Last Updated and Effective Date: January 1, 2023
Xchange Benefits, LLC (“Xchange Benefits” or
“XB”), a Delaware limited liability company, together with
its affiliates and divisions (“Xchange”), are a diverse
group of business units focused on the global insurance and reinsurance
industry. Xchange Benefit provide risk underwriting and administration
services for stop loss insurance, which provides protection for employers
who self-fund their employee medical benefit plans. Xchange Benefit and its
divisions also provide a variety of insurance related services, such as,
Business Travel Accident and Travel and Trip Cancellation Insurance (Xchange
Travel), bespoke insurance programs services for affinity groups (Xchange
Affinity), and insurance and reinsurance program consulting (Xchange
Consulting). Xchange Benefits’ subsidiaries Xchange Re Underwriting Agency
LLC (“Xchange Re”), specializes in Personal Accident Catastrophe and Special
Risk reinsurance as a managing general underwriter and Distribution Re LLC
provides captive solutions for Xchange’s clients.
Xchange respects the privacy concerns of the visitors to our website at
http://www.xbllc.com/
(such website visitors, the “Website Visitors”, and such
website, the “Xchange Website”). This privacy policy
(“Privacy Policy”) describes how Xchange collects and uses
our Website Visitors’ personal information. In addition, this Privacy Policy
describes our practices regarding any personal information (including
protected health information as defined below) that we may collect, receive
or have access to in connection with our provision of certain stop loss
services, and electronic communications related to other business matters.
The Xchange Website is not intended for persons under 18 years of age. No
information should be submitted to the Xchange Website by a user under the
age of 18 years except by such individual’s parent or guardian. Xchange does
not sell or share personal information, as described in Section VI and
Section VII below and Xchange has no knowledge that it sells or shares the
personal information of anyone under the age of 18.
Xchange may collect, receive or have access to personal information in three
ways. First, in connection with Xchange providing its stop loss services to
employers, businesses and other self-funded entities, and insurance carriers
and business associates and other entities that are subject to the Health
Information and Portability Accountability Act of 1996, as amended
(“HIPAA”) and the Health Information Technology for
Economic and Clinical Health Act (“HITECT”) (“Stop Loss Services”), and Xchange may receive, or third party administrators
(“TPAs"), insurance carriers and business associates may
provide directly or indirectly to Xchange, or give Xchange access to,
protected health information (as defined below) in connection with our
provision of our Stop Loss Services. Second, Xchange may collect limited
personal information from our Website Visitors when individuals visit the
Xchange Website or request information on the Xchange Website (“Website Data”). Third, Xchange may collect or receive in connection with email and
electronic communications to Xchange limited personal information from
vendors, service providers, brokers, TPAs, policyholders or their
representatives, self-funded entities, insurance carriers, business
associates, reinsurance entities, and other entities with respect to the
Stop Loss Services, Xchange Re’s reinsurance business, current and
prospective business contacts, and other related communications. More
information regarding each of these categories of personal information is
described below.
As used in this Privacy Policy, “personal information” is
information that identifies, relates to, describes, is reasonably capable of
being associated with, or could reasonably be linked, directly or
indirectly, with a particular consumer or household. For purposes of this
Privacy Policy, personal information does not include publicly available
information from government records, information that is made available to
the general public by you or from widely distributed media, or information
you make available without restricting to a specific audience, or
de-identified or aggregated information.
As used in this Privacy Policy, “protected health information” or “PHI” is protected health information that is
collected by a covered entity or business associate governed by the privacy,
security, and breach notification rules issued by the United States
Department of Health and Human Services, established pursuant to the HIPAA
and HITECT.
I. Personal Information Collected for Stop Loss Services
In connection with our provision of Stop Loss Services, Xchange may receive,
have access to, or be provided with, certain protected health information.
Any protected health information we use in connection with our provision of
the Stop Loss Services is processed only in connection with the provision of
the Stop Loss Services to our clients and in accordance with our agreements
with them and applicable HIPAA and HITECT requirements.
