Effective Date: January 1, 2023
1. Information We Collect
a. HIPAA Privacy Notice
We are required by law to maintain the privacy of your health-related data and we will not disclose your information except in accordance with state and federal law, including HIPAA, Part 2, and the CMIA. This HIPAA Privacy Notice combines our Notice of Privacy Practices under HIPAA and Patient Notice under Part 2, and any other notices that may required by the CMIA.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION, INCLUDING PROTECTED HEALTH INFORMATION (collectively, “PHI”), ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
At Evolve, we understand the importance of privacy and are committed to maintaining the confidentiality of your PHI. We make a record of the services we provide and sometimes we may receive PHI about you from third parties, such as your primary care provider or emergency provider, for permissible uses and disclosures under HIPAA, for purposes of healthcare-related treatment, payment, or operations, or as otherwise permitted by HIPAA to provide quality services to you and to transmit to other providers to assist with continuity of care. These records are also used to obtain payment for services provided to you which enables us to meet our professional and legal obligations to operate our organization. Otherwise, we will not use or disclose your PHI without your prior written authorization for any other permissible purposes under HIPAA outside of healthcare treatment, payment, or operations.
This HIPAA Privacy Notice is to provide you with information concerning our legal duties and privacy practices, including notifying affected individuals following a breach of unsecured PHI.
i. How we may use and disclose your PHI:
- Treatment: We may use or disclose medical information about you to facilitate medical treatment or services by providers. We may disclose medical information about you to health care providers, including doctors, nurses, technicians, medical students, or other hospital personnel who are involved in taking care of you. For example, we might disclose information about you with physicians who are treating you, such as your primary care provider or emergency provider.
- Payment: We may use and disclose medical information about you for healthcare billing, to get payment from health plans or other entities, to determine your eligibility for your health plan benefits, to facilitate payment for treatment and services you receive from us, to determine benefit responsibility and coverage with health plans, or to coordinate your coverage for your care. For example, we may disclose information about your medical history to a physician (including your physician) to determine whether a particular treatment is experimental, investigational, or medically necessary, or to decide if a health plan will cover treatment. Additionally, we may share medical information with another entity to assist with the adjudication or subrogation of health claims.
- Healthcare Operations: We may use and disclose medical information about you for our operations, to run our practice, improve your care, and contact you as needed. For example, we may use medical information in connection with: conducting quality assessments and administration improvements; conducting or arranging for medical review, legal services, audit services, and fraud and abuse detection programs; business planning and development such as cost management; and business management and general administrative activities, such as activities to help us comply with HIPAA requirements, customer service, resolution of internal grievances, and any other activities that are not inconsistent with HIPAA.
We may use and disclose your information to qualified service organizations or business associates who provide services to us for purposes of healthcare-related treatment, payment, or operations. We will always try to ensure that the medical information used or disclosed is limited to a “Designated Record Set” and to the “Minimum Necessary” standard, including a “limited data set,” as defined in HIPAA.
ii. Other Permitted Uses & Disclosures of Your PHI
We are required to disclose your PHI to the U.S. Department of Health and Human Services, Office for Civil Rights, the primary federal agency that enforces HIPAA, to assist OCR with assessing our compliance with HIPAA requirements. Otherwise, we may also use and disclose your PHI for the following purposes:
- In response to law enforcement requests, to assist them with fulfilling health oversight activities, pursuant to legal process or as required by law. For example, we may provide your information to law enforcement to report evidence directly related to criminal conduct that occurred on our premises or against program personnel.
- In response to valid government requests, to assist them with fulfilling health oversight activities. For example, state healthcare agencies with oversight over our organization may request information to carry out their responsibilities.
- To respond to lawsuits, legal action, subpoenas, or other lawful process. For example, we may receive a subpoena arising out of a pending lawsuit requesting information about you. We will request that proper confidentiality agreements are in place prior to sharing such information.
- To complete any required mandated government reporting. For example, our clinicians are mandated reporters of child abuse and may use your PHI to report child abuse to government officials.
- To avert a serious threat to health or safety. For example, health information may be provided in an emergency to paramedics to assure you are treated properly.
