Ceris Privacy Policy 

Effective Date: January 1, 2020 

We refer to the above websites and all related websites as “sites” and to each of them as a “site.” When we refer to “we,” “us,” or “our,” we mean CorVel, or the specific division, subsidiary, or affiliate that operates a site, provides its content, or processes information received through it, each as appropriate and applicable. When we refer to “you” or “your,” we mean the person accessing the site. If the person accessing the site does so on behalf of, or for the purposes of, another person, including a business or other organization, “you” or “your” also means that other person, including a business organization. 

This Privacy Policy applies to your use of our Services, and covers information collected in connection with your access to and use of our Services, including those Services provided through our sites and/or online. Please read this Privacy Policy carefully. By continuing to interact with our Services, you are consenting to the practices described in this Privacy Policy. 

I. OUR PRIVACY POLICY INCLUDES: 

 GENERAL DISCLOSURES 

 WHAT INFORMATION WE COLLECT 

 HOW WE USE YOUR INFORMATION 

 WHEN AND WITH WHOM DO WE SHARE YOUR INFORMATION 

 COOKIES POLICY 

 HOW TO RESTRICT COOKIES 

 THIRD-PARTY ADVERTISING AND ANALYTICS 

 LINKING SITES 

 SOCIAL MEDIA 

 HOW LONG WE RETAIN YOUR INFORMATION 

 MARKETING AND PROMOTIONAL COMMUNICATIONS 

 CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA) COMPLIANCE AND RELATED INFORMATION 

 SECURITY 

 CALIFORNIA CONSUMERS 

 CHANGES TO THIS PRIVACY POLICY 

 CONTACT US 

 INTERNATIONAL PRIVACY POLICY 

 TABLE OF COOKIES 

II. GENERAL DISCLOSURES 

Each of the sites is hosted in the United States and their intended use is Business to Business. If you are visiting the sites from outside of the United States, please note that by providing your information it is being transferred to, stored or processed in the United States and other countries, where our data center and servers are located and operated. This section sets forth the general privacy policy for the United States and other jurisdictions not otherwise specifically covered by the below jurisdiction-specific policies. Depending on your state or country of residence, applicable privacy laws may provide you the ability to request access to, correction of or deletion of your information, as further outlined below. If you are outside the United States please see the provisions in our INTERNATIONAL PRIVACY POLICY. If you are outside the United States and do not wish to allow the transfer of your personal information to the United States, you should not use these sites and you should opt-out of the collection of cookies. View our COOKIES POLICY. 

Business information. We collect your business contact information, such as your full name and your business name, email address, telephone number, address and other work-related information you provide to us in the course of providing our Services to you or your organization. 

We take your privacy and the protection of your personal information seriously. We will only store, process and disclose your personal information in accordance with applicable law. We will make it clear when we collect personal information and will explain what we intend to do with it. We do our best to protect your privacy through the appropriate use of information security measures. 

III. WHAT INFORMATION WE COLLECT 

1. Information You Provide To Us Directly 

CorVel may collect different information from or about you depending on the manner in which you use our sites or Services. The following examples are provided to help you better understand the information we may collect through your use of the sites or in the course of us providing our Services. 

For Individuals: We may collect, use, store and transfer different kinds of personal information about you, which we have grouped together as follows:  

 Identity Information includes first name, middle initial, last name, date of birth, gender, race, Social Security number, driver’s license number, tax identification number, marital status, signature. 

 Contact Information includes personal mailing address, email address, telephone number. 

 Medical Information includes medical condition, psychological trends, disabilities, behavioral information, aptitudes, hospital reports, physical characteristics/description, sleep and exercise information, injury information. 

 Insurance Information includes health insurance number, policy/plan information, Health Insurance Claim Number/Medicare Beneficiary Identifier. 

 Social Media Information includes a search of your social media accounts. 

 Employment Information includes work history and military or veteran status. 

 Biometric Information includes gait patterns or rhythms, voice recordings. 

 Financial Information includes bank account information and payment card details. 

 Technical Information includes internet protocol (IP) address, geolocation. your login data, time zone setting and location (geocodes), auth0 logs, pages visited, pages viewed, events and page loads, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. 