Xchange has no direct relationship with the individuals to whom the personal
information (including PHI) we receive or access in connection with our Stop
Loss Services may pertain. Rather, an employer, health care providers,
claims processors, or other parties involved in the self-funded medical
coverage, including business associates, collect the personal information
(including PHI) in connection with providing medical coverage or services,
such as medical billing and processing claims.
This Privacy Policy does not apply to any PHI — instead, any PHI we receive,
access or obtain is subject to the privacy policy of the entity who
initially collected the PHI or a business associate, or an assignee of such
entity. If you are an individual about whom the PHI concerns, please consult
the policies of the provider of the self-funded plan for information on how
they collect, processes, and disclose your PHI, and please contact them if
you have any questions regarding any rights you may have with respect to
your PHI.
II. Personal Information Collected from the Xchange Website
When you visit the Xchange Website or fill out webforms on the Xchange
Website (such as to request information from us), we may collect, and we may
have collected in the twelve (12) months prior to the date of this Privacy
Policy, certain personal information from you, as described below. The types
of personal information we collect from you will depend on your interaction
with us.
III. Personal Information Collected from Business Communications
When you contact Xchange such as by email or telephone, we may collect, and
we may have collected in the twelve (12) months prior to the date of this
Privacy Policy, certain personal information from you in connection with
business communications related to the Stop Loss Services, Xchange Re’s
reinsurance business, or communications related to other business
initiatives as described below. The types of personal information we collect
from you will depend on your interaction with us.
IV. Other Use and Disclosure of Personal Information
In addition to the uses described above with respect to the Xchange Website
and business communications, Xchange may also use or disclose your personal
information (and may have done so in the twelve (12) months prior to the
date of this Privacy Policy):
-
to comply with applicable laws and regulatory requirements, or as
requested by government or regulatory authorities
- in connection with pending litigation
-
in connection with a merger, divestiture, acquisition, restructuring,
reorganization, dissolution, or other sale or transfer of some or all of
our assets, whether as a going concern or as part of bankruptcy,
liquidation, or similar proceeding, in which personal information held
by us is among the assets transferred
-
to detect security incidents, protect against malicious, deceptive,
fraudulent, or illegal activity, and prosecute those responsible for
that activity
-
to debug to identify and repair errors that impair existing intended
functionality in the Xchange Website or information systems
We may have also used or disclosed your personal information for other
purposes with your consent and at your direction.
V. Retention
We store personal information for as long as necessary to carry out the
purposes for which we originally collected it and for other legitimate
business purposes, including to meet our legal, regulatory, or other
compliance obligations, and to comply with document preservation
requirements relating to litigation.
VI. No Sale of Personal Information
Xchange has not sold your personal information to third parties in the
twelve (12) months prior to the date of this Privacy Policy. In addition,
Xchange will not sell your personal information to third parties (including
for their own direct marketing purposes). If you are entitled to any
disclosure rights in your jurisdiction regarding our sale of your personal
information to third parties or our disclosure of your personal information
to third parties for their own direct marketing purposes, this disclosure
satisfies those requirements. If we change our practices in the future for
any new information that we collect from you, we will update this Privacy
Policy accordingly. If you still wish to learn more about our compliance
with this requirement, please contact us using the information provided in
the “Contact Us” section below.
VII. No Sharing of Personal Information
Xchange has not shared your personal information with third parties for
cross-context behavioral advertising in the twelve (12) months prior to the
date of this Privacy Policy. In addition, Xchange has no intention of
sharing your personal information with third parties for cross-context
behavioral advertising. If you are entitled to any disclosure rights in your
jurisdiction regarding our sharing of your personal information to third
parties for cross-context behavioral advertising, this disclosure satisfies
those requirements. If we change our practices in the future for any new
information that we collect from you, we will update this Privacy Policy
accordingly. If you still wish to learn more about our compliance with this
requirement, please contact us using the information provided in the
“Contact Us” section below.
