Privacy Policy
Effective: May 18, 2026
Confirmidy, LLC (referred to as “Confirmidy”, “we”, “us”, or “our”) takes your privacy seriously. When you visit confirmidy.com or its benefit technology platform (referred to as the “Sites”), we take steps to protect your privacy and the information you provide us. Confirmidy collects, uses, discloses, and protects Personal Information in connection with our benefit enrollment technology (the “Services”).
This Policy applies to all individuals whose Personal Information we process, including employees, plan participants, beneficiaries, brokers, and employers who use the Sites. Please read this policy in its entirety. By accessing or using our Sites or Services you acknowledge you have read and understood this Privacy Policy.
Definitions
“Cookies” means pieces of information that a web site transfers to an individual’s hard disk for record keeping purposes.
“Cross-Context Behavioral Advertising” means advertising that is targeted to you based on Personal Information obtained from your activity across businesses, distinctly branded internet websites, applications, or services.
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
“Sensitive Personal Information” means Personal Information that reveals an individual’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; genetic data; biometric information processed for the purpose of uniquely identifying a consumer; personal information collected and analyzed concerning a consumer’s health; or personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
“Services” means the provision, maintenance, and improvement of the benefit technology platform for the enrollment and administration of employee benefits.
Types of Personal Information we collect.
We may collect one or more of the following categories of Personal Information:
Information You Provide Directly:
Identifiers (i.e. full legal name, date of birth, Social Security Number or Tax Identification Number, home address, email address, phone number, online identifier, IP address, user ID);
Plan elections, coverage tier selections, dependent information, beneficiary designations, and qualifying life event documentation;
Professional or employment related information (i.e. employer name, position title, hire date, employment status, compensation data, and termination date); and
Usernames, passwords, and multi-factor authentication data.
Information We Collect Automatically:
IP Address, browser type and version, operating system, device identifiers, geolocation data, referring URLs, pages visited, and other similar device data;
Feature interactions, session duration, clickstream data, search queries within the Sites, as well as error logs; and
Cookies, web beacons, as well as similar technologies.
Information from Third Parties:
Eligibility files, payroll data, employment verification data, claims data, EOB information, and plan-specific eligibility confirmations;
Identity verification and fraud prevention data; and
Characteristics of protected classification (i.e. sex, age, etc.).
How we use your Information.
We collect and use your Personal Information for the following business purposes:
Benefit Administration:
Processing benefit enrollments, changes, qualifying life event changes, and terminations;
Verifying eligibility for insurance plans and other ancillary benefit programs;
Generating and distributing required employee benefit notices and plan documents; and
Coordinating with insurance carriers and third-party administrators.
Legal and Regulatory Compliance:
Complying with ERISA, HIPAA, ACA, COBRA, FMLA, and other applicable federal and state laws;
Responding to audits, government inquiries, and regulatory examinations;
Fulfilling tax reporting obligations; and
Maintaining records as required by applicable law.
Platform Operations and Security:
Authenticating users and preventing unauthorized access;
Detecting, investigating, and preventing fraud, abuse, and security incidents;
Monitoring platform performance and diagnosing technical issues; and
Improving and developing platform features and functionality.
Communications:
Sending enrollment confirmations, plan change notifications, and deadline reminders;
Providing customer support and responding to inquiries;
Sending required legal notices and plan communications on behalf of employer plan sponsors; and
Delivering service updates and policy change notifications.
Analytics and Business Intelligence:
We may use de-identified and aggregated data for internal analytics, benchmarking, and improving our Services.
To provide and maintain our Site, products, and services;
To communicate with you about our products, services, and promotions, including any new features;
Improving our marketing and promotional efforts; and
To personalize your experience on our Site and with our products and services, including customizing our Site, content, products and services.
For any other purpose disclosed to you at the time of collection.
We use Sensitive Personal Information only as necessary to provide the Services, comply with legal obligations, or as otherwise permitted by law. We do not use Sensitive Personal Information for inferring characteristics unrelated to our Services. De-identified data is not Personal Information and is not subject to this Privacy Policy.
Legal Basis for Processing.
Depending on your location and the nature of the processing activity, we process Personal Information to meet contractual obligations, legal obligations, and legitimate interests. We process Personal Information:
as necessary to administer benefit plans on behalf of your employer;
to comply with ERISA, HIPAA, ACA, tax law, as well as other applicable regulations; and
to prevent fraud, enhance platform security, and perform internal analytics.
When required by law, we obtain your consent for specific uses, such as electronic delivery of plan documents. You may withdraw consent at any time without affecting prior processing.
Disclosure of Personal Information.