 Profile Information includes your username and password, your preferences. 

 Usage Information includes information about how you use our website, products and services. 

2. Information Received Through Third-Party Platforms 

You may access our sites through third-party platforms, such as Facebook. If you use our sites on or through a third-party platform, including via any mobile and/or other Internet connected devices (“Wireless Devices”), or click on third-party links, the collection, use, and disclosure of your information and your use of the sites will also be subject to the privacy policies and other terms of such third parties or third-party platforms. You should review such privacy policies, terms and other agreements. 

3. Collection Of Technical Information And Usage Information 

When you access CorVel’s sites, we automatically collect certain information. This information may include without limitation: (a) technical information about your computer or Wireless Device, such as your IP address, geolocation information, device type, operating system type and version, unique device ID, browser, browser language, domain and other systems information or platform types (collectively “Technical Information”); and (b) usage statistics about your interaction with CorVel’s sites, including pages accessed, referring website address(es) time spent on pages, pages visited, search queries, click data, date and time and other information regarding your use of CorVel’s sites (collectively “Usage Information”). 

This Technical Information and Usage Information, which may be linked to your personal information, is collected through the use of server logs and tracking technologies, including: (i) cookies, which are small pieces of code that websites send to your computer or Wireless Device to uniquely identify your browser or mobile device or to store information in your browser setting; and (ii) web beacons, which are small objects that allow us to measure the actions of visitors using the CorVel’s sites. For more detailed information regarding how we use cookies and other technology, please review the additional information in our COOKIES POLICY. 

IV. HOW WE USE YOUR INFORMATION 

We may use information about you for a number of purposes, including: 

1. Providing, Improving And Developing Our Services 

 Providing CorVel’s Services, including completing the transaction for which the personal information was collected, such as processing your claims; 

 Facilitating medical care and payment of medical claims, including enrolling individuals in Medicare services; 

 Performing our contractual obligations with our customers; 

 Maintaining and improving our Services, including performing safety and quality controls of the Services; 

 Developing new products and Services; 

 Delivering the information and support you request; 

 Improving, personalizing and facilitating your use of our Services; and 

2. Communicating With You About Our Services 

 Responding to questions or concerns; and 

 Sending you information we think you may find useful or which you have requested from us about our Services. 

3. Protecting Our Services And Maintaining A Trusted Environment 

 Enforcing our Terms of Service or other applicable agreements or policies; 

 Complying with any applicable laws or regulations, or in response to lawful requests for information from the government or through legal process; 

 Fulfilling any other purpose disclosed to you in connection with our Services; and 

 Contacting you to resolve disputes and provide assistance with our Services. 

4. Advertising And Marketing 

 Marketing of our Services; and 

 Communicating with you about opportunities, products and services offered by us and select partners. 

 If we send you marketing emails, each email will contain instructions permitting you to “opt out” of receiving future marketing or other communications. 

 If we obtain any personal information from you we will not sell it to third parties, nor will we allow third parties with whom we share your personal information to sell it. 

 Measuring, tracking and analyzing trends and usage in connection with your use or the performance of our Services. 

5. Other Uses 

 For any other purpose disclosed to you in connection with our Services from time to time. 

V. WHEN AND WITH WHOM DO WE SHARE YOUR INFORMATION 

1. We Do Not Sell Your Information 

We do not sell your personal information to third parties. CorVel does not sell the personal information of minors under sixteen (16) years of age. 

2. When And How We May Share/Disclose Your Information With Third-Parties 

We will share your information with the following third parties and under the circumstances described below or as otherwise described in this Privacy Policy: 

 We may share your information with third parties at various stages of processing your claims, including with healthcare providers who provide independent medical examinations, insurance carriers, legal counsel, your employer, medical equipment companies, claims adjusters, companies that structure settlements/annuities and determine lifespans and state and other government agencies; 

 We may share your information with third parties, such as the Centers for Medicare and Medicaid Services, for purposes of mandatory reporting; 

 We may share your information with third parties for purposes of monitoring individuals throughout the claims process; and 

 We may share your information with third-party companies that perform services on our behalf, including for payment processing, data analysis, marketing services, advertising services, email and hosting services, and customer services and support. These service providers may access your personal information and may only use it as directed by us for the purpose of our requested service. 