VIII. Cookies and Other Data Collection Tools
The Xchange Website uses cookies to collect information. Cookies are small
data files that can be transferred to your browser, computer or other
electronic devices as you browse the Xchange Website. When you use the
Xchange Website, one or more cookies may be placed on your computer or other
electronic device to distinguish you from other Website Visitors. Xchange
may use cookies for a number of purposes – for example, to maintain
continuity during a user session, to gather data about the usage of the
Xchange Website, for analytical purposes and other purposes, and to store
your preferences for certain kinds of information. The cookies used on the
Xchange Website will track only your online activity on the Xchange Website
while you are visiting the site and will not track your other Internet
activity, such as activity on a non-Xchange Website. The cookies used by the
Xchange Website do not gather other personally identifiable information and
the cookies are anonymized.
At any time, you may adjust the settings on your browser to refuse cookies
according to the instructions related to your browser. However, if you
choose to disable cookies, many of the features on the Xchange Website will
not operate properly. Also, the pages on the Xchange Website may include web
beacons or pixels, which are electronic files to count users who have
visited that page, track activity over time and across the Xchange Website,
identify certain cookies on the computer or other electronic devices
accessing the Xchange Website, or collect other related information. This
information may be associated with your unique browser, device identifier,
or IP address.
Lastly, Xchange may use other companies to set analytical cookies on the
Xchange Website and gather cookie information on our behalf. Xchange has
implemented analytics and impression reporting on our Xchange Website, which
tracks and manages cookie information so that Xchange can collect anonymized
site analytics data through the Xchange Website. This information is not
used for advertising purposes. Xchange uses the cookie information gathered
by these companies in the same manner as stated above.
IX. Tracking
Certain web browsers may provide a do-not-track (“DNT”)
option, where you may be able to set your browser to inform websites that
you do not wish your activities to be tracked. The Xchange Website does not
engage any third parties that collect personal information about an
individual consumer’s online activities over time and across different
websites when the consumer uses the Xchange Website. Accordingly, the
Xchange Website currently does not respond to DNT signals.
X. Exclusions
The Xchange Website may contain links to websites owned by other companies,
including affiliates of its ultimate parent company. Because Xchange has no
control over the privacy practices or content of these linked sites, we
recommend that you carefully review the privacy policy of each website you
visit. Xchange is not responsible for the content or privacy practices of
websites owned by other companies.
Xchange does not seek to, nor do we knowingly collect, information directly
from children under the age of 18. If a child has directly provided us with
personal information, a parent or guardian of that child may contact us to
have the information deleted from our records. To do so, contact Xchange
through the information provided below in the “Contact Us” section.
XI. International Transfer
To facilitate Xchange Re’s global operations, Xchange may store, transfer
and access the personal information that you submit on the Xchange Website
to or from Xchange’s offices or service providers or contractors in the
United States and around the world, including, but not limited to, Xchange
Re’s clients located in the United States, the United Kingdom, Europe, and
Asia. This Privacy Policy shall apply even if Xchange transfers such
information to other countries. By using the Xchange Website and providing
any information through the Xchange Website, you consent to the transfer of
your information and personal information to Xchange Re’s clients in these
countries, including those located outside your home country. Do not use the
Xchange Website if you do not want your personal information to be
transferred to the United States or to other countries, or if the laws in
your country restrict these types of transfers.
XII. CCPA Rights for California Consumers
The California Consumer Privacy Act of 2018, as amended by the California
Privacy Rights Act of 2020 (collectively, the “CCPA”)
provides California consumers with certain rights with regard to their
personal information. This Section explains those rights. If you are a
California consumer and would like to exercise any of those rights under the
CCPA, please see subsections H, I and J of this Section below for more
information on how to submit a request.
For purposes of this Privacy Policy, a “California consumer” is a natural person who resides in California.