- To our business associates to help us administer your care. We enter contracts with these entities to keep your information as we are permitted to do so under HIPAA.
- For public health activities and purposes. For example, we may submit reports to public health authorities to assist with their public health investigations and development of public health interventions.
- To other individuals or entities as mandated by law.
Uses and disclosures other than those described or listed in this notice will be made only with your consent or prior written authorization, as reasonable and appropriate, and in accordance with legal requirements. You may revoke any consent or authorization you provided at any time, subject to certain conditions such as if we have already taken action in reliance on your consent or authorization, and pursuant to then-existing state and federal laws.
iii. Your HIPAA Rights:
Under HIPAA, you have certain rights with respect to your PHI. Subject to certain exceptions, you have the following rights with respect to your PHI.
- Inspect and copy – With some exceptions, you have the right to inspect and obtain a digital or hard copy of your health information maintained in your designated record set. We may charge a fee for the associated cost of labor, mailing, or other supplies. We may deny your request to inspect and copy in certain limited circumstances. If you are denied access, you may request a review of the denial.
- Amend – This means you may request an amendment of health information about you for as long as we maintain this information. In certain cases, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Please contact firstname.lastname@example.org if you have questions about amending your medical record.
- Accounting of Disclosures – You have the right to request an “accounting of disclosures” (that is, a list of certain disclosures we have made of your PHI). Generally, you may receive an accounting of disclosures if the disclosure is required by law, made in connection with public health activities, or in situations similar to those listed above as “Other Permitted Uses and Disclosures”. You do not have a right to an accounting of disclosures where such disclosure was made:
- For treatment, payment, or health care operations.
- To you about your own health information.
- Incidental to other permitted disclosures.
- Where authorization was provided.
- To family or friends involved in your care (where disclosure is permitted without authorization).
- For national security or intelligence purposes or to correctional institutions or law enforcement officials in certain circumstances.
- As part of a limited data set where the information disclosed excludes identifying information.
- Request Restrictions: You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment, or healthcare operations. You also have the right to request a limit on the medical information we disclose about you to someone involved in your care or the payment for your care, such as a family member or friend. For example, you may ask that we not use or disclose information about a procedure or lab test that you had. We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment.
- Request Confidential Communications – You have the right to request to receive communications of health information by alternate means or at alternative locations. For example, you may request to receive confidential communications, including any mail and telephone calls related to the services we are providing you, only in your home location or an alternative location you identify. We will strive to accommodate all reasonable requests.
- Paper copy of this Notice – You may request a paper copy of this Notice at any time, even if you have agreed to receive this HIPAA Privacy Notice electronically.
To make any requests connected with your rights, please email us at email@example.com.
iv. Our Duties.
In the event your information is acquired by an unauthorized party, we will provide notification to you.
Notice will be given without unreasonable delay, and will include a description of the incident, the types of information involved in the incident, steps you should take to protect yourself from harm, and a brief description of what we are doing to investigate the incident. We will also provide you with contact information of who you may contact for more information.
We are required by law to maintain the privacy of PHI, to provide you with this HIPAA Privacy Notice of our legal duties and privacy practices with respect to protected PHI/ePHI, and to notify you if you are affected by a breach of unsecured protected health information. We must follow the duties and privacy practices described in this HIPAA Privacy Notice. We will not use or disclose your PHI other than as described in this HIPAA Privacy Notice unless you inform us in writing otherwise.
v. Changes to this Notice.
We reserve the right to change the terms of our HIPAA Privacy Notice and to make the new HIPAA Privacy Notice provisions effective for all PHI that we maintain. We will send you a copy of the revised notice by email (or, if unavailable, by mail) for existing clients and those who discharged within the past year, and will also post it on our website.
vi. Questions and Complaints.
