user.
We do not allow people to read user data, unless:
- Explicit user consent to read specific data is obtained (for example, helping users to re-access the product or a service after losing their password);
- It is required for safety reasons (for example, to investigate abuses);
- To comply with applicable laws; or
- The data (including derivations) is aggregated, anonymized and used for internal operations in accordance with applicable privacy and other jurisdictional legal requirements.
All other transfer, utilization or sale of user data collected from Google API is strictly prohibited, including:
- User data transfer or sale to third parties, such as advertisement platforms, data brokers or any information resellers.
- Transfer, sale, or utilization of user data to run ads, including customized or interest-based advertisement.
- Transfer, sale, or utilization of user data to determine creditworthiness or for loan purposes.
- Transfer, sale, or utilization of user data with any product or service, which may be qualified as a medical device not fulfilling the local legal requirements.
- Transfer, sale, or utilization of user data for any purpose or in any way related to Protected Health Information (as defined by local legislation), unless Wellness receives prior approval in writing from Google for such use.
Minimum scope necessary to access Google Fit APIs:
- We only request access to the required permissions to implement the resources of our product or services. In the event our product or service does not require access to specific permissions, access to these permits will not be requested.
Secure data handling:
- We have taken reasonable and appropriate measures to protect all applications or systems using Google Fit’s API Services against the access, use, destruction, loss, unauthorized or illegal changes or disclosure.
- We have implemented an Information Security Management System, as described in ISO/IEC 27001, in addition to the fact that our application or web service is free from common security issues, as defined by OWASP Top 10.
Our security measures also include:
1 – Use of an encryption standard accepted by the industry to encrypt user data, which is:
- Stored on portable devices or using mobile electronic means;
- Maintained outside of Google or its systems;
- Transferred using any external network not exclusively managed by it; and
- At rest in the system.
2 – Transmission of data using secure modern protocols (for example, HTTPS).
3 – Maintaining user data and credentials, specifically OAuth access tokens and updating encrypted tokens at rest.
4 – To ensure that keys and key-material are properly managed, as they are stored in a hardware security module or in an equivalent power key management system.
Access to the Google Fit APIs cannot be used in violation of this Policy or other terms and conditions or Google’s applicable policies.
Use of information received from Google Fit APIs must be in accordance with the Google Fit’s Developer and User Data Policy, including the Use Requirements Limited Policy.
Access to Google’s API console system follows the standards and tokens requested by Google. The integration system for health data collection meets Google’s authentication and security rules (Goggle API console using OAuth token).
4. DIGITAL MARKETING
By joining and participating in the Fully application, you understand and acknowledge that Wellness may send you marketing communications via social networks such as: Facebook, Instagram, Google, Linkedin, etc. In addition, Wellness may also contact you via Whatsapp. You, however, may opt out of receiving marketing communications by sending a request to the e-mail address email@example.com or by phone at 0800 725 1016. You may also opt-out by clicking on the link that will be included in all e-mail communications. If you opt-out, you may not receive useful information about rewards and benefits.
6. HOW TO CONTACT US
7. IMPORTANT DEFINITIONS
For the purposes of this document, the following definitions and descriptions should be considered for your better understanding:
Benefits are related to discounts, exclusive offers, cashback rewards and other benefits related to products and/or services offered periodically by our partners and available to Fully members through the Fully Program.
Coins (moedas), which means “coins” (moedas) in English, and they are accumulated by meeting objectives and activities throughout the journeys. They have value and may be exchanged within the Marketplace.
Free, informed and clear expression of the owners, who authorize handling of their personal data for a specific purpose.
Anonymized data/anonymous data
Data related to owners who cannot be identified, considering the use of reasonable technical means, available at the moment of its handling.
Information related to the identified or identifiable individual such as name, Individual Taxpayer Identification Number (CPF), email and phone number.
Sensitive personal data
Personal data about racial or ethnic origins, religious belief, political opinion, union membership, religious, philosophical or political organization, data related to health or sexual life, genetic or biometric data when related to an individual.
Reason for which the personal data will be handled or desired objective to be attained through handling of such data.
Products and services store linked to the platform, responsible for performing the exchange of coins for products and sending them to users.
Global Points (Liable Company)
[Insert complete denomination], business company headquartered at [insert headquarter address], [insert registration number and other relevant information]. Fully program Partner is responsible for the Global Points Marketplace.
It is related to the online store present in the Fully program, which is known as Global Points.
Strategic Partners/Fully Program Partners
Companies, associations or any persons, entities, firms or corporations offering products or services as part of the Fully program.
Individual to whom the personal data relates.
Every operation performed containing personal data in its life cycle, such as collection, sharing, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of the information, change, communication, transfer, propagation or extraction.
Wellness Services Ecossistema de Bem Estar Ltda., company headquartered at Av. das Nações Unidas, 14401 – 7º floor - Chácara Santo Antônio, São Paulo - SP, 04730-090, registered under CNPJ/ME 32.300.669/0001-95.
Date of the last update: January 19th, 2023