Data Privacy and Security
Aon is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Aon is committed to protecting your privacy. This commitment reflects the value we place on earning and keeping the trust of our customers, business partners, and others who share their personal information with us.
What does this Privacy Notice do?
This Privacy Notice (“Notice”) explains Aon’s information processing practices. It applies to any personal information you provide to us and any personal information we collect from other sources. This Notice is a statement of our practices and of your rights regarding your personal information. This is not a contractual document, and it does not create any rights or obligations on either party, beyond those which already exist under data protection laws.
This Notice does not apply to your use of any third party sites linked to our mobile application or member website (“App/Website”).
Who is responsible for your information?
Throughout this Notice, “Aon” refers to Aon Singapore Center for Innovation, Strategy and Management Pte. Ltd (also referred to as “we”, “us”, or “our”)which is responsible for your personal information (and the controller for the purposes of data protection laws) that we collect from or about you.
When and how do we collect your information?
We collect personal information in the following ways:
- From you and your interactions within the App/Website;
- From our clients, such as your employer, where we perform services for them;
- From other Aon affiliates, where we provide related services to your employer;
- From third party devices or apps that you connect to our App.
What information do we collect?
Information provided to us
When you request services (including your access and use of our App/Website), we ask that you provide accurate and necessary information that enables us to respond to your request. When you provide personal information to us, we use it for the purposes for which it was provided to us, as stated at the point of collection, or as obvious from the context of collection, for example creating a profile on our App/Website or calculating your Health Score and Financial Well-being Score.
When we provide the services, we may collect personal information such as:
- Basic personal data including height, weight, age, date of birth, gender, name, picture and personal contact details (address, location and email address);
- Unique identifiers such as employee ID, username, password;
- Employment information such as employment status, business unit and date of termination (for App/Website subscription purposes);
- Sensitive information such as any previous health concerns or clinical issues, details about your family history (especially relating to health concerns or clinical issues), details about your lifestyle and activities (including underlying GPS data), clinical information and similar data enabling us to provide your with the Health Score and information about your health, including a number of potential health risks based on your clinical background and lifestyle, in the frame of the Wellbeing programs sponsored by your employer.
- Activity information including information about your activities on the App/Website, participation in challenges, accumulated points
If you provide us with sensitive personal information, you understand and give your explicit consent that we may collect, use and disclose this information to appropriate third parties for the purposes described in this Notice.
If you provide personal information about other individuals such your relatives, you must obtain their consent prior to your disclosure to us.
More information about the personal information collected for each of our services, together with the purpose and legal basis for collecting the information is provided below.
Information collected via App/Website
More information about the personal information collected for each of our services, together with the purpose and legal basis for collecting the information is provided below.
Information collected via Mobile Devices
Where you access our App/Website on your mobile telephone or mobile device, we may also collect your unique device identifier and mobile device IP address, as well as information about your device’s operating system, mobile carrier and your location information.
Information Collected via Social Media
You can engage with us through social media websites or through features such as plug-ins or applications on our App/Website that integrate with social media sites. You may also choose to link your account with us to third party social media sites. When you link your account or engage with us on or through third party social media sites, plug-ins, or applications, you may allow us to have ongoing access to certain information from your social media account (e.g. name, e-mail address, photo, gender, birthday, the posts or the ‘likes’ you make).
How do we use your personal information?
The following is a summary of the purposes for which we use personal information.
Running the Aon Well One well-being program
- To run the Aon Well One well-being program sponsored by your employer, including the preparation of reports on the well-being state of their employees as requested by your employer from time to time. Such reports will be prepared on an aggregated basis, so your name and identity will not be disclosed to your employer;
- However, if you take part in activities or challenges with the possibility of receiving a reward, it will be necessary to link you to that particular activity or challenge and the result achieved, and to share this information with your employer;
- To make the App/Website available to you;
- To gather your health, well-being and fitness activity to enable us to calculate your Health Score and Financial Well-being Score; and
- To communicate with you via email, post, telephone or push notifications depending on your communication preferences and/or the methods you have chosen.