You may submit your questions or complaints regarding this HIPAA Privacy Notice to us by contacting our Privacy Information Officer at 1-844-384-6773 or by sending an email to firstname.lastname@example.org. You may also submit a complaint the Secretary of the U.S. department of Health and Human Services, Office for Civil Rights if you believe your privacy rights have been violated. Any violation of the legal and regulatory requirements applicable to our status as a Part 2 program is a crime. You may report any suspected violations of Part 2 requirements to the United States Attorney for the judicial district in which the violation occurs by visiting https://www.justice.gov/usao/find-your-united-states-attorney or to the Substance Abuse and Mental Health Services Administration (SAMHSA) office responsible for opioid treatment program oversight by visiting https://www.samhsa.gov/about-us/contact-us.
We will not take retaliatory action against you if you file a complaint about our privacy practices.
Our data practices related to our Website are set forth in this section. If you do not accept these practices, do not visit or otherwise use our Websites.
i. Information About You That You Provide.
In addition to, and separate from, the PHI we may collect in connection with your treatment, Evolve and/or its Service Providers (defined below), may collect certain information from you, your parent(s), guardian(s), or custodian(s) when you use our Website or other Services. We or our Service Providers may collect information that identifies you personally (“Personal Information” or “PI”) directly from you via the Service. For example, Evolve collects information when you contact us via email, phone, or communicate or transact through the Service (for example, by completing the “Contact Us” form on our Website). In some instances, we may need to supplement the information you provided with certain Personal Information about you obtained from third parties to provide services to you. In addition, when you interact with Third-Party Services (defined below), you may be able to provide information to those third parties and those Third Parties, in turn, may provide information to us.
We, our Service Providers and/or Third-Party Services may collect your Personal Information, including:
- Contact Information: Name, addresses, email addresses, telephone number, and IP address.
- Preference Information: Preferences you indicate to us or that we have observed such as your marketing preferences, areas of interest, and subscriptions to Evolve communications.
- Legal Information: Transaction fraud checks or flags, payment card refusals, and information or copies of documents you provide where the law requires you to prove your identity.
- Voluntary Information: Other information you voluntarily give us such as feedback, complaints, and survey responses.
- Observed Information: Information we collect about you while you use our Websites such as the pages, services, or areas of our Websites that you visit, your location, or which link has brought you to our Website.
c. Information Collected Automatically
We, our Service Providers and/or Third-Party Services may also automatically collect certain information about you when you access or use the Services (“Usage Information”). Usage Information may include IP address, device identifier, browser type, operating system, information about your use of the Service, the device you use, the web page you visited before coming to our sites, and identifiers associated with your devices and you (depending on their settings) may also transmit location information to the Service.
The methods that may be used on the Services to collect Usage Information include cookies, web beacons (also known as “tracking pixels”), embedded scripts, location-identifying technologies, device recognition technologies device and activity monitoring and other tracking technologies now and hereafter developed (“Tracking Technologies”) may be used to collect information about interactions with the Website or e-mails, including information about your browsing and purchasing behavior. Such Tracking Technologies may include:
- Cookies: We use “cookies” to store specific information about you. A “cookie” is a small text file that is sent to your browser and stored on your device, such as session ID cookies or tracking cookies. Tracking cookies remain longer and help in understanding how you use the Services and enhance your user experience. Cookies may remain on your hard drive for an extended period of time. If you use your browser’s method of blocking or removing cookies, some but not all types of cookies may be deleted and/or blocked and as a result, some features, and functionalities of the Services may not work.
- Web Beacons (“Tracking Pixels”): Web beacons are small graphic images, also known as “Internet tags” or “clear gifs,” embedded in web pages and e-mail messages. Web beacons may be used, without limitation, to count the number of visitors to the Service, to monitor how users navigate the Service, and to count content views.
- Embedded Scripts: An embedded script is programming code designed to collect information about your interactions with the Service. They are temporarily downloaded onto your computer from Evolve’s web server, or from a third party with which Evolve works and are active only while you are connected to the Service and deleted or deactivated thereafter.
- Device Recognition Technologies: Device Recognition Technologies, including application of statistical probability to data sets, as well as linking a common unique identifier to different device use (e.g., Facebook ID), attempt to recognize or make assumptions about users and devices to identify a user across devices (e.g., that a user of multiple devices is the same user or household) (“Cross-device Data”).
