LAST MODIFIED: February 2025
Symbeo Inc., a wholly owned subsidiary of CorVel Corporation, (“Symbeo”, “us,” “we” or “our”) has created this privacy policy (“Policy”) in order to comprehensively inform individuals about our privacy practices and to demonstrate our firm commitment to privacy. This Policy describes how we collect, use, disclose, transfer, store, retain or otherwise process your personal information in the course of performing our business and operational activities, which includes the administration of the symbeo.com web domain (the “Website”) and our business-to-business Online Document Center at www.odc4.com (the “ODC”). Collectively, we shall refer to our business and operational activities, the Website and the ODC as our “Services.”
When we refer to “you” or “your,” we mean the person about whom we collect personal information or data. If the person accessing the Services does so on behalf of, or for the purposes of, another person, including a business or other organization, “you” or “your” also means that other person, including a business organization, if applicable.
We provide our Services to businesses and not to individual consumers. However, in the course of providing our Services, we may process personal information of individuals, as will be described in this Policy. This may include personal information contained in the documents that we process for our customers, that we collect about you when you visit our Website or log into the ODC, your business contact information if we provide our Services to a company that you work with, or your personal information if you are a sole proprietorship and you engage with our Services.
Please read this Policy carefully. Our Policy includes:
This Policy is supplemented by our:
The intended use of this Website is business to business. Our data centers and Website are hosted in the United States, which may not have privacy laws as protective as those in your home country. If you are visiting this Website or ODC from outside of the United States, please note that by providing us your information it is being stored or processed in the United States. If you are outside the United States and do not wish to allow the collection and storage of your personal information within the United States, you should not use the Website or ODC and you should opt-out of the collection of cookies by following the guidelines in our section titled How To Restrict Cookies. For more information about how we utilize cookies, view our Cookies Policy.
This Policy sets forth our data policies and practices for the United States. If you are outside of the United States, please also review the provisions of our International Privacy Policy. Depending on your country of residence, applicable privacy laws may provide you with a right to additional disclosures as well as special data subject rights with regards to your personal information.
This Policy applies only to Symbeo’s Website, ODC and Services, and not to other companies’ or organizations’ websites, mobile applications and services. We are not responsible for the privacy practices of other businesses or the content of other websites, including any websites that may indicate a special relationship or partnership with us (such as co-branded pages or “in cooperation with” relationships). To ensure protection of your privacy, always review the privacy policy of the companies with whom you engage.
In the course of performing our Services, we collect a variety of different kinds of personal information from a variety of different individuals. What information we collect and the purposes for which it is collected will depend on the context of our activities or the Service that is being performed. Therefore, just because this Policy lists a particular data collection practice does not mean that we have necessarily collected that data from you. Instead, please review the applicable disclosures below to learn about how we may have collected personal information from you depending on how you have interacted with us.
Symbeo provides accounts payable automation, data capture and data imaging services for our business customers. Other than through our Website and ODC, we generally do not directly interact with individual consumers or collect personal information directly from them. Rather, we receive your personal information from our customers and affiliates and we process personal information on their behalf.
Under certain state laws, Symbeo is required to disclose whether we sell, share, or use your personal data for targeted advertising purposes. Please note that Symbeo does not sell your personal information in the usual sense of the word. That is, we do not give your information to third parties in exchange for money. However, under certain state laws, disclosure of your personal information to certain third parties (such as social media providers, ad networks, analytics vendors, and providers of online marketing and advertising services), including via automated technologies such as cookies, pixels, and tags, for advertising or analytics purposes may be considered a “sale” of personal information. These kinds of disclosures may constitute “targeted advertising,” or a “sale” when the personal information is exchanged for non-monetary consideration, or “sharing” when the personal information is disclosed for cross-context behavioral advertising purposes. We do not knowingly sell, share, or process personal information of consumers under 16 years of age.