Conducting data analytics
We are an innovative business, which relies on developing sophisticated products and services by drawing on our experience from prior engagements. We are not concerned with an analysis of identifiable individuals, and we take steps to ensure that your rights and the legitimacy of our activities are ensured through the use of aggregated or otherwise de-identified data.
If we wish to use your personal information for a purpose which is not compatible with the purpose for which it was collected for, we will request your consent as required. In all cases, we balance our legal use of your personal information with your interests, rights, and freedoms in accordance with applicable laws and regulations to make sure that your personal information is not subject to unnecessary risk.
What is our legal basis for processing your information?
All processing (i.e. use) of your personal information is justified by a “lawful basis” for processing. In the majority of cases, processing will be justified on the basis that it is:
- Necessary to pursue your employer’s legitimate commercial interests ensuring that the processing does not infringe the rights and freedoms conferred to you under applicable data privacy law;
- Necessary for regulatory purposes: to allow for calculation of tax payments.
- In limited circumstances, necessary for statistical purposes:. to improve understanding of well-being trends and other demographic aspects. Appropriate steps are taken to ensure that any output of statistical analyses will not include personal information which might reasonably identify you; and
- In limited circumstances, processed with your consent, for example where your prior authorisation or request is required in order to send you marketing communications. . Also when you register for the challenge, or where your employer is offering Rewards based on points accumulated in Well One you agree to disclose of data related to your participation to your employer or when you agree to a transfer of rewards data to third parties, your consent is a legal basis. The same shall apply if you provide us with sensitive dat You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Do we collect information from children?
We do not directly provide services to children, and we do not knowingly collect personal information from children.
How long do we retain your personal information?
How long we retain your personal information depends on the purpose for which it was obtained and its nature. We will keep your personal information for no more than the time required to fulfil the purposes described in this Notice unless a longer retention period is permitted by law. We have implemented appropriate measures to ensure your personal information is securely destroyed in a timely and consistent manner when no longer required.
In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.
Do we disclose your personal information?
With other Users
By default, all registered users of our App/Website are displayed with their name and profile picture. For all other data, you control and decide yourself which Data shall be accessible to other users. You can change the privacy settings of your account at any time and thereby determine who will be able to see which data.
We may share your personal information with other Aon entities, brands, divisions, and subsidiaries to serve you, including for the activities listed above.
We do not rent, sell or otherwise disclose personal information with unaffiliated third parties for their own marketing use. We do not share your personal information with third parties except in the following circumstances discussed below.
We disclose personal information to business partners who provide certain specialized services to us as part of the well-being service and rewards providers. These business partners operate as separate controllers and are responsible for their own compliance with data protection laws. You should refer to their privacy notices for more information about their practices.
In some situations, we may share aggregated information with aligned insurance carrier partners that have contracted Well One services on your behalf and of your employer. Please note that in this circumstance, no personally identifiable information is shared with the insurance carrier partner.
Authorized Service Providers
We may disclose your information to service providers we have retained (as processors) to perform services on our behalf (either in relation to services performed for our clients, or information which we use for our own purposes, such as marketing). These service providers are contractually restricted from using or disclosing the information except as necessary to perform services on our behalf or to comply with legal requirements. These activities could include any of the processing activities that we carry out as described in the above section, ‘How we use your personal information.’
- IT service providers who manage our IT and back office systems and telecommunications networks;
- specialist service providers, including those supporting our App/Website.
These third parties appropriately safeguard your data, and their activities are limited to the purposes for which your data was provided.
Legal Requirements and Business Transfers
We may disclose personal information (i) if we are required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request. (ii) in response to law enforcement authority or other government official requests, (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, (iv) in connection with an investigation of suspected or actual illegal activity or (v) in the event that we are subject to a merger or acquisition to the new owner of the business. Disclosure may also be required for company audits or to investigate a complaint or security threat.
We may disclose your information in the situations detailed in section How do we use your personal information.
Do we transfer your personal information across geographies?
We are a global organization and may transfer certain personal information across geographical borders to our, authorized service providers or business partners in other countries working on our behalf in accordance with applicable law. Our affiliates and third parties may be based locally or they may be overseas some of which have not been determined by the European Commission to have an adequate level of data protection.