We require all third parties to respect the security of your personal information. We do not allow our third-party service providers to use your personal information for their own purposes and they are only permitted to process your personal information in accordance with our instructions. 

3. Corporate Transactions 

We may share all or part of your personal information with other business entities in connection with the sale, assignment, merger or other transfer of all or a portion of CorVel’s business or assets to such business entity (including due to a sale in connection with a bankruptcy). We will require any such purchaser, assignee or other successor business entity to honor the terms of this Privacy Policy. 

4. Disclosure Of Information For Legal Purposes 

CorVel may disclose all or part of your personal information when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating any agreement with CorVel, or may be causing injury to or interference with (either intentionally or unintentionally) our rights or property, other users of our sites, or anyone else that could be harmed by such activities. We may disclose information in response to a subpoena, search warrant, in connection with judicial proceedings, or pursuant to court orders, legal process or other law enforcement measures. CorVel may disclose or access personal information when we believe in good faith that the law requires it, to establish our legal rights or to defend against legal claims, and for administrative and other purposes that we deem necessary to maintain, service and improve our Services. 

5. Analytics And Data Enrichment Services 

We use third-party analytics such as Google Analytics to help understand your usage of our sites and to improve our Services. 

6. Aggregated, Anonymized Or De-identified Information 

We may disclose or use aggregated, anonymized or de-identified information for any purpose. Aggregated, anonymized or de-identified information is information that can no longer reasonably identify a specific individual. Although such information may be derived from your personal information, it can no longer directly or indirectly reveal your identity. 

VI. COOKIES POLICY 

Like many online platforms, CorVel and its analytics vendors use server logs and automated data collection tools, such as browser cookies, pixel tags, scripts and web beacons. These tools are used for analytics purposes to enable CorVel to understand how users interact with the sites and Services. CorVel and its analytics vendors may tie the information gathered by these means to the identity of users. 

Cookies are small text files placed on a computer or device while browsing the Internet. Cookies are used to collect, store and share bits of information about user activities. CorVel uses both session cookies and persistent cookies. 

Session cookies are used to identify a particular visit to CorVel’s sites and collect information about your interaction with the sites. These cookies expire after a short time or when the user closes their web browser after using the sites. CorVel uses these cookies to identify a user during a single browsing session, such as when you log into the sites. This helps CorVel improve the sites and Services as well as improve the users’ browsing experience. 

A persistent cookie will remain on a user’s device for a set period of time specified in the cookie. CorVel uses these cookies to identify and recognize a specific user over a longer period of time. They allow CorVel to: 

 analyze the usage of the sites (e.g. what links users click on) in order to improve our offering; 

 test different versions of the sites to see which particular features or content users prefer to optimize the sites; 

 provide a more personalized experience to users with more relevant content and course recommendations; and 

 allow users to more easily log in to use the sites and Services. 

Examples of persistent cookies include: (i) preferences cookies to remember information about a user’s browser and settings preferences, such as preferred language – preference cookies make a user’s experience more functional and customized, (ii) authentication and security cookies to enable a user to log in or stay logged in to access the sites and Services, to protect user accounts against fraudulent log-ins by others and to help detect and protect against abuse or unauthorized usage of user accounts and (iii) functional cookies to make the experience of using the sites and Services better, like remembering the sound volume level selected by the user. 

CorVel uses tracking technology to: (i) determine if a certain page was visited or whether an email sent by CorVel was opened or clicked on by a user; and (ii) to customize the experience of individual users by recommending specific content. 

We also use clear gifs in HTML-based emails sent to our users to track which emails are opened and clicked on by recipients. We may use the information we obtain from the cookie in the administration of the sites, to improve the usability of the sites and for marketing purposes. We may also use that information to recognize your computer when you visit our sites, and to personalize our sites for you. 

Cookies and information captured through our sites are stored for a certain retention period, however you can eliminate these cookies any time before the expiration date. Below is our

TABLE OF COOKIES. 

