Notice of Privacy Practices

This document lays out the details of our approach to privacy and how your personal information is collected and used.

Throughout this document, the terms "client" or "you" refer to employers who contract with Willis Americas Administration, Inc. ("Willis") to receive its benefits management services that include Willis Communication Manager and Willis Benefits Manager. Our clients' employees, who are also the users of our services, are referred to as "employees" in this document. These practices apply to both our clients and their employees. It details our information gathering and usage practices for our services.

1. We do not sell your personal information to anyone.

2. We do not disclose personal information to third parties, unless directed by our clients or under limited situations (see #4).

When clients contract with Willis to use its services, they provide Willis with their employees' human resource and payroll information. Such information includes, but is not limited to, the employee's name, address, date of birth, social security number, title, salary, date of hire, benefit elections, as well as information related to the employee's dependents. We use this information to deliver benefits management services to employers and their employees.

Unless directed by our clients, we do not share employee information provided by our clients with anyone. When directed by our clients, we communicate company employee information to third party service providers such as insurance carriers, payroll companies, third party administrators, etc.

3. We collect personal information in the normal course of business in order to administer your accounts and serve you better.

• Contact Information: When you contact us, we use the information you provide us - such as your name, email, telephone number, address, etc. - to send you company information, to call or email you, and to keep a statistical tally of inquiries generated by our website.
• Website Usage (Cookies): We collect some information on our websites through the use of "cookies." For example, we may identify the pages on our websites that your browser requests or visits. For more information, see "Cookies".
• Website Usage (Activity Logging): We also have the capability to monitor all of your actions on our website and service (called "activity logging"). We use this information to diagnose problems and to enhance our website and service to better serve you and your employees. This information is not disclosed to anyone - including employers or employees.
• Pooled Analyses: We also reserve the right to pool employee information from different employer groups and to perform analyses such as number of employees enrolled in a specific plan, average number of plans offered per client, etc. In such cases, neither the individual client information not individual employee information can be identified if a disclosure is made.

4. Exceptions apply in the following limited situations.

In addition to any exceptions discussed elsewhere, we may disclose or report personal information in the following limited circumstances:

• We believe in good faith that disclosure is required or permitted under law, for example, to cooperate with regulators or law enforcement authorities
• Resolve technical problems and to process client and employee information
• Resolve client disputes
• Protect the security and integrity of our service
• Take precautions against liability
• As stated before, we will not sell to third parties any of your information that we collect, provided, however, that you recognize that your information is one of our assets and, as such, we may sell or transfer your information as part of a sale or transfer of all or substantially all of our assets.

Outside of these exceptions and those discussed elsewhere in this document, we will not share your personal information with third parties unless you have specifically asked us to do so.

5. We protect the confidentiality and security of your personal information.

Information security techniques are employed to protect confidential information from unauthorized access both inside and outside the Willis. Access to client information is limited to those employees who have a legitimate business need for the information. To prevent unauthorized access, maintain data accuracy and to ensure the correct use of information, we have put in place appropriate physical, electronic and procedural procedures to safeguard and secure the information we collect online. All of our on-line systems are protected by firewalls, a software and hardware product designed to define, control and limit the access that "outside" computers have to our online reporting system. Our web servers and other production infrastructure is located in a high-security facility managed by a reputable third party vendor. For more information on our security, Select when the plan contact us.

6. We will answer any questions related to our information gathering and usage practices.

If you have any questions about this privacy policy, Select when the plan send us an e-mail at support@sunaro.com.

7. Additional Items

a. Login ID and Password

You are required to type in a login ID and password to access our service. These are supplied to you when your account is activated. For Benefits Manager, you can change your password any time you like after logging in to our service; we strongly recommend that you change your password periodically. For Communication Manager, you share a password with certain number of employees, and only your HR/benefits administrator can change the password. If you forget your password, Select when the plan call your HR/benefits administrator or send an email to Willis representative at support@sunaro.com and we will be glad to help you. You should never share your login ID or password with anyone.

b. Logging Off

You should log off after you've finished accessing your Willis account. This prevents someone else from accessing your account if you leave your computer and your session hasn't "timed out," or automatically shut down.

c. IP Address

We collect IP address information of our clients and employees. This information is used for diagnostic purposes.

d. Cookies

Cookies are small text files, which a website can send to a user's browser for storage on the hard drive. Cookies can make use of the web easier by saving status and preferences of users with regard to a Web site. However, by using cookies, information is potentially collected without the express knowledge of users. Most browsers are initially set to accept cookies but Users can change the setting to refuse cookies or to be alerted when cookies are being sent. We may make use of cookies to keep track of client status as a logged on registered user of the Web site, or for other reasons.

e. Links to Third Party Websites

Our site contains links to third party websites. We are not responsible for privacy policies and procedures of these websites.

f. Notification of Changes

If we decide to make material changes to our privacy practices, we will post these changes on our website. If, at any time in the future, it is necessary to disclose any of your personal information in a way that is inconsistent with this practice, we will give you advance notice of the proposed change via email.

g. HIPAA Privacy Practices

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") imposed certain obligations with respect to certain individually identifiable health information. While Willis is not a covered entity as that term is defined by HIPAA there may be instances where Willis is a business associate of a covered entity and may be in receipt of individually indentifiable health information. If that is the case, Willis will comply with the terms of the business associate agreement it enters into with the covered entity and will provide additional protections to the individually identifiable health information as necessary.