- Device and Activity Monitoring: Such technologies may monitor, and may record, certain interactions with the Service, including without limitation, keystrokes, and/or collect and analyze information from your device, such as, without limitation, your operating system, plug-ins, system fonts, and other data, for purposes such as identification, security, fraud prevention, troubleshooting, tracking and/or improving the Services and customizing or optimizing your experience on the Services.
Some information about your use of the Service and certain other online websites may be collected using Tracking Technologies across time and Services and used by us and third parties for purposes such as to associate different devices you use and deliver relevant ads and/or other content to you on the Website and certain other online websites, in accordance with applicable data protection laws. See the Choices: Tracking and Communications Options section.
d. Information We Collect from Other Sources
We may also obtain information about you from other sources, including Service Providers and Third-Party Services. We are not responsible or liable for the accuracy of the information provided by third parties or for third party policies and practices.
2. Why We Collect Information
- To Deliver Our Services:
- To deliver the Products or Services you have requested.
- To process your payment authorization, and collection of sums owed for treatment received.
- To give you Service notices and deal with any customer care issues you may have.
- To manage registered accounts you have with us.
- To create and secure an on-line account, if you choose to establish one.
- To notify you of any changes to our Services.
- To provide services and fulfill your orders.
- To advertise our services to you if they are relevant and appropriate to you.
- To maintain a profile of our ongoing relationship that allows us to better serve you and tailor our offers so that they are more likely to be of interest to you.
- To share with other companies within the Evolve brand affiliates as needed for reasonable management, analysis, planning, and decision making, including in relation to making decisions regarding expansion and promotion of our Websites and Services and for use by those companies for the other purposes described in this policy.
- Research and Development:
- To obtain your feedback, provide customer service, and track our performance.
- To ensure that our online content that you access (whether as part of a Service or not) is presented in the most effective manner for you.
- To operate our websites more effectively and to promote our Services on our Website.
- To manage, conduct research, and improve how we operate and promote our Services including, without limitation, using non-personal anonymous, aggregate, and statistical information.
- Analysis and Profiling:
- To analyze your responses to our marketing communications (e.g., whether you open communications and/or how you interact).
- To analyze your browsing and purchasing activity.
- To use the analyses mentioned above, together with other demographic data, to contact you with information on offers relevant to you.
- To analyze customer choices in respect of our services to understand our target audience for the purposes of selecting similar customers for advertising purposes.
- Legal Requirements:
- To pursue legal claims, prevent crime, and detect and prevent fraud and related matters.
- To verify your identity when necessary and/or appropriate.
- To address issues relating to your personal safety and the safety of others.
- To comply with applicable law, to respond to requests from government authorities, enforce our rights and protect property, and to satisfy our record keeping, regulatory, and legal obligations.
3. Disclosing Your Information
- With our agents, vendors, consultants, and other service providers (collectively “Service Providers”) in connection with their work on our behalf, including assisting in the provision of the Service. These parties may provide services including authentication, billing and collections, payment processing, customer support, or data storage.
- With other third parties to meet legal, regulatory, insurance, audit, and other similar administrative needs.
- Within our affiliated companies, we occasionally share your information as needed for purposes set forth in the Why We Collect Information section.
In addition, we may disclose information about you as follows:
- Marketing: Subject to your communications choices in the Communications subsection of the Choices: Tracking and Communications Options, Communications section, and the rights of data subjects or consumers in certain jurisdictions explained in the State Privacy Notice section and in accordance with applicable law.
- With Your Disclosure or Consent: As more fully described in the Third-Party Consent, Third-Party Services, Advertising and Analytics section, your activities on the Service may, by their nature, result in the sharing of your information with third parties to the extent permissible under applicable law. Such third-party data receipt and collection is subject to the privacy and business practices of that third party, not us.
- Corporate Transactions: Finally, in the event we go through a merger, sale, bankruptcy, or other business transaction, we reserve the right to transfer or assign your information that we have collected as part of any business transaction in accordance with applicable law. In some cases, such as bankruptcy, we may not be able to control how your Personal Information is used.