When You Visit Our Website
| Categories Collected
The personal information we collect may include: | Sources of Collection
We may collect your personal information from: | Business Purpose of Collection
The purposes of collection include: | Categories of Third Parties to Which Personal Information is Disclosed
We may disclose your personal information to: | Business Purpose of Disclosure
The purposes of disclosure include: | Is This Information Sold Or Used For Targeted Advertising? | |
| Identifier Information*
| • you directly | • facilitating your use of our Website
• enforcing any applicable terms of service or other applicable agreements or policies • securing our networks, systems and databases against external threats
| • our service providers**
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes
| • facilitating your use and our provision of the Website
• enforcing any applicable terms of service or other applicable agreements or policies • preventing attacks and intrusions on our systems • securing our networks, systems and databases against external threats • conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • yes, in the context of online tracking technologies when you visit our Website, we may sell or share this information to our marketing and analytics vendors for the purposes of online marketing. However, any such information you directly submit through our website is not sold to any third parties | |
| * The personal information we collect may include your internet protocol (IP) address.
**We may disclose your personal information to our security monitoring providers, data analytics providers, database hosting vendors and our auditors. | ||||||
| Geolocation Information†
| • you directly | • personalizing and facilitating your use of our Website
• measuring, tracking and analyzing trends and usage in connection with your use or the performance of our Website | • our service providers††:
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes
| • facilitating your use and our provision of the Website
• measuring, tracking and analyzing trends and usage in connection with your use or the performance of our Website • securing our networks, systems and databases against external threats • conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • yes, in the context of online tracking technologies when you visit our Website, we may sell or share this information to our marketing and analytics vendors for the purposes of online marketing. However, any such information you directly submit through our website is not sold to any third parties | |
| †The information we collect may include your geolocation.
††We may disclose your personal information to our security monitoring providers, data analytics providers, database hosting vendors and our auditors. | ||||||
| Internet or Other Electronic Network Activity Information ‡
| • you directly | • maintaining and improving our Website
• personalizing and facilitating your use of our Website • measuring, tracking and analyzing trends and usage in connection with your use or the performance of our Website • providing marketing and advertising services | • our service providers ‡‡
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • facilitating your use and our provision of the Website
• maintaining and improving our Website • measuring, tracking and analyzing trends and usage in connection with your use or the performance of our Website • engaging in marketing and advertising • securing our networks, systems and databases against external threats • conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • yes, in the context of online tracking technologies when you visit our Website, we may sell or share this information to our marketing and analytics vendors for the purposes of online marketing. However, any such information you directly submit through our website is not sold to any third parties | |
| ‡The information we collect may include your time zone setting, auth0 logs, pages visited, pages viewed, events and page loads, browser plug-in types and versions.
‡‡We may disclose your personal information to our marketing services vendors, security monitoring providers, data analytics providers, database hosting vendors and our auditors. | ||||||
| Device Information⁂
| • you directly | • maintaining and improving our Website
• personalizing and facilitating your use of our Website • measuring, tracking and analyzing trends and usage in connection with your use or the performance of our Website | • our service providers ⁂⁂
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • facilitating your use and our provision of the Website
• measuring, tracking and analyzing trends and usage in connection with your use or the performance of our Website • securing our networks, systems and databases against external threats • conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • yes, in the context of online tracking technologies when you visit our Website, we may sell or share this information to our marketing and analytics vendors for the purposes of online marketing. However, any such information you directly submit through our website is not sold to any third parties | |
| ⁂The information we collect may include your operating system and platform and other technology on the devices you use to access the Website.
⁂⁂We may disclose your personal information to our security monitoring providers, data analytics providers, database hosting vendors and our auditors. | ||||||
Further, we may collect personal information from you in the form of cookies when you visit the Website. For information regarding how we collect, process and disclose personal information in the context of cookies, view our Cookies Policy.
When You Engage With The ODC
| Categories Collected
The personal information we collect may include: | Sources of Collection
We may collect your personal information from: | Business Purpose of Collection
The purposes of collection include: | Categories of Third Parties to Which Personal Information is Disclosed
We may disclose your personal information to: | Business Purpose of Disclosure
The purposes of disclosure include: | Is This Information Sold Or Used For Targeted Advertising? |
| Sensitive Personal Information (log-in information)⸸ | • you directly | • facilitating your use of the ODC
• securing the ODC and the information contained therein from unauthorized access | • our service providers⸸⸸
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes
| • facilitating your use of the ODC
• securing the ODC and the information contained therein from unauthorized access preventing attacks and intrusions on our systems • securing our networks, systems and databases against external threats • conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • No. |
| ⸸ The personal information we collect may include your login username and password.
