What We DoMeet the TeamCase StudiesFAQGet Started
Home / Privacy Policy

Privacy Policy

Your privacy matters. Here's how we protect it.

Last updated: February 1, 2026

Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Information Sharing
  4. Data Security
  5. Data Retention
  6. Your Rights and Choices
  7. Cookies and Tracking
  8. Children's Privacy
  9. International Data Transfers
  10. Changes to This Policy
  11. Contact Us

OPM Benefits, Inc. ("OPM Benefits," "we," "us," or "our") is committed to protecting the privacy and security of the personal information entrusted to us by our clients, their employees, and visitors to our website. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website, use our benefits administration platform, or interact with our services.

As a benefits administration provider, we understand the sensitive nature of the data we process, including protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). We maintain strict compliance with HIPAA, the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) where applicable, and all other relevant federal and state privacy laws.

1. Information We Collect

Personal Information

We collect personal information that you or your employer provide directly to us in connection with our benefits administration services. This information may include:

  • Identity information: Full name, date of birth, Social Security number (or last four digits), gender, and marital status
  • Contact information: Email address, mailing address, phone number, and emergency contact details
  • Employment information: Employer name, job title, department, employment status, hire date, salary information, and employee ID
  • Dependent information: Names, dates of birth, Social Security numbers, and relationship to the primary enrollee for any dependents enrolled in benefits
  • Benefits enrollment data: Plan selections, beneficiary designations, coverage levels, contribution elections, and qualifying life event documentation
  • Health-related information: Information necessary for benefits enrollment and administration, which may constitute protected health information (PHI) under HIPAA
  • Financial information: Bank account details for HSA/FSA contributions, payroll deduction authorizations, and billing information

Usage Data

When you access our platform or website, we automatically collect certain technical information, including:

  • Device information: Browser type and version, operating system, device type, screen resolution, and unique device identifiers
  • Log data: IP address, access times, pages viewed, time spent on pages, referral URLs, and clickstream data
  • Platform usage: Features accessed, enrollment progress, session duration, error logs, and interaction patterns within the application

Cookies and Similar Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to enhance your experience, analyze usage patterns, and maintain security. For detailed information about our cookie practices, please see Section 7 below.

2. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery

  • Processing and managing benefits enrollments, changes, and terminations
  • Transmitting enrollment data to insurance carriers via EDI feeds
  • Generating eligibility files and reconciliation reports
  • Administering COBRA continuation coverage notifications and elections
  • Providing employee self-service access to benefits information, digital ID cards, and plan documents
  • Processing qualifying life events and associated coverage changes

Communications

  • Sending enrollment reminders, confirmation notices, and deadline alerts
  • Providing customer support and responding to inquiries from employers and employees
  • Delivering system notifications, security alerts, and account updates
  • Sharing educational content about benefits plans and enrollment options (with appropriate consent)

Platform Improvement

  • Analyzing usage patterns to improve our platform's functionality, performance, and user experience
  • Conducting aggregate statistical analysis and benchmarking (using de-identified data only)
  • Developing new features and services based on user needs and feedback
  • Troubleshooting technical issues and ensuring system reliability

Legal and Compliance

  • Complying with applicable laws, regulations, and legal processes
  • Enforcing our terms of service and other contractual obligations
  • Maintaining audit trails as required by HIPAA, ERISA, and other regulatory frameworks

3. Information Sharing

We do not sell your personal information. We have never sold personal information and have no plans to do so. We share your information only in the following limited circumstances:

Service Providers and Business Partners

We share personal information with third parties who perform services on our behalf or on behalf of our clients, including:

  • Insurance carriers: To process enrollments, changes, and claims as directed by our clients
  • HRIS and payroll providers: To synchronize employee data and payroll deductions as configured by our clients
  • Cloud infrastructure providers: Who host our platform under strict data processing agreements with SOC 2 Type II certification
  • Communication service providers: For sending transactional emails and notifications

All service providers are contractually obligated to protect your data and may only use it for the specific purposes we authorize. Where PHI is involved, we maintain Business Associate Agreements (BAAs) as required by HIPAA.

Legal Requirements

We may disclose your information when required to do so by law, regulation, subpoena, court order, or other legal process. We will notify the affected client and, where possible, the affected individuals before making such disclosures, unless prohibited from doing so by law or court order.

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will provide notice of any such transfer and any choices you may have regarding your information.

With Your Consent

We may share your information for purposes not described in this policy with your explicit consent or at your direction.

4. Data Security

We take the security of your data extremely seriously and implement comprehensive administrative, technical, and physical safeguards designed to protect your information from unauthorized access, disclosure, alteration, and destruction.

Encryption

All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption. Database fields containing sensitive identifiers such as Social Security numbers are subject to additional application-level encryption with key management through a dedicated hardware security module (HSM).

Access Controls

We enforce role-based access control (RBAC) throughout our platform. Access to personal information is limited to employees and contractors who require it to perform their job functions. All access is logged and subject to regular review. Multi-factor authentication (MFA) is required for all administrative access to our systems.

SOC 2 Compliance

OPM Benefits maintains SOC 2 Type II certification, demonstrating our commitment to the highest standards of security, availability, processing integrity, confidentiality, and privacy. Our SOC 2 report is available to clients and prospective clients upon request and under NDA.