VII. HOW TO RESTRICT COOKIES 

You can adjust the settings in your browser in order to restrict or block cookies that are set by the sites (or any other website on the Internet). Your browser may include information on how to adjust your settings. Alternatively, you may visit www.allaboutcookies.org to obtain comprehensive general information about cookies and how to adjust the cookie settings on various browsers. This site also explains how to delete cookies from your computer. 

You can control and delete these cookies through your browser settings through the following: 

 Google Chrome 

 Mozilla Firefox 

 Safari 

 Opera 

 Microsoft Internet Explorer 

 Microsoft Edge 

 Safari for iOS (iPhone and iPad) 

 Chrome for Android 

Or you can also use the following cookie management and disposal tool from Google Analytics by downloading and installing the browser plug-in from the following link: http://tools.google.com/dlpage/gaoptout. 

Please be aware that restricting cookies may impact the functionality of the Services. Most browsers allow you to refuse to accept cookies. Additional general information about cookies, including how to be notified about the placement of new cookies and how to disable cookies, can be found at www.allaboutcookies.org. 

VIII. THIRD-PARTY ADVERTISING AND ANALYTICS 

We may use third-party service providers to provide site metrics and other analytics services. These third parties may use cookies, web beacons and other technologies to collect information, such as your IP address, identifiers associated with your device, other applications on your device, the browsers you use to access our sites and Services, webpages viewed, time spent on webpages, links clicked and conversion information (e.g., transactions entered into). This information may be used by CorVel and third-party service providers on behalf of CorVel to analyze and track usage of our sites and Services, to determine the popularity of certain content and to better understand how you use our sites and Services. The third-party service providers that we engage are bound by confidentiality obligations and other restrictions with respect to their use and collection of your information. 

This Privacy Policy does not apply to, and we are not responsible for, third-party cookies, web beacons or other tracking technologies, which are covered by such third-parties’ privacy policies. For more information, we encourage you to check the privacy policies of these third-parties to learn about their privacy practices. For more information about targeted advertising specifically, please visit http://www.aboutads.info/choices. 

IX. LINKING SITES 

The sites contain links to other websites. CorVel is not responsible for the privacy practices or the content of such websites, including any websites that may indicate a special relationship or partnership with us (such as co-branded pages or "powered by" or "in cooperation with" relationships). We do not share information we gather with other websites or any other entities or individuals unless such sharing is disclosed to you in advance through this Privacy Policy. Other linked websites, however, may collect personal information from you that is not subject to our control. To ensure protection of your privacy, always review the privacy policy of the websites you may visit by linking from the sites. Please note that this Privacy Policy applies only to our sites, and not to other companies' or organizations' websites to which we link. 

For instance, information collected through Google Analytics is shared with Google and its partners who may combine it with other information you provided to them or they collected from your use of their services. This information is stored in Google’s servers according to their privacy practices. 

X. SOCIAL MEDIA 

We may collect information from other sources, such as social media platforms that may share information about how you interact with our social media content. We do not control how your personal information is collected, stored or used by such third-party websites or to whom it is disclosed. You should review the privacy policies and settings on any social media website that you subscribe to so that you understand the information they collect and may be sharing. If you do not want your social media websites to share information about you, you must contact that website and determine whether it gives you the opportunity to opt-out of sharing such information. CorVel is not responsible for how these third-party websites may use information collected from or about you. 

Further, our sites may include social media features, such as the Facebook Like button. Our integration of these features may allow third-party social media to collect certain information, such as your IP address and which page(s) you are visiting when using our sites and Services, and to set a cookie to enable that feature to function properly. Your interactions with these features are governed by the privacy policy of the company providing it. 

XI. HOW LONG WE RETAIN YOUR INFORMATION 

We generally retain your information as long as reasonably necessary to provide you the Services or to comply with applicable law and in accordance with our document retention policy. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means and the applicable legal requirements. We may retain copies of information about you and any transactions or Services you have used for a period of time that is consistent with applicable law, applicable statute of limitations or as we believe is reasonably necessary to comply with applicable law, regulation, legal process or governmental request, to detect or prevent fraud, to collect fees owed, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce other applicable agreements or policies or to take any other actions consistent with applicable law. 

