This version of the Privacy Policy is valid for existing Level Customers through December 10, 2023.
Deutsch | Español | Français | Português | Türkçe
We at Level take your privacy seriously. We know that we have a lot of information about you and want to be sure that we use it the right way. This Privacy Policy describes how Level collects, uses, and handles (“Processes”) your information, including information that can be used to identify you (“Personal Information”) when you use our websites, software, and other services (“Services”). Your use of the Services is also subject to the Level Terms of Service available at level.com/legal/terms.
If you are a Level Member or a Logged-In User of Level’s Services (as these terms are defined below), Level Benefits, Inc. is your service provider. If you are otherwise accessing Level’s website or engaging with Level in a marketing capacity, Level Insurance Agency LLC is your service provider. In this policy, references to “Level,” “we,” or “us” are to the applicable service provider.
The types of information we collect about you depends on whether you interact with our Services as a Member, a Logged-In User, or a Visitor (as defined below).
“Members” are individuals who receive Services from Level as an employee or dependent of an employee of one of Level’s customers (the “Customer”). We receive Personal Information about Members when they are enrolled in our Services, when they set up a Level Account, and when they use our Services. Depending on where they live, who the relevant Level Customer is, the type of benefit included in the Level Services that they use or are enrolled in, and what kind of information we receive about them, laws such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other data privacy laws (“Data Privacy Laws”) may apply to our Processing of Members’ Personal Information. Level Processes Personal Information in compliance with all applicable Data Privacy Laws.
In the course of providing our Services to Members, we may receive protected health information (PHI) about them. This PHI could come from the Members themselves, from Customers, or from or on behalf of health care providers and related healthcare specialists, professionals, or organizations (“Providers”). We are committed to maintaining the confidentiality of Members’ PHI, and under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we must take measures to protect any PHI we Process. As a HIPAA “Business Associate,” we comply with the specific privacy and security protections that HIPAA requires for PHI. Under some other Data Privacy Laws, health information is also treated as a sensitive category of Personal Information.
Sources of Member Information. If you are a Level Member, we receive information about you when the Customer that sponsors your benefits enrolls you, and when you set up your account. The information needed to give you access to our Services includes data such as your name, physical address, date of birth, email address, employee identification number, the last four digits of your Social Security number, bank account information, and information about your dependents, if applicable. For some Level-administered benefits, the Customer will automatically enroll you if you are eligible; for other types of benefits, you will be enrolled when you choose to receive them. You and the Customer can update or change your account information when necessary.
When you use our Services, including in some cases the Level Card, we collect information about your activities that we need to process your purchases and to verify that you are spending your funds on goods or services that are covered by your benefits. This type of information includes transaction records providing the cost, date, and location of your purchases, the specific good or service you purchased, and the name of the Provider or merchant who provided the good or service. For some transactions, we may ask you to upload receipts documenting your purchases. If you use a Service that requires pre-authorization, we maintain records demonstrating you have been authorized to purchase a good or service. You may choose to provide feedback on our Services or contact us for support, and we will keep a record of that communication. We also collect information about how you use the Level app and website when you access your benefits.
Where we need to collect Personal Information by law, or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have with you and shall be relieved from all obligations thereunder.
“Logged-In Users” are any users (other than Members) who access Level’s Services with an account. In order to provide Logged-In Users secure access to these Services, we collect a limited amount of Personal Information about them (such as name and email address).
“Visitors” are persons who access our web resources without creating a Level account. They also include people who sign up to receive our marketing emails.
Online Activity Whether you are a Member, a Logged-In User, or a Visitor, we use cookies and similar technologies to collect information about how you use our Services or otherwise interact with us. For example, we log the websites you visit before or after our websites and whether you have opened or forwarded our emails. We also use cookies and similar technologies to collect information from or about the computers, phones, or other devices you use to access the Services, depending on the permissions you’ve granted. Here are some examples of the device information we may collect:
If you are located in the European Economic Area ("EEA") or the United Kingdom ("UK"), we will obtain your consent to collect this information where cookies and similar technologies are not essential to provide the service you request. For essential cookies, we rely on the lawful basis of the performance of a contract. You can learn more about how we use cookies and similar technologies in our Cookie Policy (available at level.com/legal/cookie-policy).