4. Third-Party Content, Third-Party Services, Advertising and Analytics
The Service may include or link to Third-Party Services, apps, locations, platforms, code (e.g., plug-ins, application programming interfaces or other websites (collectively, “Third-Party Service(s)”). These Third-Party Services may use their own cookies, web beacons, and other Tracking Technologies to independently collect information about you and may solicit Personal information from you.
Certain functionalities on the Service permit interactions that you initiate between the Service and Third-Party Services. Examples of such interactions include connecting the Service to a Third-Party Service (e.g., to pull or push information to or from the Service). If you enable such interactions, both we and the third party may have access to certain information about you and your use of the Service and any Third-Party Service.
We may engage and work with Service Providers, Third-Party Services, and other third parties to serve advertisements on the Website and/or on other online websites. Some of these ads may be tailored to your interests based on your browsing of the Website and elsewhere on the Internet, which may include use of precise location and/or cross-device data, sometimes referred to as “interest-based advertising” and “online behavioral advertising” (“Interest-based Advertising”) (where permitted under applicable law), which may include sending you an ad on another online website after you have left the Website (i.e., “retargeting”).
5. International Transfers
We are based in the U.S. and the information we and our Services collect is governed primarily by U.S. law. If you are accessing the Service from outside of the U.S., please be aware the information collected through the Service may be transferred to, processed, stored, or used in the U.S. Data protection laws in the U.S. may be different from those of your country of residence.
6. Children’s Privacy
Our Website is intended for a general audience. Evolve does not intend to collect personal information as defined by the U.S. Children’s Online Privacy Protection Act (“COPPA”) (“Children’s Personal Information”) in a manner that is not permitted by COPPA. If we obtain knowledge that we have collected Children’s Personal Information in a manner not permitted by COPPA, we will remove such data to the extent required by COPPA.
7. Accessing and Changing Information
To the extent required by applicable law, we may provide web pages or other mechanisms allowing you to delete, correct, or update some of your information that we have collected and retained, and potentially certain other information about you (e.g., profile and account information). Further, except to the extent prohibited by applicable law, we reserve the right to retain data: (a) as required by applicable law; and (b) for so long as reasonably necessary to fulfill the purposes for which the data was collected.
8. How We Safeguard Your Information
The security of your Personal information is important to us. We employ reasonable technical and organizational measures to protect against the loss of, or unauthorized access to, the information under our control. Although we take reasonable and appropriate measures to protect your information, we cannot guarantee that your information will always remain secure.
9. Choices: Tracking and Communications Options
a. Tracking Technologies Generally
Regular cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings. Browsers offer different functionalities and options, so you may need to set them separately. Also, tools from browsers may not be effective with regard to certain Tracking Technologies. Please be aware that if you disable or remove these technologies, some parts of the Services may not work, and when you revisit the Services, your ability to limit browser-based Tracking Technologies is subject to your browser settings and limitations.
Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online websites you visit. Like many online websites, we currently do not alter our practices when we receive a “Do Not Track” signal from a visitor’s browser.
b. Analytics and Advertising Tracking Technologies
You may choose whether to receive some Interest-based Advertising by submitting opt-outs. Some of the advertisers and Service Providers that perform advertising-related services for us and third parties may participate in the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Program for Online Behavioral Advertising. To learn more about how you can exercise certain choices regarding Interest-based Advertising, including use of Cross-device Data for serving ads, visit http://www.aboutads.info/choices/, and http://www.aboutads.info/appchoices for information on the DAA’s opt-out program specifically for mobile apps (including use of precise location for third party ads). Some of these companies may also be members of the Network Advertising Initiative (“NAI”). To learn more about the NAI and your opt-out options for their members, see http://www.networkadvertising.org/choices/. Please be aware that, even if you are able to opt out of certain kinds of Interest-based Advertising, you may continue to receive other types of ads. Opting out only means that those selected members should no longer deliver certain Interest-based Advertising to you but does not mean you will no longer receive any targeted content and/or ads (e.g., from other ad networks). Also, if your browsers are configured to reject cookies when you visit these opt-out webpages, or you subsequently erase your cookies, use a different device or web browser, or use a non-browser-based method of access (e.g., mobile app), your NAI / DAA browser-based opt-out may not, or may no longer, be effective. We support the ad industry’s Self-regulatory Principles for Online Behavioral Advertising and expect that ad networks we directly engage to serve you Interest-based Advertising will do so as well, though we cannot guarantee their compliance.