We may disclose your Personal Information to service providers, processors, and agents who perform services on our behalf, to affiliates and subsidiaries, as well as to government entities or law enforcement agencies. Service providers are contractually required to use your information only as directed and to implement appropriate safeguards. We enter into data processing agreements as required by applicable law.
As a benefit administration platform, we process information on behalf of employer plan sponsors acting as plan administrators. We share plan participant information with the sponsoring employer to the extent necessary to administer benefit plans, subject to applicable HIPAA and ERISA restrictions.
We share enrollment, eligibility, and other required data with insurance carriers and third-party administrators to effectuate coverage and process claims.
We also share Personal Information for legal and regulatory purposes to comply with applicable federal, state, or local law. Such disclosures may be in response to lawful subpoenas, court orders, or government requests, or to protect our rights, property, or safety, or that of other users. Further, you authorize us to disclose any information about you to law enforcement or other government officials as we, in our sole discretion, believe necessary or appropriate.
Personal Information may also be disclosed in connection with a merger, acquisition, asset sale, or other corporate transaction. Further, Personal Information may be transferred to a successor entity, subject to the same privacy commitments described in this Policy.
We share aggregated demographic and profile data collected via our Sites with our advertisers. This information is in aggregate form and does not identify individuals.
We cannot ensure that all your private communication or other Personal Information will never be disclosed in ways not otherwise described under this policy. For example, we may be forced to disclose information to the government or third parties under certain circumstances, or third parties may unlawfully intercept or access transmissions or private communications. Although we use industry standard practices to protect your privacy, we do not promise, nor should you expect, that your Personal Information or private communications will remain private.
Except as otherwise stated in this policy, we do not sell, rent, lease, or share Personal Information.
HIPAA and Health Information.
To the extent we receive, maintain, or transmit Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), we do so in our capacity as a Business Associate of Covered Entity plan sponsors. Our use and disclosure of PHI is governed by our Business Associate Agreement (“BAA”) and applicable HIPAA regulations.
We implement HIPAA-required administrative, physical, and technical safeguards to protect PHI, and we comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Requests relating to PHI should be directed to your employer plan administrator, who serves as the Covered Entity under HIPAA.
HIPAA Notice. If you are a plan participant and have questions about your rights under HIPAA, including your right to access or amend your PHI, please contact your employer’s plan administrator. If you believe your HIPAA rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr.
Data Retention.
We retain Personal Information for as long as necessary to provide the Services, fulfill the purposes described in this Policy, and comply with applicable legal, regulatory, and contractual obligations. Retention periods vary based on:
the type of information and applicable legal retention requirements;
the nature of the employer-employee relationship and applicable state law;
applicable statute of limitations periods for potential legal claims; and
instructions from employer plan sponsors regarding their record retention policies.
When Personal Information is no longer required, we securely delete or anonymize it in accordance with our data retention schedule. Backup copies may be retained for a limited additional period before secure deletion.
We review our retention periods for Personal Information on a regular basis. We will securely delete or anonymize Personal Information that is no longer needed for the purposes for which it was collected.
Cookies and Tracking Technologies.
We use Cookies and similar tracking technologies to operate and improve our Sites. Our Site uses Cookies during your online session to deliver content specific to your interests. Cookies allow us to avoid showing you the same ad or other message repeatedly and allow us to tailor the Sites to better match your interests and preferences.
We use the following categories of Cookies:
Necessary Cookies: Essential for platform authentication and session management. These cannot be disabled.
Functional Cookies: Enable personalization features such as language preferences and saved settings.
Analytical Cookies: Used to understand how users interact with our platform and identify areas for improvement. These use aggregated data only.
Security Cookies: Used to detect fraudulent activity and protect the integrity of our platform.
Additionally, the information we may collect through cookies and similar tracking technologies includes:
Pages visited;
Time spent on pages;
Links clicked;
Preferences selected;
Device information (i.e. browser type, operating system); and
IP address and approximate location derived from IP address.
Use of advertising and analytics technologies.
Confirmidy uses third-party advertising and analytics platforms to enhance user experience, track website performance, and improve marketing efforts. Some of the technologies we use include, but are not limited to, Google Tag Manager, Google Analytics 4, Google Ads, LinkedIn Ads, ChatGPT, Claude, Gemini, and other similar platforms. These platforms collect and analyze data regarding user interactions with our website, such as page visits, time spent on pages, conversion tracking, and ad effectiveness. Some of this data may be used for personalized advertising based on user interests and behaviors.
Data Security.
We implement a comprehensive information security program designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our security measures include:
Encryption of Personal Information in transit (TLS 1.2 or higher) and at rest (AES-256);
Role-based access control limiting access to personal information to authorized personnel with a business need;
Multi-factor authentication for platform access;
Regular penetration testing, vulnerability scanning, and security audits;
Employee security awareness training; and
Incident response and breach notification procedures compliant with applicable state and federal law.