⸸⸸We may disclose your personal information to our security monitoring providers, database hosting vendors and our auditors. |
If You Are An Employee Of One Of Our Business Partners Who Is Involved In Symbeo’s Relationship With Symbeo
| Categories Collected
The personal information we collect may include: | Sources of Collection
We may collect your personal information from: | Business Purpose of Collection
The purposes of collection include: | Categories of Third Parties to Which Personal Information is Disclosed
We may disclose your personal information to: | Business Purpose of Disclosure
The purposes of disclosure include: | Is This Information Sold Or Used For Targeted Advertising? |
| Identifier Information* | • you directly
• your employer | • administrating and facilitating our relationship with your employer | • our service providers**
• individuals or entities you authorize • governmental authorities • our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • corresponding with you
• providing business event planning, provision and operation services • conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • No. |
| *The information we collect may include your full name, business mailing address, business e-mail address and business telephone number.
**We may disclose your personal information to our client event management providers, e-mail services vendor, database hosting vendors and auditors |
When You Interact With Symbeo’s Social Media
| Categories Collected
The personal information we collect may include: | Sources of Collection
We may collect your personal information from: | Business Purpose of Collection
The purposes of collection include: | Categories of Third Parties to Which Personal Information is Disclosed
We may disclose your personal information to: | Business Purpose of Disclosure
The purposes of disclosure include: | Is This Information Sold Or Used For Targeted Advertising? |
| Internet or Other Electronic Network Activity Information* | • social media websites with whom you have engaged | • developing new products and Services
• measuring, tracking and analyzing trends in connection with our marketing • marketing of our Services • communicating with you about opportunities, products and services offered by us and select partners | • our service providers**
• individuals or entities you authorize • governmental authorities • our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • developing new products and Services
• measuring, tracking and analyzing trends in connection with our marketing • marketing of our Services • communicating with you • conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • yes, we may sell this information to our marketing and analytics vendors for the purposes of online marketing.
• we also may share this information with our marketing vendors for the purposes of targeted advertising or cross-contextual behavioral advertising. |
| *The information we collect may include information about how you interact with our social media content.
**We may disclose your personal information to our data analytics providers, marketing service providers, database hosting vendors and auditors. |
When We Process Medical Bills On Behalf Of Our Customers
| Categories Collected
The personal information we collect may include: | Sources of Collection
We may collect your personal information from: | Business Purpose of Collection
The purposes of collection include: | Categories of Third Parties to Which Personal Information is Disclosed
We may disclose your personal information to: | Business Purpose of Disclosure
The purposes of disclosure include: | Is This Information Sold Or Used For Targeted Advertising? |
| Identifier Information* | • our customers
• our affiliates | • providing our medical bill automation, data capture and data imaging services
• complying with any applicable laws or regulations | • our service providers**
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • providing our medical bill automation, data capture and data imaging services
• conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • No. |
| *The information we collect may include your full name, date of birth, gender, race, marital status, signature, personal mailing address, personal e-mail address, personal telephone number, business mailing address, business e-mail address, business telephone number and employee ID.
**We may disclose your personal information to our document imaging, capture and extraction providers, data analytics vendors, payment processing vendors, file and data conversion vendors, file transfer vendors, database hosting vendors and our auditors. | |||||
| Medical Insurance Information† | • our customers
• our affiliates | • providing our medical bill automation, data capture and data imaging services
• complying with any applicable laws or regulations | • our service providers††
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • providing our medical bill automation, data capture and data imaging services
• conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • No. |
| †The information we collect may include your insurance coverage information, health insurance number, policy/plan information, workers’ compensation claim number, health insurance claim numbers and Medicare beneficiary identifiers.
††We may disclose your personal information to our document imaging, data capture and extraction providers, data analytics vendors, payment processing vendors, file and data conversion vendors, file transfer vendors, database hosting vendors and our auditors. | |||||
| Sensitive Personal Information (health information)# | • our customers
• our affiliates | • providing our medical bill automation, data capture and data imaging services
• complying with any applicable laws or regulations | • our service providers##
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • providing our medical bill automation, data capture and data imaging services
• conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • No. |
| #The information we collect may include your medical conditions, medical treatments, medical diagnoses, medications, physical and mental disabilities, medical, provider or hospital reports, physical characteristics/descriptions, sleep and exercise information and family medical history.
