Privacy Notice

Wipro Healthplan Services operates MarketLink as a web-broker enrollment platform intended to support Qualified Health Plan (QHP) application and enrollment workflows where approved, configured, and connected with Marketplace services. We align protected health information (PHI) handling to HIPAA privacy and security expectations.

Data Controller Contact: MarketLink Privacy Officer, privacy@marketlink.ai

To provide enrollment services, we collect the following categories of information:

Identity & Contact Information: Full name, date of birth, Social Security Number (encrypted at rest and in transit), address, phone number, email address, immigration status (for eligibility purposes).

Household Information: Names, dates of birth, SSNs, and income information for all household members for whom you are requesting coverage.

Financial Information: Annual household income, sources of income, tax filing status — used to calculate Advanced Premium Tax Credit (APTC) and Cost-Sharing Reduction (CSR) eligibility.

Health & Coverage Information: Current and prior health insurance coverage, employer-sponsored coverage details, Medicaid/CHIP eligibility, Special Enrollment Period qualifying events.

Account & Technical Information: Email address, login credentials (hashed), IP address, browser type, device information, session logs, portal access timestamps — collected for security, fraud prevention, and CMS audit requirements.

Broker Relationship Information: Name of your appointed broker, AOR consent records, enrollment transaction history.

We use your information solely for the following purposes:

• Conducting eligibility determinations for Marketplace coverage, APTCs, and CSRs;
• Facilitating enrollment, re-enrollment, and plan changes in Qualified Health Plans;
• Communicating with you about your coverage, enrollment status, and renewal reminders;
• Complying with applicable Marketplace program requirements and data-sharing requirements;
• Preventing fraud, detecting unauthorized access, and ensuring platform security;
• Fulfilling our legal and regulatory obligations under HIPAA, 45 CFR § 155.260, and applicable state law;
• Maintaining audit logs as required by CMS (10-year retention).

We do not use your information for marketing, advertising, or any purpose unrelated to health insurance enrollment services.

We share your information only as necessary to provide enrollment services and as required by law:

• Centers for Medicare and Medicaid Services (CMS): We transmit enrollment applications and eligibility data to CMS and the Federal Data Services Hub as required for enrollment processing;
• Insurance Carriers: We share enrollment data with the health insurance carrier of the plan you select to initiate and service your coverage;
• Your Licensed Broker: With your documented AOR consent, your broker can view and manage your enrollment information;
• Service Providers (Business Associates): We engage HIPAA-aligned cloud hosting, database, and email service providers under Business Associate Agreements (BAAs). These vendors may process your PHI only as directed by us and are prohibited from using it for any other purpose;
• Legal Requirements: We may disclose information as required by law, court order, or to respond to valid legal process.

We do not sell your personal information. We do not share your information for advertising or cross-context behavioral profiling.

Encryption: All data at rest is encrypted using AES-256. All data in transit uses TLS 1.3. Social Security Numbers and other sensitive identifiers receive additional field-level encryption.

Access Controls: Access to consumer data is restricted to authenticated, MFA-enabled broker accounts with documented AOR consent. All access is logged with user identity, timestamp, and IP address.

Audit Logging: Access to personally identifiable information is designed to be logged and retained under applicable Marketplace record-retention requirements.

Identity Verification: Broker account controls are mapped to federal identity proofing and authentication expectations.

Incident Response: In the event of a data breach, we will notify affected individuals within 72 hours and report to applicable regulators as required by law.

We retain personal information for the following periods:

• Enrollment records and PHI: 10 years from the date of enrollment, where required by applicable Marketplace program requirements;
• Audit logs: 10 years;
• AOR consent records: Duration of the broker relationship plus 10 years;
• Account information: For the life of your account plus 7 years after account closure;
• Session and technical logs: 2 years.

After the applicable retention period, information is securely destroyed using NIST-approved methods.

You have the following rights with respect to your personal information:

• Right to Access: Request a copy of the personal information we hold about you;
• Right to Correct: Request correction of inaccurate information;
• Right to Delete: Request deletion of your information, subject to CMS retention requirements and legal obligations;
• Right to Data Portability: Receive your data in a machine-readable format;
• Right to Opt Out: Opt out of any non-essential communications.

To exercise these rights, submit a request to privacy@marketlink.ai or use the form at Trust Center. We will respond within 45 days. Identity verification is required before fulfilling any request.

Note: Certain CMS-mandated retention requirements may limit our ability to delete enrollment records before the end of the required retention period.

We use strictly necessary cookies for session management and authentication. We do not use third-party advertising cookies, cross-site tracking technologies, or behavioral profiling cookies. We use privacy-preserving analytics to understand aggregate platform usage patterns. You may disable cookies in your browser settings, but doing so may impair portal functionality.

The Platform is not directed to children under 13. We do not knowingly collect personal information from children under 13. We do collect information about dependent children as part of household enrollment applications, as required for eligibility determinations. This information is processed solely for enrollment purposes and subject to the same protections as all other data.

We may update this Privacy Notice to reflect changes in our practices or applicable law. We will post the updated notice on the Platform and update the “Last Updated” date. Material changes will be communicated to active users via email or portal notification.