While we take these measures seriously, no method of transmission or storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. If a data breach affects your Personal Information, we will notify you and applicable regulators, as required by applicable law.
No international data transfers.
We primarily operate in the United States and do not transfer personal information to countries other than the country in which the data was originally collected for the purposes described in this privacy policy. If we transfer Personal Information across borders, we take appropriate safeguards to protect your information and comply with applicable legal requirements.
Children’s Privacy.
Our Services are not directed to children under the age of 13, and we do not knowingly collect Personal Information from children under 13. We may collect information about minor dependents enrolled in benefits plans sponsored by their parent’s or guardian’s employer. Such information is collected and used solely for benefit administration purposes in accordance with this Policy.
If you believe we have inadvertently collected personal information from a child under 13 without appropriate consent, please contact us at the information provided below, and we will take steps to delete such information.
We do not knowingly sell or share the Personal Information of consumers under 13 years of age.
Your Rights.
Depending on your state of residence, you may have the following rights with respect to your Personal Information:
Right to Know or Access. You may request access to the Personal Information we have collected about you.
Right to Delete. You may request we delete Personal Information we have collected from you, subject to exceptions.
Right to Correct. You may request we correct inaccurate Personal Information we maintain about you.
Right to Opt-Out. You may opt-out of the sale or sharing of your Personal Information for cross-context behavioral advertising purposes. We do not currently sell or share your Personal Information for cross-context behavioral advertising purposes.
Right to Limit Use and Disclosure. You may direct us to limit our use and disclosure of your Sensitive Personal Information, if any, to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer.
Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.
Right to Appeal. Where applicable by state law, you have the right to appeal our decision regarding your rights request.
We will respond to your requests within the timeframe required by applicable law, which is generally 45 days, unless an extension is permitted. In addition, the Sites give you the opportunity to opt-in to receive communications from us and our partners at the point where we request information about you.
Residents of certain states have the option to have an authorized agent exercise certain of these rights on their behalf. If you are an authorized agent, you will be required to submit your contact information and a certification, as well as provide certain information about the consumer for whom you are making a request. Residents of certain states may also have the right to appeal our denial of one or more of the above requests. To submit an appeal, please contact us using the information provided above.
How to Exercise Your Privacy Rights.
To submit a privacy request or inquiry, please use one of the following methods:
Email: compliance@confirmidy.com
Phone: 1-866-405-6531
Mail: Confirmidy
ATTN: Privacy Officer
116 Agnes Rd
Suite 200
Knoxville, TN 37919
Hours: 8:00 AM – 5:00 PM, Monday – Friday
Verification Process.
To protect your privacy and security, we take reasonable steps to verify your identity before granting access to your Personal Information or complying with your request. Our verification process may vary depending on the nature and sensitivity of the request. We may require you to provide:
Name and email address associated with your account;
A description of your request; or
A declaration under penalty of perjury that you are the individual whose Personal Information is the subject of the request.
For requests related to particularly sensitive information, we may require additional proof of identification, such as a copy of a government-issued ID or a recent utility bill.
For certain requests, we may use a third-party identity verification service to confirm your identity. This service may ask you questions based on public records or credit reports to verify your identity.
If we are unable to verify your identity to a reasonable degree of certainty, we may deny your request and explain the reasons for the denial.
We will verify your identity before processing your request using information we already have on file. We will not require you to create an account to submit a request. Authorized agents may act on your behalf with written authorization and identity verification. We will respond within the timeframe required by applicable law and will not discriminate against you for exercising your rights.
Contact Us.
If you have questions, concerns, or requests regarding this policy or our privacy practices, please contact us at the email, phone, or physical mail address above.
For HIPAA related inquiries, please also contact your employer’s plan administrator as the Covered Entity under HIPAA.
To file a complaint with the FTC: www.ftc.gov/complaint
To file a complaint with HHS OCR (HIPAA): www.hhs.gov/ocr/complaints
Changes to this privacy policy.
We may update this policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. The date of the most recent revision to this policy will be provided at the top of the policy. We will notify you, as well as employer plan sponsors, of any material changes by posting the updated policy on our site and seeking your consent if required by law. Please review this policy periodically to stay informed of our privacy practices. This policy is not intended to, and does not, create any contractual or other legal rights in or on behalf of any party. Your continued use of our Services following the effective date of a revised Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.
Terms and Conditions of Use.
If you choose to visit one of our Sites, your visit and any dispute over privacy is subject to this policy and our Terms of Use, including limitations on damages, arbitration of disputes, and application of the law of the State of Tennessee. If you have any concern about privacy at Confirmidy, please send us a thorough description to one of the contact options above, and we will review it. Our business changes constantly. This privacy policy and the Terms of Use will change, from time to time, as our use of the information changes. We may email periodic reminders of our notices and conditions, unless you have instructed us not to, and you should check our Sites frequently to see recent changes.