##We may disclose your personal information to our document imaging, capture and extraction providers, data analytics vendors, payment processing vendors, file and data conversion vendors, file transfer vendors, database hosting vendors and our auditors. | |||||
| Sensitive Personal Information (identity information)⸸ | • our customers
• our affiliates | • providing our medical bill automation, data capture and data imaging services
• complying with any applicable laws or regulations | • our service providers⸸⸸
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • providing our medical bill automation, data capture and data imaging services
• conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • No. |
| ⸸The information we collect may include your Social Security number, driver’s license number and tax identification number.
⸸⸸We may disclose your personal information to our document imaging, data capture and extraction providers, data analytics vendors, payment processing vendors, file and data conversion vendors, file transfer vendors, database hosting vendors and our auditors. |
When We Process Accounts Payable Invoices on Behalf of Our Customers
| Categories Collected
The personal information we collect may include: | Sources of Collection
We may collect your personal information from: | Business Purpose of Collection
The purposes of collection include: | Categories of Third Parties to Which Personal Information is Disclosed
We may disclose your personal information to: | Business Purpose of Disclosure
The purposes of disclosure include: | Is This Information Sold Or Used For Targeted Advertising? |
| Identifier Information* | • our customers
• our affiliates | • providing our accounts payable automation, data capture and data imaging services
• complying with any applicable laws or regulations | • our service providers**
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • providing our accounts payable automation, data capture and data imaging services
• conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • No. |
| *The information we collect may include your full name, date of birth, gender, race, marital status, signature, personal mailing address, personal e-mail address, personal telephone number, business mailing address, business e-mail address, business telephone number and employee ID.
**We may disclose your personal information to our document imaging, capture and extraction providers, data analytics vendors, payment processing vendors, file and data conversion vendors, file transfer vendors, database hosting vendors and our auditors. | |||||
| Sensitive Personal Information (identity information)⸸ | • our customers
• our affiliates | • providing our accounts payable automation, data capture and data imaging services
• complying with any applicable laws or regulations | • our service providers⸸⸸
• our affiliates • other entities during a corporate transaction • courts, litigants, regulators, arbitrators, administrative bodies or law enforcement for legal purposes | • providing our accounts payable automation, data capture and data imaging services
• conducting audits of our systems, policies and procedures • as part of sale, assignment, merger or other transfer of all or a portion of our organization or assets to other entities • as required by law or to resolve, investigate or manage actual or suspected legal claims | • No. |
| ⸸The information we collect may include your Social Security number and tax identification number
⸸⸸We may disclose your personal information to our document imaging, data capture and extraction providers, data analytics vendors, payment processing vendors, file and data conversion vendors, file transfer vendors, database hosting vendors and our auditors. |
Deidentified and Aggregated Information
We may process your personal information into aggregated, anonymized or de-identified form for any purpose. Aggregated, anonymized or de-identified information is information that can no longer reasonably identify a specific individual and is no longer “personal information.” We will only maintain and use this type of information in deidentified form and we will not attempt to reidentify this information, except for the purposes of validating our deidentification process.
The Children’s Online Privacy and Protection Act (COPPA) regulates online collection of information from persons under the age of 13. It is our policy to refrain from knowingly collecting or maintaining personal information relating to any person under the age of 13. If you are under the age of 13, please do not supply any personal information through the Website. If you are under the age of 13 and have already provided personal information through the Website, please have your parent or guardian contact us immediately using the information provided under Contact Us so that we can remove such information from our files. Please delete all Symbeo related cookies and restrict further collection of cookies using the methods outlined in the section How to Restrict Cookies in our Cookies Policy.
We generally retain your information as long as reasonably necessary to provide you the Services or to comply with applicable law and in accordance with our document retention policy. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means and the applicable legal requirements. We may retain copies of information about you and any transactions or Services you have used for a period of time that is consistent with applicable law, applicable statute of limitations or as we believe is reasonably necessary to comply with applicable law, regulation, legal process or governmental request, to detect or prevent fraud, to collect fees owed, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce other applicable agreements or policies or to take any other actions consistent with applicable law.