When we do, we use a variety of legal mechanisms to help ensure your rights and protections travel with your data:
- we ensure transfers within and outside of the EU are covered by agreements based on the EU Commission’s standard contractual clauses, which contractually oblige each member to ensure that personal information receives an adequate and consistent level of protection wherever it resides within; or
- where we transfer your personal information outside third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information, for example through the standard contractual clauses, as well as ensuring that we protect the personal data with the appropriate technical and organisational measures, such as encryption, for each step of the processing operations; and
- where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information is disclosed.
Examples of countries we transfer personal information to include, but are not limited to, the United States of America, the United Kingdom, Ireland, Singapore, India, Poland, Mexico, The Netherlands and Switzerland.
If you would like further information about whether your information will be disclosed to overseas recipients, please contact us as noted below. You also have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments, which may be redacted for reasons of commercial confidentiality) to ensure the adequate protection of your personal information when this is transferred as mentioned above.
Do we have security measures in place to protect your information?
The security of your personal information is important to us and we have implemented reasonable physical, technical and administrative security standards to protect personal information from loss, misuse, alteration or destruction. We protect your personal information against unauthorized access, use or disclosure, using security technologies and procedures, such as encryption and limited access. Only authorized individuals access your personal information, and they receive training about the importance of protecting personal information.
Our service providers and agents are contractually bound to maintain the confidentiality of personal information and may not use the information for any unauthorized purpose.
What choices do you have about your personal information?
You can change the privacy settings of your account at any time and thereby determine who will be able to see which personal information. The types of your personal information which may be distinguished are the following: Health Score, Financial Wellbeing Score, workouts, pictures (workout, profile and profile background pictures) and achievements gained.
Sensitive information such as weight or blood pressure, are not accessible to others.
The following types of sharing options are available:
- Friends (option by default): Only your friends on our App/Website will be able to see your personal information.
- None: Only you as the user of your account will be able to see your personal information.
According to our default privacy settings, all your friends on our App/Website be able to see all the above-mentioned personal information. You can change the privacy settings of your account at any time after your registration. Please note that due to the linking option to other social networks, such as Facebook, your personal data may be made available to other persons through your friends.
We take reasonable steps to provide you with choices about your personal information and how we communicate with you.
You can update your contact information of your profile after you log into your account.
If you previously chose to receive push notifications on your mobile device from us but no longer wish to receive them, you can manage your preferences either through your device or the application settings. If you no longer wish to have any information collected by the mobile application, you may uninstall the application by using the uninstall process available on your mobile device.
You can contact us by e-mail. Please include your current contact information, the information you are interested in accessing and your requested changes.
If we do not provide you with access, we will provide you with the reason for refusal and inform you of any exceptions relied upon.
Other rights regarding your data
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information.
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal information requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Right to Access
You have right to access personal information which we hold about you. If you have created a profile, you can access that information by visiting your account.
Right to Rectification
You have a right to request us to correct your personal information where it is inaccurate or out of date.
Right to be Forgotten (Right to Erasure)
You have the right under certain circumstances to have your personal information erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data.
Right to Restrict Processing
You have the right to restrict the processing of your personal information, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
Right to Data Portability
You have the right to data portability, which requires us to provide personal information to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) consent; or (ii) the performance of a contract to which you are a party.
Right to Object to Processing
You have the right to object the processing of your personal information at any time, but only where that processing has our legitimate interests as its legal basis. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
If you have any questions, would like further information about our privacy and information handling practices, would like to discuss opt-outs or withdrawing consent, or would like to make a complaint about a breach of the Act or this Statement, please contact the Privacy Officer: email@example.com
Or direct your query to, Aon Privacy Office – Singapore, 2 Shenton Way, #26-01, SGX Centre 1, Singapore, 068804 or firstname.lastname@example.org.
You have the right to lodge a complaint with your local Data Protection Authority. Find your national Data Protection Authority here: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en
Changes to this Notice
We may update this Notice from time to time. When we do, we will post the current version on this site, and we will revise the version date located at the bottom of this page.
We encourage you to periodically review this Notice so that you will be aware of our privacy practices.
This Notice was last updated February 2022.