Below, we describe how we use the Personal Information we collect about you. If you are located in the EEA or the UK, we also provide the lawful basis under the GDPR for using your Personal Information in this way where we act as controller.
Provision of the Services. We use the information we collect to provide, maintain, and protect and improve the Services, to develop new ones, and to protect Level and our users. If you are a Level Member, we use your information to administer benefits on behalf of the Customer that provides your benefits, pursuant to our agreement with that Customer.
Services Improvement. We use your information for business analytics (to improve the Services) and product development (to build new Services).
Transactional Communications. As a Level Member or Logged-In User, you may communicate with us or we may communicate with you about your account, your benefits, or the status of your transactions. For example, we may email you that we are processing a transaction you have made with your Level Card. These communications are part of the way we provide you benefits on behalf of the Customer.
Marketing. We may use your information to send you marketing communications about our Services. If you do not want to receive marketing communications from us, indicate your preference by contacting us at legal@level.com. If you are in the US, you may unsubscribe from our marketing emails at any time.
Security. We may use Personal Information to detect data security incidents and protect against malicious, deceptive, fraudulent, or illegal activity on our systems.
Legal Requirements. We may need to use your Personal Information to comply with legal obligations to which we are subject, including regulatory, judicial, tax, accounting or reporting requirements.
To Provide the Services. You may choose to use our Services to interact with people or organizations other than Level, such as Providers, or Members, but only to the extent that each such service provider needs to access your information in the provision of the Services as outlined above. We will share information about you with these service providers, but only to the extent reasonably necessary to provide the Services.
Your Employer. If you are a Level Member, Level is likely providing these Services to you on behalf of the employer that sponsors your benefits, who is our Customer. We share information about goods or services purchased through your benefits with your employer so your employer can adequately fund and responsibly administer your benefits, and so your employer understands how you and other employees are utilizing the benefits.
Others Working for Level. Level uses certain trusted third-party service providers (for example, providers of cloud-based storage and processing services, or a payment provider used to process payment of transactions and fees) to help us provide, improve, protect, and promote our Services. These service providers will access your information only to perform tasks on our behalf in compliance with this Privacy Policy, and we remain responsible for their handling of your information per our instructions.
If you are located in the United States and these service providers access your PHI, they are Business Associates of Level. Under the CCPA and other US laws, they are known as “service providers” or other similar terms. If you are located in the EEA or the UK, these service providers are processors (where Level acts as a controller) and sub-processors (where Level acts as a processor). Business Associates, service providers, processors and sub-processors have written agreements with us that specifically indicate that they will protect your information in accordance with this Privacy Policy and with the Data Privacy Laws that apply to their Processing.
With Your Consent. We may request your consent to share Personal Information about you with additional third parties. In some cases, we may request additional consent from you if we think that there is other information that will help us better coordinate your care or better personalize the Services to fit your needs.
Law & Order. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Level or our users; or (d) protect Level's property rights.
Aggregated and Non-Personal Information. We may also share with third parties information in a manner that has been de-identified or anonymized in accordance with applicable laws.
We will only retain your Personal Information for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for Personal Information, we consider the Services we are providing, the amount, nature and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we Process your Personal Information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Level employs robust technical and organizational security measures to protect the systems that Process your Personal Information. We undergo annual security audits to make sure we are complying with industry best practices and standards. Level’s Security Annex (available at https://level.com/legal/security-annex) has more information about our security measures.
While we have implemented strong safeguards, the internet is not a 100% secure environment, and we cannot guarantee absolute security of the transmission or storage of your information.
Account Settings. Through your account settings, as a Level Member or Logged-In User, you may access, and, in some cases, edit or delete certain profile information you’ve provided to us. When you update information, however, we may maintain a copy of the unrevised information in our records. The information you can view, update, and delete may change as the Services change.
Access, Correction, Deletion, and other Data Rights. Depending on where you live and the nature of your Personal Information, you may have the right to ask Level to take certain actions with regard to the Personal Information we maintain about you, such as disclosing, correcting, restricting the Processing of, or deleting information. If you are located in the EEA or UK or are covered by the CCPA, your rights are described in further detail in sections below. If you are a Level Member, we will usually notify and consult with the Customer sponsoring your benefits (usually your employer) when we respond to such requests.