In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. This allows the specific information collected (name, email, address, phone number, etc.) to become anonymous, but allows CorVel to keep the transaction or engagement data. For example, CorVel will not be able to tell if John Smith registered for an event, but we will be able to tell that a person registered for an event and maintain headcount and transactional history. This will allow CorVel to maintain a level of information that helps us develop and improve our sites and Services. 

XII. MARKETING AND PROMOTIONAL COMMUNICATIONS 

You may opt-out of receiving marketing and promotional messages from CorVel, if those messages are powered by CorVel, by following the instructions in those messages. If you decide 

to opt-out, you will still receive non-promotional communications relevant to your use of our Services. 

XIII. CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA) COMPLIANCE AND RELATED INFORMATION 

The Children’s Online Privacy and Protection Act (COPPA) regulates online collection of information from persons under the age of 13. It is our policy to refrain from knowingly collecting or maintaining personal information relating to any person under the age of 18. If you are under the age of 18, please do not supply any personal information through the sites. If you are under the age of 18 and have already provided personal information through the sites, please have your parent or guardian contact us immediately using the information provided under CONTACT US so that we can remove such information from our files. 

XIV. SECURITY 

We take reasonable measures, including administrative, technical, and physical safeguards, to protect your information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. We hold information about you both at our own premises and with the assistance of third-party service providers. Further public disclosure here of our security measures could aid those who might attempt to circumvent those security measures. If you have additional questions regarding security, please feel free to contact us directly using the information provided under CONTACT US. To ensure that our employees comply with our privacy policies, we have developed a training program that provides all employees with the tools and knowledge to protect your personal information in all aspects of their work. Any employee who violates our privacy policies is subject to disciplinary action, including possible termination and civil and/or criminal prosecution. 

XV. CALIFORNIA CONSUMERS 

The California Consumer Privacy Act (“CCPA”) permits residents of California to have the following additional rights. For more information, or if you have questions, you can contact us using the information provided under CONTACT US. For your protection, CorVel is required to collect certain information from you to verify your identity before we respond to any request submitted by you. The information you provide to verify your identity will only be used for verification purposes, and a record of your request, including certain information contained within it, will be maintained by CorVel for its files. 

1. California Residents Have The Right To Request CorVel Disclose What Information It Collects, Uses And Discloses 

California residents have the right to request that CorVel disclose what personal information CorVel collects, uses and discloses about them. The general categories of personal information CorVel collects about California residents are listed above under WHAT INFORMATION WE COLLECT. If you are a California resident and would like to request the specific personal information that CorVel collects, uses and discloses about you, please complete this REQUEST 

FORM and send it to CorVel using the information provided under CONTACT US or contact CorVel at this toll-free number. 

2. California Residents Have The Right To Request The Deletion Of Their Personal Information Maintained By CorVel 

California residents have the right to request that CorVel delete the personal information CorVel maintains about them. CorVel will make every effort to comply with California residents’ requests to delete their personal information, however, certain laws or other legal requirements might prevent some personal information from being deleted. If you are a California resident and would like to request the deletion of your personal information, please complete this REQUEST FORM and send it to CorVel using the information provided under CONTACT US or contact CorVel at this toll-free number. To verify any request to delete personal information, you will be required to provide the information contained in the request form. Failure to do so could result in CorVel’s inability to comply with your request. 

3. California Residents Have The Right To Non-Discrimination For The Exercise Of Their Privacy Rights Under The CCPA 

Under the CCPA, California residents have the right not to receive discriminatory treatment by CorVel for the exercise of their privacy rights. However, the exercise of certain privacy rights by California residents will make it so that CorVel is no longer able to provide those residents with certain services. For example, if, at the request of a California resident, CorVel deletes all of the California resident’s personal information that it maintains, CorVel will no longer be able to send marketing communications to that California resident. 

4. California Residents Can Designate An Authorized Agent To Make A Request Under The CCPA On Their Behalf 

California residents can designate an authorized agent to make requests under the CCPA related to the residents’ personal information. CorVel can deny any request made by an agent who does not submit proof that he or she has been authorized by the California resident to act on the California resident’s behalf. For more information on submitting a request on behalf of a California resident as an authorized agent, you can contact us using the information provided under CONTACT US. 