In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. This allows the specific information collected (name, email, address, phone number, etc.) to become anonymous, but allows Symbeo to keep the transaction or engagement data.
You may opt-out of receiving marketing and promotional messages from us, if those messages are powered by us, by following the instructions in those messages. If you decide to opt-out, you will still receive non-promotional communications that are necessary in the performance of our Services.
The Website may have links to other websites. Once you link to another site, you are subject to the privacy policy of the new site and its operator. We encourage you to carefully review the privacy policy of each entity to which you provide information.
We use administrative, technical, and physical safeguards, to protect your information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. We hold information about you at our own premises and with the assistance of service providers. Further public disclosure here of our security measures could aid those who might attempt to circumvent those security measures. If you have additional questions regarding security, please contact us directly using the information provided under Contact Us.
There are a number of U.S. states that provide specific data rights to residents of those jurisdictions regarding their personal information. This section of this Policy describes the rights available to those individuals who are entitled to them under applicable state privacy rights. If you have questions, or want more information about how to exercise your data rights, please contact us using the information provided under the section titled Contact Us.
1. What Data Rights Do You Have?
Depending on your state of residence, you may have the below rights with regards to your personal information. If you are a resident of California, you have access to special data rights and disclosures, which are described in this Policy under a separate section titled Data Rights For California Consumers.
Additionally, in California and Colorado and other states as applicable law requires, residents may use an opt-out preference signal to opt-out of targeted advertising or the sale or personal information. Symbeo recognizes the Global Privacy Control (GPC) browser setting that allows individuals to automatically signal their opt-out of the sale of their personal information or sharing of their personal information for the purposes of targeted advertising. You can opt-out of this sale or share by activating the opt-out preference signal or Global Privacy Control (GPC) on your browser. More information regarding GPC is available here.
2. How To Submit A Request
You can submit your request to exercise a data rights through:
As stated above, you can opt out of the “sale,” “sharing,” or use of your personal data for “targeted advertising” by selecting “Reject All” from our Cookie Banner or by broadcasting a GPC on your browser.
3. How We Process Data Rights Requests
Once we receive your request to exercise a right, we will confirm receipt and begin to evaluate, and if appropriate, process the request.
If you fail or refuse to provide the necessary information, we may not be able to process your request.
If we reject a request for any reason, we will inform you of the basis of the rejection. Not all individuals about whom we possess information will have access to these rights and we may not be able to provide these rights to everyone due to legal and jurisdictional limitations. We may not be able to comply with your request for a number of reasons, including:
If any of the above or other reasons apply, we will let you know in our response to your request.
4. Submitting A Request Through An Authorized Agent
You may designate an authorized agent to make a request to “opt-out” of sale, profiling or targeted advertising, as those rights are described above. Any authorized agent should make a request through the same mechanisms that are available to individuals. The request should clearly identify that the request is being made by an authorized agent and must include evidence of authorization. If we receive a request from an individual or an entity purporting to making the request on behalf of another individual, we can only comply with the request if we are able to sufficiently authenticate both the identity of the individual as well as the authorized agent’s authority to act on that individual’s behalf.
California has special rules regarding submitting requests through agents, so please review the appropriate disclosure in the section titled Data Rights For California Consumers.
5. Appeals And Complaints
If you disagree with our decision to reject your request or to any portion of our request, you have the right to appeal our refusal within a reasonable period of time. If you wish to appeal, please clearly and plainly describe your basis of disagreement with our decision by responding through the same means by which we communicated our refusal or by submitting your appeal through the information provided under Contact Us. We will review your appeal and either change our decision or reject your appeal, and in either case, we will provide a written explanation of the reason for the decision. This decision will be final.
However, if you still disagree with our decision, you have the right to submit a complaint to your attorney general of your state of residence. Your attorney general will have an online portal with details regarding how to submit complaints, and we will provide you with the applicable contact information if we deny your appeal.
The California Consumer Privacy Act (“CCPA”) provides the residents of California with the right to request the data rights as described in this section. For more information, or if you have questions, you can contact us using the information provided under Contact Us.
The categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for which we collect personal information and the categories of third parties to whom we disclose personal information are found in the general Policy under the section: What Information We Collect And Disclose And For What Purposes.