Our ability to fulfill these requests may be limited by countervailing legal requirements. For example, we may not be able to honor your deletion request if we are required to retain your Personal Information for a certain period of time by employment, insurance, tax or other laws.
If you would like more information about your data rights and/or Level’s data policies, please contact us at legal@level.com.
We may revise this Privacy Policy from time to time, and will post the most current version on the Site. If we are involved in a reorganization, merger, acquisition or sale of our assets, your information may be transferred as part of that deal.
If you have questions or concerns about Level, our Services and privacy, contact us at legal@level.com.
This section applies to Level Members and other users of our Services who reside in the European Economic Area (EEA) or the United Kingdom (UK). The General Data Protection Regulation (GDPR) and the UK’s version of this law (UK GDPR) apply to our Processing of your Personal Information in these areas.
1. Level as Controller and Processor
The GDPR divides organizations Processing Personal Information into two categories: Controllers and Processors.
If you live in the EEA or the UK, we may act as either a Controller or a Processor of your Personal Information depending on how Level is interacting with you:
2. International Transfers
We process and transfer Personal Information outside of the EEA and the UK, including in the United States and Canada. Whenever we transfer your Personal Information outside of the EEA and UK, we apply protections that are equivalent to those you have in the EEA or UK. We do this using contracts specifically drafted and approved to give your Personal Information the same protection it has in the EEA or the UK. Level’s Data Processing Addendum (https://level.com/legal/dpa) provides more information about these protections.
3. Your Data Choices
If you reside in the EEA or UK, you have the rights to:
Request access to your Personal Information (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Information we hold about you and to check that we are lawfully processing it.
Request correction of the Personal Information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your Personal Information. This enables you to ask us to delete or remove Personal Information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Information where you have successfully exercised your right to object to Processing (see below), where we may have Processed your information unlawfully or where we are required to erase your Personal Information to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your Personal Information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are Processing your Personal Information for direct marketing purposes.
Request restriction of processing of your Personal Information. This enables you to ask us to suspend the Processing of your Personal Information in the following scenarios:
Request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to Process your Personal Information. However, this will not affect the lawfulness of any Processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Where we act as a Processor on behalf of our Customer (usually your employer), we may need to cooperate with the Customer in responding to your request to exercise your rights. Alternatively, the Customer may choose to handle your request itself.
4. Contact
VeraSafe has been appointed as Level's representative for data protection matters in the EEA and UK. VeraSafe can be contacted on matters related to the Processing of Personal Information using this contact form (available at verasafe.com/public-resources/contact-data-protection-representative). Alternatively, Verisafe may be contacted using the information below.
If you are in the European Economic Area: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland. Telephone: +420 228 881 031.
If you are in the United Kingdom: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom. Telephone: +44 (20) 4532 2003.
You have the right to make a complaint at any time to your data protection authority. We would, however, appreciate the chance to deal with your concerns before you approach the data protection authority so please contact us in the first instance.
The California Consumer Privacy Act (CCPA) applies to “Businesses”, as that term is defined in the CCPA. Level is not a Business under the CCPA, but in some cases, we are a CCPA “Service Provider” because we provide services on behalf of Customers that meet the law’s definition of a Business.
As a CCPA Service Provider, we make commitments to protect your Personal Information and to use it only for limited purposes. Importantly, we promise not to “sell” or “share” the Personal Information we receive from our Customers, as those terms are defined in the law. Level’s California Data Protection Addendum (https://level.com/legal/california-dpa) provides more information about the commitments we have made.
If you are a resident of California (a “Consumer”), you have the right to ask a Business that collects your Personal Information to take certain actions, including giving you access to, correcting, or deleting your Personal Information. As a Service Provider under the CCPA, Level is not required to directly respond to such requests, but we have a duty to assist the Business in responding to your request. If you are a Level Member, we will consult and coordinate our response with your employer (who is our Customer) if we receive such a request.
Please note that these rights may not extend to information that is subject to HIPAA or the federal Gramm-Leach-Bliley Act.
Last Updated: November 10, 2023