State-Specific Provisions
In addition to the rights described above, California residents have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA):
Right to Know: You may request disclosure of the categories and specific pieces of Personal Information collected, the categories of sources from which Personal Information is collected, the business purpose for collecting or selling Personal Information, and the categories of third parties with whom the business shares Personal Information. However, Confirmidy does not sell your Personal Information, as that term is defined under the CCPA.
Right to Delete: You may request deletion of Personal Information we have collected, subject to certain exceptions.
Right to Opt-Out of Sale: You may opt-out of the sale of Personal Information to third parties. However, Confirmidy does not sell your Personal Information, as that term is defined under the CCPA.
Right to Opt-Out of Sharing: You may opt-out of sharing of Personal Information to third parties.
Right to Limit Use of Sensitive Personal Information: You may limit the use and disclosure of sensitive Personal Information for certain purposes.
Right to Correct: You may request correction of inaccurate Personal Information.
Right to Designate an Authorized Agent: You may designate an authorized agent to make a request on your behalf. Your authorized agent may make a request on your behalf upon our verification of the agent’s identity and our receipt of a copy of a valid power of attorney given to your authorized agent pursuant to California Probate Code Sections 4000-4465. If you have not provided your agent with such a power of attorney, you must provide your agent with signed permission to exercise your CCPA rights on your behalf, provide the information we request to verify your identity, and provide us with written confirmation that you have given the authorized agent permission to submit the request. Authorized agents are required by California law to implement and maintain reasonable security procedures and practices to protect their clients’ information.
California residents may submit requests by contacting us at compliance@confirmidy.com or by calling 1-866-405-6531. We respond to verified requests within 45 days (extendable by an additional 45 days with notice). We verify identity using information already on file. Authorized agents may submit requests on your behalf with written permission.
California Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about disclosures of Personal Information to third parties for direct marketing purposes. We do not disclose information for direct marketing purposes.
Residents of Colorado, Connecticut, Virginia, Texas, and Other States with Comprehensive Privacy Laws.
Residents of Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), Montana (MCDPA), Nevada, Oregon, Delaware, Iowa, Indiana, Tennessee, and other states with comprehensive consumer privacy laws may have the following rights, subject to applicable exceptions and limitations:
Right to Access: Confirm whether we process your Personal Information and access such data.
Right to Correct: Request correction of inaccurate Personal Information.
Right to Delete: Request deletion of Personal Information we have collected from you.
Right to Data Portability: Receive a copy of your Personal Information in a portable format.
Right to Opt-Out: Opt-out of processing for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects. We do not engage in these activities with respect to benefit administration data.
Right to Appeal. If we decline to act on your request, you may appeal our decision by contacting us as described below.
To exercise these rights, please submit a request to compliance@confirmidy.com. We respond to verified requests within the timeframes required by your state’s applicable law.
Residents of Nevada.
Nevada residents have the right to opt out of the sale of their covered information. We do not sell covered information as defined under Nevada law. Nevada residents may still submit an opt-out request to compliance@confirmidy.com.
Residents of Illinois – Biometric Information Privacy Act (BIPA).
We do not collect biometric identifiers or information as defined under the Illinois Biometric Information Privacy Act.
Residents of New York.
We comply with the New York SHIELD Act requirements, including reasonable administrative, technical, and physical safeguards for private information of New York residents. In the event of a breach, we notify affected New York residents and applicable regulators as required.
Residents of Washington – My Health My Data Act.
Washington residents have additional protections for consumer health data under the My Health My Data Act. We do not sell consumer health data, and we obtain consent before collecting health information beyond what is strictly necessary for the requested service. Washington residents may request deletion of consumer health data and opt out of its collection when permitted by law.
Residents of Other States.
We monitor evolving state privacy law requirements across all 50 states and update our practices accordingly. If your state has enacted a consumer privacy law not addressed above, we will honor legally required rights in your state. Please contact us for more information about your specific state rights.
Additional Information.
Do Not Track Signals. Some web browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked. Our Site does not currently respond to “Do Not Track” signals.
Third Party Links. Our Site may contain links to third-party websites or services. This privacy policy does not apply to such third-party content or services, which are subject to their own privacy policies. We encourage you to read the privacy policies of any third-party websites you visit.
Accessibility. We are committed to ensuring our privacy policy is accessible to individuals with disabilities. If you need assistance accessing our privacy policy, please contact us using the information above.
By using our Sites, you acknowledge you have read and understood this privacy policy and agree to our collection, use, and disclosure practices as described herein. If you do not agree with our policies and practices, you may choose not to use our Sites.