Note that the CCPA excludes from its scope any protected health information
that is subject to and governed by the privacy, security, and breach
notification rules established pursuant to HIPAA or HITECT and certain other
regulated data. Accordingly, the rights described in this Section do not
apply to any PHI (subject to HIPAA or HITECT) we receive or access in
connection with our provision of the Stop Loss Services (which information
is subject to the privacy policy of the entity who initially collected the
PHI). Rather, the rights described in this Section only apply to personal
information we receive that is not PHI or otherwise subject to the HIPAA or
HITECT— specifically Website Data that we collect from our Website Visitors
and business contacts that are California consumers. If you are an
individual about whom the PHI concerns, please consult the policies of your
employer or other entity that provided the self-funded medical plan, your
medical provider, or claims servicer for information on any rights you may
have to your personal information.
A. Right to Know About and Access Your Personal Information
If you are a California consumer, you may have the right to request that
Xchange provide you with information regarding what personal information
about you we have collected, used, disclosed, sold or shared. Once we
receive your request and verify your identity, we will disclose to you the
following as applicable:
- The categories of personal information we have collected about you.
-
The categories of sources from which we collected your personal
information.
-
The business or commercial purposes for collecting, selling or sharing
your personal information.
-
The categories of third parties to whom we disclose your personal
information.
-
The categories of personal information that we have sold, shared or
disclosed for a business purpose, and for each category identified, the
categories of third parties to whom we sold, shared or disclosed for a
business purpose that particular category of personal information.
- The specific pieces of personal information we collected about you.
B. Right to Delete Your Personal Information
If you are a California consumer, you may have the right to request that
Xchange delete certain of your personal information that we have collected
from you. However, this right to deletion does not apply to any of your
personal information that is subject to an exception under the CCPA (as
described below). In addition, there may be other legal exemptions
applicable to your personal information other than as described below. Once
we receive your request and verify your identity, we will delete (and notify
our service providers and contractors to delete), unless the deletion is
impossible or involves a disproportionate effort, your personal information
in our records that is not subject to any of the CCPA exceptions.
CCPA Exceptions
We may deny your deletion request where your personal information is
required for any of the following reasons, which we will identify in our
response to you if we deny your request:
-
Complete the transaction for which we collected, received or accessed
the personal information, fulfill terms of a written warranty or product
recall, provide a good or service that you requested, take actions
reasonably anticipated within the context of our ongoing business
relationship with you, or otherwise perform our contract with you.
-
Help to ensure security and integrity, when the use of personal
information is reasonably necessary and proportionate.
-
Debug to identify and repair errors that impair existing intended
functionality.
-
Enable solely internal uses that are reasonably aligned with your
expectations based on your relationship with us and compatible with the
context in which information was provided.
- Comply with a legal obligation.
- Deletion is impossible or involves a disproportionate effort.
C. Right to Correct Your Personal Information
If you are a California consumer, you may have the right to request that
Xchange correct inaccurate personal information that we maintain about you.
Once we receive your request to correct inaccurate personal information and
verify your identity, we will use commercially reasonable efforts to correct
(and direct our service providers and contractors to correct) your personal
information in our records as you have directed.
D. Right to Opt-Out of the Sale of Your Personal Information
If you are a California consumer, you may have the right to opt-out of the
sale of your personal information. However, as indicated in Section VI
above, we have not sold personal information about you to third parties in
the twelve (12) months prior to the date of this Privacy Policy, and we will
not sell personal information about you without further notice. If we change
our practices in the future for any new information that we collect from
you, we will update this Privacy Policy accordingly. As such, we do not
offer a right to opt-out of sale.
E. Right to Opt-Out of the Sharing of Your Personal Information
If you are a California consumer, you may have the right to opt-out of the
sharing of your personal information for cross-context behavioral
advertising. However, as indicated in Section VII above, we have not shared
personal information about you for cross-context behavioral advertising with
third parties in the twelve (12) months prior to the date of this Privacy
Policy, and we will not share personal information about you for
cross-context behavioral advertising without further notice. If we change
our practices in the future for any new information that we collect from
you, we will update this Privacy Policy accordingly. As such, we do not
offer a right to opt-out of sharing.