5. Do Not Track 

Do Not Track (“DNT”) is an optional browser setting that allows you to express your preferences regarding tracking across websites. Most modern web browsers give you the option to send a Do Not Track signal to the websites you visit, indicating that you do not wish to be tracked. However, there is no accepted standard for how a website should respond to this signal, so we do not take any action in response to this signal. CorVel does not have a mechanism in place to respond to DNT signals. Instead, in addition to publicly available third-party tools, we offer you the choices described in this Privacy Policy to manage the collection and use of information about you. 

CorVel does track some activity across websites (including your search terms, the website you visited before you visited or used the Services and other clickstream data) and we may continue to collect information in the manner described in this Privacy Policy from web browsers that have enabled DNT signals or similar mechanisms. 

XVI. CHANGES TO THIS PRIVACY POLICY 

This Privacy Policy may be revised from time to time as we add new features and Services, as laws change and as industry privacy and security best practices evolve. We display an effective date on this Privacy Policy at the top of this Privacy Policy so that it will be easier for you to know when there has been a change. If we make any material change to this Privacy Policy regarding use or disclosure of personal information, we will provide notice on our sites. Changes will apply to information collected after the change is effective. Please check this Privacy Policy periodically for changes. Small changes or changes that do not significantly affect individual privacy interests may be made at any time and without prior notice. Your use of the sites constitutes acceptance of the provisions of this Privacy Policy and your continued usage after such changes are posted constitutes acceptance of each revised Privacy Policy. If you do not agree to the terms of this Privacy Policy or any revised Privacy Policy, please exit the sites immediately. If you have any questions about this Privacy Policy, the practices of the sites or your dealings with the sites, you can contact us by using the information provided under CONTACT US. 

XVII. CONTACT US 

Please contact CorVel with any questions or concerns regarding this Privacy Policy. 

Attention: Privacy Officer 

CorVel Corporation 

111 SW Fifth Ave., Suite 200 

Portland, OR 97204 

Toll-Free Number: 855-872-6674 

PrivacyInquiry@CorVel.com 

If you have any questions or concerns regarding our Privacy Policy, or if you believe our Privacy Policy or applicable laws relating to the protection of your personal information have not been respected, you may file a complaint with CorVel using the contact information listed above, and we will respond to let you know who will be handling your matter and when you can expect a further response. We may request additional details from you regarding your concerns and may need to engage or consult with other parties in order to investigate and address your issue. We may keep records of your request and any resolution. 

XVIII. INTERNATIONAL PRIVACY POLICY 

THIS INTERNATIONAL PRIVACY POLICY ONLY APPLIES TO SYMBEO.COM. 

Both the above general Privacy Policy and this International Privacy Policy (the “International Policy”) apply to those visiting the site(s) or using our Services from Canada and member states of the European Union except that, for such persons (and only for such persons), where the provisions of the general Privacy Policy and the International Policy cannot be construed consistently, the International Policy will govern. 

The Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the European Union General Data Protection Regulation (“GDPR”) impose requirements regarding the collection, use, and disclosure of personal data in relation to our commercial activities, as does private-sector privacy legislation in their local jurisdictions, provinces and territories. 

THIS INTERNATIONAL POLICY APPLIES TO ALL PERSONAL DATA ABOUT YOU THAT WE COLLECT, HOLD, USE AND DISCLOSE, REGARDLESS OF THE WAY IN WHICH WE COLLECT IT (I.E. WHETHER THROUGH A SITE OR OTHERWISE). 

1. Personal Data 

In this International Policy, personal data is as defined by applicable European Union and Canadian law. It generally means any information about an identifiable individual. It may include your name, age, mailing address, residential phone number, or e-mail address, personal history (including financial and credit information, personal health information, billing history, personal family and relationship matters, and penal or criminal information), personal information related to corporate involvements, work experience (past and present), discipline, income and benefits, medical records, tax records and security clearances. 

2. Collection Of Personal Data 

We collect personal data from the site(s), as well as through correspondence, faxes, live chats, e-mails, telephone inquiries, web forms, and other means of communication. We collect such information when we provide publication services, digital services and other lawful purposes. 

We (and our affiliates and authorized service providers) may collect, store and use the information discussed above in WHAT INFORMATION WE COLLECT. 