Additional Measures

  • Annual penetration testing by independent third-party security firms
  • Continuous vulnerability scanning and patch management
  • Intrusion detection and prevention systems (IDS/IPS)
  • 24/7 security monitoring through our Security Operations Center (SOC)
  • Comprehensive incident response plan tested through regular tabletop exercises
  • Employee background checks and ongoing security awareness training

5. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, and to support the legitimate business needs of our clients.

Specifically:

  • Active enrollment data is retained for the duration of the client relationship and for a minimum of seven (7) years following termination, consistent with ERISA record-keeping requirements
  • HIPAA-related records are retained for a minimum of six (6) years from the date of creation or the date when the record was last in effect, whichever is later, as required by 45 CFR 164.530(j)
  • Platform usage data and analytics are retained in identifiable form for no more than twenty-four (24) months, after which they are anonymized or deleted
  • Marketing and communication preferences are retained until you update or revoke them

Upon written request from a client following the termination of their service agreement, we will securely delete or return all client data within ninety (90) days, subject to our legal retention obligations. Individual employees may also request deletion of their personal data, subject to our clients' retention requirements and applicable law.

6. Your Rights and Choices

Depending on your location and applicable law, you may have certain rights regarding your personal information:

Access

You have the right to request access to the personal information we hold about you. We will provide this information in a commonly used, machine-readable format upon verified request.

Correction

You have the right to request that we correct inaccurate or incomplete personal information. For benefits-related data, correction requests should typically be submitted through your employer's HR department to ensure proper authorization and carrier notification.

Deletion

You have the right to request the deletion of your personal information, subject to certain exceptions including our legal retention obligations, ongoing service obligations to our clients, and the exercise or defense of legal claims.

Opt-Out

You may opt out of non-essential communications such as marketing emails at any time by clicking the "unsubscribe" link in any marketing communication or by contacting us directly. Please note that you cannot opt out of transactional communications related to your benefits enrollment or account security.

CCPA-Specific Rights (California Residents)

If you are a California resident, you have the additional right to:

  • Know what personal information we collect, use, and disclose about you
  • Request deletion of your personal information, subject to legal exceptions
  • Opt out of the "sale" of personal information (note: we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

GDPR-Specific Rights (EEA/UK Residents)

If you are a resident of the European Economic Area or the United Kingdom, you have additional rights including the right to data portability, the right to restrict processing, and the right to object to processing based on legitimate interests. Our legal basis for processing your data will depend on the specific context, but typically relies on contractual necessity, legitimate interests, or your consent.

To exercise any of these rights, please contact us at privacy@opm-benefits.com. We will respond to verified requests within thirty (30) days, or within the timeframe required by applicable law.

7. Cookies and Tracking

We use cookies and similar technologies to provide, secure, and improve our services. Here is a breakdown of the types of cookies we use:

Strictly Necessary Cookies

These cookies are essential for our platform to function and cannot be disabled. They include session cookies that maintain your authenticated state, security cookies that prevent cross-site request forgery (CSRF), and load-balancing cookies that ensure reliable service delivery. These cookies do not store any personally identifiable information.

Functional Cookies

These cookies enable enhanced functionality and personalization, such as remembering your language preferences, theme settings, and previously viewed plan comparisons. While not strictly necessary, they significantly improve your experience.

Analytics Cookies

We use analytics cookies to understand how visitors interact with our website and platform. This data is aggregated and anonymized to help us improve our services. We use tools such as Google Analytics (with IP anonymization enabled) and our own first-party analytics.

Managing Cookies

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, though this may impact your ability to use certain features of our platform. For our benefits administration platform, strictly necessary cookies must be enabled for the system to function properly.

8. Children's Privacy

Our website and services are not directed to individuals under the age of thirteen (13), and we do not knowingly collect personal information from children under 13. The only circumstance in which we may process information relating to minors is when a parent or legal guardian enrolls a minor child as a dependent in an employer-sponsored benefits plan. In such cases, the information is provided and authorized by the parent or guardian and is processed solely for the purpose of benefits enrollment and administration.

If we become aware that we have inadvertently collected personal information from a child under 13 outside of the dependent enrollment context, we will take steps to delete that information as promptly as possible. If you believe we may have collected information from a child under 13, please contact us immediately at privacy@opm-benefits.com.

9. International Data Transfers

OPM Benefits, Inc. is headquartered in Chicago, Illinois, United States. Our platform infrastructure is hosted within the United States using data centers that maintain SOC 2 Type II and ISO 27001 certifications. If you access our services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where necessary. We also conduct transfer impact assessments to evaluate the level of protection afforded to personal data in the receiving jurisdiction.

Our clients operating internationally should contact us to discuss specific data transfer mechanisms and supplementary measures appropriate to their circumstances.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Provide notice through our platform dashboard for active users
  • Notify client administrators via email at least thirty (30) days before material changes take effect
  • Post a prominent notice on our website for at least thirty (30) days

We encourage you to review this policy periodically. Your continued use of our services after changes become effective constitutes your acknowledgment of the modified policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

OPM Benefits, Inc.
Attn: Privacy Team
200 West Madison Street, Suite 2100
Chicago, IL 60606

Email: privacy@opm-benefits.com
Phone: (312) 555-0180

For HIPAA-related inquiries, please reference our HIPAA Notice or contact our HIPAA Privacy Officer directly at privacy@opm-benefits.com.

If you are not satisfied with our response to your privacy concern, you may have the right to lodge a complaint with your local data protection authority.