F. Right to Limit the Use or Disclosure of Your Sensitive Personal
Information
If you are a California consumer, you may have the right to limit the use or
disclosure of your sensitive personal information, which is a type of data
that receives heightened protection under California law (e.g., certain
demographic information, government-issued identification numbers, biometric
or health data, etc.). However, we do not offer this right because Xchange
does not collect sensitive personal information of California consumers. If
we change our practices in the future for any new information that we
collect from you, we will update this Privacy Policy accordingly.
G. Right to Non-Discrimination
If you are a California consumer, you may have the right to not receive
discriminatory treatment for exercising your privacy rights. Xchange will
not discriminate or retaliate against any California consumer who exercises
any of the rights described above. Specifically, except as permitted by the
CCPA, we will not deny you goods or services; charge you different prices or
rates, including through granting discounts or other benefits, or imposing
penalties; provide you with a different level of service or quality of goods
or services; or suggest that you may receive a different price or rate for
goods or services or a different level or quality of goods or services.
H. How to Submit a Request
If you are a California consumer and would like to exercise any of the CCPA
rights identified above, you may submit a request by either completing the
webform located at
www.xbllc.com/ccpa-request-form/
or by calling us at (866) 947-7552.
I. Submitting a Request Through Your Authorized Agent
If you are a California consumer, you may exercise your privacy rights
through an authorized agent. If we receive your request from an authorized
agent, we may ask for evidence that you have provided such agent with a
power of attorney or that the agent otherwise has valid written authority to
submit requests to exercise rights on your behalf. If you are an authorized
agent seeking to make a request, please reach out to us through the “Contact
Us” below section.
J. How We Verify Your Request
We cannot fulfill your request or provide you with your personal information
if we cannot, using commercially reasonable methods, verify your identity or
authority to make the request and confirm the personal information relates
to you. Making a verifiable consumer request does not require you to create
an account with us.
Once you have provided the required information to Xchange we will confirm
your identity by conducting a commercially reasonable electronic search of
our internal systems (which may include business applications, digital
files, and corporate emails) to ensure the information provided by you in
your request matches what we have in our systems.
In addition, for a request for specific pieces of information, you (or your
authorized agent) must provide to Xchange a copy of a signed declaration
under penalty of perjury that you are the individual whose information is
the subject of the request.
To verify your identity, we will ask that you provide the following
information when you submit your request:
- Your first and last name
- Your full address
- State of your primary residence
- Country of primary residence
- Your telephone number
- Your email address
- Policy Number (if we provide insurance related services)
- Contract Number (if related to reinsurance)
Depending on your type of request or the information requested by you, we
may require additional information in order to verify your identity and
fulfill your request. If we cannot successfully verify your identity, we
will inform you of that fact.
We will initially confirm receipt of your request within ten (10) business
days. We will then respond to your request within forty-five (45) calendar
days. However, in certain circumstances, we may require additional time to
process your request, as permitted by the CCPA or other applicable law. We
will advise you within forty-five (45) calendar days after receiving your
request if such an extension is necessary and why it is needed. If we cannot
fulfill your request, our response to you will also explain the reason why
we cannot fulfill your request.
We do not charge a fee to process or respond to your consumer request unless
it is excessive, repetitive, or manifestly unfounded. If we determine that
the request warrants a fee (only if permitted by law), we will tell you why
we made that decision and provide you with a cost estimate before completing
your request.
You may only make a consumer request to know about or access your personal
information twice within a twelve (12) month period.
XIII. Contact Us
For questions or comments regarding this Privacy Policy, or to request this
Privacy Policy in another format, please contact us at:
By Phone:
(866) 947-7552
By Postal Mail:
Xchange Benefits, LLC
CCPA Request
200 Business Park Drive, Suite 303
Armonk, NY 10504
By E-mail:
compliance@xbllc.com
XIV. Updates to Privacy Policy
From time to time, we may update this Privacy Policy. If we do, we will note
the date of the revision at the top of this Privacy Policy the date that any
changes are made and/or when they become effective. If the changes being
made are material, we may alert you to the changes in a more prominent way.
By using the Xchange Website after these changes are made, you agree to the
revised version of the Privacy Policy.
Click here
to download a printable PDF copy of the Privacy Policy