California residents have a right to know if we are “selling” or “sharing” their personal information, what categories of personal information are “sold” or “shared,” and to whom. The disclosure of your online, web-browsing information when you visit our website as described in the above chart to our online marketing and analytics providers may constitute a “sale” and “sharing” under California law. However, please note that Symbeo does not sell your personal information in the usual sense of the word. That is, we do not give your information to third parties in exchange for money. We do not knowingly “sell” or “share” the information of individuals under the age of sixteen years old.
However, we do not use or disclose your “sensitive” personal information for any purpose other than for the specific purposes described under the CCPA regulation § 7027(m) and always in a manner reasonably necessary and proportionate for these permitted purposes. For information on how we use or disclose your “sensitive” personal information, please see the applicable disclosures in the section titled: What Information We Collect From You And For What Purposes.
California residents can designate an authorized agent to make requests under the CCPA on their behalf relating to the residents’ personal information. Only you as a California resident, or a person you have designated in writing as your authorized agent, may make a consumer request related to your personal information.
If you wish to have an authorized agent make a verifiable consumer request on your behalf, they will need to provide us with sufficient written proof that you have designated them as your authorized agent, such as a power of attorney pursuant to California Probate Code sections 4000 to 4465. We will still require you to provide sufficient information to allow us to reasonably verify that you are the person about whom we have collected personal information. We can deny any request made by a purported authorized agent who does not submit proof that they has been authorized by the California resident to act on the California resident’s behalf.
We may amend this Policy at any time by posting revisions on our Website. If we make any material changes in the way we collect or process your personal information, we will notify you by prominently posting notice of the changes on our Website.
To submit questions, make a complaint, or to inquire about or submit a request relating to data rights, you can contact us by:
If you have any questions or concerns regarding our Privacy Policy, or if you believe our Privacy Policy or applicable laws relating to the protection of your personal information have not been respected, you may file a complaint with Symbeo using the contact information listed above, and we will respond to let you know who will be handling your matter and when you can expect a further response. We may request additional details from you regarding your concerns and may need to engage or consult with other parties in order to investigate and address your issue. We may keep records of your request and any resolution.
The above general Policy still applies to those individuals who reside outside of the United States. Due to various international regulations, those individuals may be entitled to additional disclosures and rights. This International Privacy Policy (the “International Policy”) supplements the above general Policy, but where the provisions of the general Policy and this International Policy cannot be construed consistently, this International Policy will govern.
Please note that by visiting the Website and ODC, your personal information is being stored or processed in the United States where our data center and servers are located and operated. The United States may not have privacy laws that are as strong or comprehensive as the privacy laws in your own country. Your personal information may also be stored in a multi-tenant cloud environment hosted by our service providers.
Depending on your country of residence, you may have data rights as provided by various laws, regulations and codes, which can include Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial regulations, the European Union General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. An interactive map showing the various privacy and protection laws around the world can be found here.
THIS INTERNATIONAL POLICY APPLIES TO ALL PERSONAL INFORMATION ABOUT YOU THAT WE COLLECT, HOLD, USE AND DISCLOSE, REGARDLESS OF THE WAY IN WHICH WE COLLECT IT (I.E. WHETHER THROUGH THE WEBSITE, THE ODC, THE SERVICES OR OTHERWISE).
Our International Policy includes:
You can find specific details about the personal information that we collect about you in the section What Information We Collect And Disclose And For What Purposes of the general Policy.
Where we are the data controller with regards to the personal information that we process, you may exercise your rights as a data subject, including the right to object to the processing of your personal information when it is processed based on legitimate interests, as described in this International Policy. Where we are collecting your personal information on behalf of another entity (i.e., we are not the data controller), we will provide you with the identity of the data controller to the extent we are required to do so by law.
As a general matter, we collect your personal information to perform our Services and administer our Website and the ODC. You can find specific details about the purposes for which we collect personal information about you in the section titled What Information We Collect And Disclose And For What Purposes.
We will only collect and process your personal information as is reasonably necessary for, or directly related to, administering our Website and the ODC or providing our Services to our customers.
Where we are the data controller with regards to the personal information that we process, we process your personal information upon the legal bases described herein. However, we primarily collect and process your personal information as a processor or service provider on behalf of our customers. This means that we collect, process and disclose your personal information at the direction of our customers. Where we are collecting your personal information on behalf of another entity (i.e., we are not the data controller as we do not exercise control over the purpose for which the data is processed), we will provide you with the identity of the data controller upon request so that you can contact them to understand the legal basis upon which your data is processed, to the extent we are required to do so by law.