We also may collect information about your computer and your visits to the site(s) such as your IP address, geographical location, browser type, domain names, referring website addresses, access times, length of visit and number of page views. We may use this information in the administration of the site(s), to improve the usability of the site(s), to provide better service, to send you newsletters, updates, marketing communications, and other information or that may be of interest to you. We also use outside services such Google Analytics to gather data about visitors to our site(s). We may sometimes permit our authorized service providers to have access to aggregate statistics about our customers, sales, traffic patterns, usage and related information. 

We often collect personal data from you or from third-parties and as agents on behalf of third parties, where we have obtained the requisite consent to do so or as otherwise permitted by law. Third parties include, as examples, organizations for whom we provide services to you or on your behalf, and organizations that perform outsourcing and other services for us (such as payment processors, warranty and other service organizations, and systems development and maintenance organizations). 

Where we are the Data Controller with regard to that data you may exercise your rights as data subject, including the right to object to the processing of your personal data when it is processed based on legitimate interests as provided in this International Policy below. 

3. How We Use Personal Data 

As a general matter, we collect your personal data primarily to provide services to our customers, for administrative or management requirements and to enhance our relationship with customers. 

CorVel collects and uses your personal data to operate its site(s) and deliver the Services you have requested. 

CorVel may also use your personal data to inform you of other products or services available from CorVel and its affiliates. 

CorVel does not sell, rent or lease its customer lists to third-parties. 

CorVel may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your personal data (e-mail, name, address, telephone number) is not transferred to the third-party. CorVel may share data with trusted partners to help perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third-parties are prohibited from using your personal data except to provide services to you, and they are required to maintain the confidentiality of your data. 

CorVel may keep track of the websites and pages our users visit within CorVel, in order to determine what Services are the most popular. This data is used to deliver customized content and advertising within CorVel to customers whose behavior indicates that they are interested in a particular subject area. 

CorVel will disclose your personal data, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on CorVel or the site; (b) protect and defend the rights or property of CorVel; and, (c) act under exigent circumstances to protect the personal safety of users of CorVel, or the public. 

4. The Basis On Which We Process Your Personal Data 

We rely on the following legal grounds to process your personal data, namely: 

a) Performance of a contract – We may need to collect and use your personal data to enter into a contract or to perform a contract that you or your company has with us. 

b) Consent – Where required by applicable laws, we will rely on your consent for collecting your personal data. 

c) Legitimate interests – We may use your personal data for our legitimate interests to improve our services. Consistent with our legitimate interests and any choices that we offer or consents that may be required under applicable laws, we may use technical information as described in this Privacy Policy and International Policy and use personal data for our marketing purposes. 

We will only process personal data for a specific purpose or for any other purposes specifically permitted by applicable data protection legislation. 

5. Obtaining Consent 

Except when otherwise permitted by law, we obtain the requisite consent prior to collecting and, in any case, prior to using or disclosing your personal data for any purpose. You may provide your consent to us orally, in writing, by electronic communication or any other means reasonably capable of conveying your consent. We will obtain your express consent if we collect, use or disclose sensitive personal data in our capacity as a data controller. We may also share data with third-party partners for whom you have given us consent. Your consent may also be intrinsic to the circumstances such as in the case where you have already provided personal data to us and you maintain your relationship with us or where you provide our representatives with your phone number so that we can contact you. Except when otherwise permitted by law, we will only use the data for the purpose for which it was given. From time to time, we may collect, utilize or disclose your personal data based on your consent and as otherwise permitted by law. 

When your consent is required, you may withdraw your consent at any time (unless withdrawing the consent would frustrate the performance of legal obligations) upon providing to us a 30-day notice. However, the withdrawal of your consent may adversely affect our ability to provide Services to you and to maintain our relationship. 

6. Third-Parties 

We remain responsible for all personal data communicated to third parties for processing. As such, we ensure that third-parties that are engaged to provide products or services on our behalf and are provided with personal data are required to observe the intent of this International Policy by having comparable levels of security protection or, when required, by assuring us (through a confidentiality agreement) that they will not use or disclosure the personal data for any purpose other than the purpose for which the personal data was communicated. 