When we are the data controller with regards to your personal information, we rely on the following legal grounds to process your personal information:
When You Visit Our Website Or Access The ODC
| Information Collected | Legal Basis for Processing |
| Identifier Information, including your internet protocol (IP) address and account log-in/password information.
| We process your personal information based upon:
• fulfilling your request that Symbeo provide you access to the Website and ODC • our legitimate interest in securing the Website and ODC against attacks, bot activity and unauthorized use |
| Geolocation Information | We process your personal information based upon:
• your consent • our legitimate interest marketing our Services to our customers • our legitimate interest in securing the Website and ODC against attacks, bot activity and unauthorized use |
| Internet or Other Electronic Network Activity Information, including your
• time zone setting • auth0 logs • pages visited • pages viewed • events and page loads • browser plug-in types and versions | We process your personal information based upon:
• your consent • fulfilling your request that Symbeo provide you access to the Website and ODC • our legitimate interest in securing the Website and ODC against attacks, bot activity and unauthorized use
|
| Device Information, including your operating system and platform and other technology on the devices you use to access the Website and ODC | We process your personal information based upon:
• your consent • fulfilling your request that Symbeo provide you access to the Website and ODC • our legitimate interest in securing the Website and ODC against attacks, bot activity and unauthorized use |
We may collect personal information from you in the form of cookies. For information regarding how we collect, process and disclose personal information in the context of cookies, view our Cookies Policy.
If You are an Employee of One of Our Customers, Vendors or Other Entity Involved with your Employer’s Business Relationship With Symbeo
| Information Collected | Legal Basis for Processing |
| Identifier Information, including your
• full name • business mailing address • business e-mail address • business telephone number | We process your personal information based upon:
• your consent • our legitimate interest in facilitating a business relationship with your employer |
When You Interact With Symbeo’s Social Media
| Information Collected | Legal Basis for Processing |
| Internet or Other Electronic Network Activity Information, including about how you interact with our social media content | We process your personal information based upon:
• our legitimate interest marketing our Services to our customers |
Except when otherwise permitted by law or binding regulation, we will obtain the requisite consent from you prior to collecting and, in any case, prior to using or disclosing your personal information for any purpose other than as disclosed in this International Policy. You may provide your consent to us orally, in writing, by electronic communication, through your actions or any other means reasonably capable of conveying your consent. However, your refusal to provide consent for collection (or your withdrawal of previously given consent) or to give your personal information when requested, can have negative consequences. For example, if you do not give consent for Symbeo’s collection of cookies, then the Website will not remember your preferences. In another example, if you do not provide your personal information when requested we may not be able to provide you with requested materials or disclosures.
We remain responsible for all personal information communicated to other entities for processing on our behalf. As such, we ensure that other entities that are engaged to provide products or services on our behalf and are provided with personal information are required to observe the intent of this International Policy by having comparable levels of security protection or, when required, by assuring us (through a confidentiality agreement) that they will not use or disclose the personal information for any purpose other than the purpose for which the personal information was communicated. You can find specific details about to whom Symbeo discloses your personal information in the section titled What Information We Collect And Disclose And For What Purposes.
We only collect the personal information necessary to fulfill the purposes identified to you prior to or at the time of collection, or any other reasonable and legitimate purposes or as required by law.
We do not use or disclose your personal information, except for the purposes for which it was collected, or new purposes to which you have consented, or as required or otherwise permitted by applicable law.
We do not, as a condition of providing the Website or performing our Services, or as an administrative or management requirement, require consent to the collection, use or disclosure of personal information beyond what is reasonably required for such purposes, or to comply with our obligations under applicable law or regulation.
We generally retain your information as long as reasonably necessary to provide you the Services or to comply with applicable law and in accordance with our document retention policy. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means and the applicable legal requirements. We may retain copies of information about you and any transactions or Services you have used for a period of time that is consistent with applicable law, applicable statute of limitations or as we believe is reasonably necessary to comply with applicable law, regulation, legal process or governmental request, to detect or prevent fraud, to collect fees owed, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce other applicable agreements or policies or to take any other actions consistent with applicable law.