7. Limitations 

We only collect the personal data necessary to fulfill the purposes identified to you prior to or at the time of collection, or any other reasonable and legitimate purposes or as required by law. 

We do not use or disclose your personal data, except for the purposes for which it was collected, or new purposes to which you have consented, or as required or otherwise permitted by applicable law. 

We do not, as a condition of providing services to you or on your behalf, or as an administrative or management requirement, require consent to the collection, use or disclosure of personal data beyond what is reasonably required for such purposes, or to comply with our obligations under applicable law. 

8. Retention Of Personal Data 

We may keep a record of your personal data, including correspondence or comments, in a file specific to you. We will utilize, disclose, or retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and for legal or business requirements. We have established minimum and maximum retention periods and procedures for maintaining and destroying your personal data. When personal data is retained to make a decision about you, we will retain such information for the period required in order to comply with our internal data retention policies. 

9. Access And Rights To Your Personal Data 

Subject to the exceptions provided by the applicable law, we will make available to you any of your personal data that we have collected, utilized or disclosed, upon your written request. We will make such information available to you in a form that is generally understandable, including explaining any abbreviations or codes and using an alternative format, if required. If you are located in the European Economic Area (“EEA”), the GDPR provides you the rights of access, rectification, erasure, restriction, objection or portability in line with the type of services being provided. Simply send your request, using the Request Form provided, to the Privacy Officer listed below. Please be as specific as possible in your request so that we can meet the applicable time lines. REQUEST FORM 

If you are located in the EEA, you also have the right to lodge a complaint to your Supervisory Authority. 

10. Response Times 

We will make every reasonable effort to respond to each of your written requests not later than 30 days after receipt of such requests. When applicable, we will advise you in writing if we cannot meet your requests within this time limit. When applicable, you have the right to make a complaint to the appropriate supervisory authority with respect to this time limit. 

11. Costs 

We expect to be able to respond to your request without charge as a general matter. However, we reserve the right to collect a reasonable charge when you request the transcription, reproduction or transmission of such information. We will notify you, following your request for transcription, reproduction or transmission of the appropriate amount that will be charged. You will then have the opportunity to withdraw your request. 

12. Identifying You In Connection With Requests 

We may require that you provide to us sufficient information to identify yourself before we provide information about the existence, use or disclosure of your personal data in our possession. Any such information shall be used only for this purpose. 

13. Opt-Out And Unsubscribe 

We respect your privacy and give you an opportunity to opt-out of receiving certain information. Users may opt-out of using the instructions located in e-mails sent by CorVel or by contacting us using the information under Contact. 

14. Accuracy 

We will use reasonable efforts to ensure that your personal data is kept as accurate, complete and up-to-date as possible. We will not routinely update your personal data, unless such a process is necessary. In order to help us maintain and ensure that your personal data is accurate and up to date, you must inform us, without delay, of any change in the data you provided to us. 

You can at any time, challenge the accuracy or completeness of the personal data we have about you, subject to the exceptions provided by applicable law. If you demonstrate that the personal data we have on you is inaccurate or incomplete, we will amend the personal data as required. Where appropriate, we will transmit the amended data to third parties to whom we have communicated your personal data. 

15. Safeguards 

We use security safeguards appropriate to the sensitivity of personal data to protect it from loss or theft, as well as unauthorized access, disclosure, copying, use or modification. These safeguards include physical measures, such as restricted access to offices and equipment, organizational measures, such as security clearances and publishing this policy to appropriate personnel with instructions to act in accordance with its principles (for example, limiting access on a “need to know” basis), and technological measures, such as the use of passwords and/or encryption. 

Personal data is generally located at our corporate or divisional offices. A list of corporations, divisions, subsidiaries and affiliates to which this Privacy Policy and International Policy apply is available upon request. 

16. Contact 

Please direct all complaints or other inquiries regarding personal information, the General Policy, or the International Policy to our Privacy Manager as follows. 

Mary Parrinello 

Privacy Officer

CorVel Corporation 

111 SW Fifth Ave., Suite 200 

Portland, OR 97204 

PrivacyInquiry@CorVel.com 

XIX. TABLE OF COOKIES