There are a number of data privacy laws that provide specific data subject rights to residents of certain jurisdictions. This section of this International Policy describes the rights available to those individuals who are entitled to them. Not all individuals about whom we possess information will have access to these rights and we may not be able to provide these rights to everyone due to legal and jurisdictional limitations. We may not be able to comply with your request for a number of reasons, including:
If any of the above reasons apply, we will let you know in our response to your request. Note that we may be required to gather additional information from you in order to process your request. We will only use this information in the context of evaluating and responding to your request. If you fail or refuse to provide the necessary information, we may not be able to process your request.
Subject to the exceptions provided by applicable law or regulation, and depending on your country of residence, you may have the following rights regarding your personal information:
You can request to exercise these rights by using the information provided under Contact Us. Please be as specific as possible in your request so that we can meet the applicable handling timelines.
Finally, you have the right to raise a complaint with Symbeo or the appropriate data protection authority of your country of residence if you feel that Symbeo’s processing of your personal information violates your individual rights, is not in line with this International Policy or violates the privacy principals, laws or regulations of your country of residence.
An interactive map showing the various Data Protection Authorities around the world and how to contact them can be found here.
We will make every reasonable effort to respond to your written request not later than 30 days after receipt of such request. We will advise you in writing if we cannot meet your request within this time limit. When applicable, you have the right to make a complaint to the appropriate supervisory authority, as detailed in this International Policy, with respect to this time limit.
We expect to be able to respond to your request without charge as a general matter. However, where allowed by law, we reserve the right to collect a reasonable charge when you request the transcription, reproduction or transmission of such information. We will notify you, following your request of the appropriate amount that will be charged. You will then have the opportunity to withdraw your request.
We may require that you provide to us additional information to identify yourself before we provide information about the existence, use or disclosure of your personal information in our possession. Any such information that you provide to us shall be used only for this purpose.
You may opt-out of receiving marketing and promotional messages from us, if those messages are powered by us, by following the instructions in those messages. If you decide to opt-out, you will still receive non-promotional communications that are necessary to maintain the existing business relationship between you and Symbeo, to the extent there is one.
We will use reasonable efforts to ensure that your personal information is kept as accurate, complete and up to date as possible. We do not routinely update your personal information in our possession, unless such a process is necessary. In order to help us maintain and ensure that your personal information is accurate and up to date, you must inform us, without delay, of any change in the data that you have provided to us.
You can at any time, challenge the accuracy or completeness of the personal information we have about you, subject to the exceptions provided by applicable law. If you demonstrate that the personal information we have on you is inaccurate or incomplete, we will amend the personal information as required. Where appropriate, we will transmit the amended data to third parties to whom we have communicated your personal information.
We use security safeguards appropriate to the sensitivity of personal information to protect it from loss or theft, as well as unauthorized access, disclosure, copying, use or modification. These safeguards include physical measures, such as restricted access to offices and equipment, organizational measures, such as security clearances and publishing this policy to appropriate personnel with instructions to act in accordance with its principles (for example, limiting access on a “need to know” basis), and technological measures, such as the use of passwords and/or encryption.
To provide administer our business and provide our services, we may share your personal information with our affiliates or with third parties in locations around the world. When we transfer your personal information outside your jurisdiction, we will take steps to ensure that such data transfers comply with applicable data privacy laws. If you live in the European Economic Area (EEA) or the UK, your personal information therefore may be stored and processed outside the EEA and the UK and in countries that are not subject to an adequacy decision by the European Commission or the UK’s Information Commissioner’s Office and which may not provide for the same level of data protection. If we transfer or store personal information outside of the EEA, UK or other countries or economies that require legal protection for international data transfer, we will ensure that an adequate level of protection is provided, as further described below, entering into written intra-group data processing agreements with recipients that require them to provide the same level of protection, or relying on other legally-approved transfer mechanisms.
If you are a resident of the UK or European Economic Area (EEA), and your personal information is transferred outside of the UK or the EEA, we will:
To submit questions or to inquire about or submit a request relating to data rights, you can contact us by:
Attention: Privacy Officer
CorVel Corporation
1800 SW 1st Avenue, Suite 600
Portland, OR 97201