We are not responsible for effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs.
You can opt out of receiving certain promotional communications from us at any time by: (i) for promotional e-mails, following the instructions provided in emails to click on the unsubscribe link, or if available by changing your communication preferences by logging onto your account; and (ii) for text messages, following the instructions provided in text messages from us to text the word, “STOP”. Please note that your opt-out is limited to the e-mail address or phone number used and will not affect subsequent subscriptions. If you opt-out of only certain communications, other subscription communications may continue. Even if you opt out of receiving promotional communications, we may, subject to applicable law, continue to send you non-promotional communications, such as those about your account, transactions, servicing, or our ongoing business relations.
10. U.S. State Privacy Notice
This U.S. State Privacy Notice (“Notice”) applies to “Consumers” as defined under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (together, the “CCPA”), Chapter 603A of the Nevada Revised Statutes, and all laws implementing, supplementing, or amending the foregoing, including regulations promulgated thereunder (collectively, “U.S. Privacy Laws”).
- Sections 10(a) and (b) of this Notice provide notice of our data practices, including our collection, use, disclosure, and sale of Consumers’ Personal Information or Personal information (collectively, “PI”).
- Section 10(c) of this Notice provides information regarding Consumer rights and how you may exercise them.
- Section 10(d) of this Notice provides additional information for California residents.
For California residents the term “Consumer” is not limited to data subjects acting as individuals regarding household goods and services and includes data subjects in a business-to-business context.
a. Notice of Data Practices
The description of our data practices in this Notice covers the twelve (12) months prior to the Effective Date and will be updated at least annually. Our data practices may differ between updates, however, if materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements. Otherwise, this Notice serves as our notice at collection.
We may Collect your PI directly from you (e.g., when you request information regarding our services); your devices; our affiliates; service providers; public sources of data; or other businesses or individuals.
We may also use and disclose your PI under this Notice for Commercial Purposes, which may be considered a “Sale” or “Share” under applicable U.S. Privacy Laws, such as when Third-Party Digital Businesses (defined below) Collect your PI via third-party cookies, and when we Process PI for certain advertising purposes. In addition, we may make your PI available to Third-Parties for their own use.
We provide more detail on our data practices in the chart that follows.
b. PI Collection, Disclosure, and Retention – By Category of PI
We collect, disclose, and retain PI (excluding PHI, which is addressed in our HIPAA Privacy Notice at Section1(a)) as follows:
|Category of PI||Examples of PI Collected and Retained||Categories of Recipients|
|1. Identifiers||Real name, alias, postal address, unique personal identifiers, online identifiers, Internet Protocol address, e-mail address, and account name.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, payment processors, marketing services providers, and medical providers, diagnostic or laboratory companies;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: Third-Party Digital Businesses|
|2. Personal Records||Name, signature, description, address, telephone number, and financial information (e.g., payment card or financial account information). Some PI included in this category may overlap with other categories.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, payment processors, marketing services providers, and medical providers, diagnostic or laboratory companies;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: Third-Party Digital Businesses|
|3. Personal Characteristics or Traits||In some circumstances, we may Collect PI that is considered protected under U.S. law, such as age, gender, nationality, race, or information related to medical conditions, but only when that information is relevant for our Business Purposes. We abide by the legal requirements imposed under applicable law in regard to such information.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data processors, and medical providers, diagnostic or laboratory companies;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|4. Customer Account Details/Commercial Information||Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, payment processors, and marketing services providers;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: Third-Party Digital Businesses|
|5. Internet Usage Information||When you browse our sites or otherwise interact with us online, we may Collect browsing history, search history, and other information regarding your interaction with our sites, applications, or advertisements.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, payment processors, and marketing services providers;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: Third-Party Digital Businesses|
|6. Geolocation Data||If you interact with us online we may gain access to the approximate, and sometimes precise, location of the device or equipment you are using.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, payment processors, and marketing services providers;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: Third-Party Digital Businesses|
|7. Sensory Data||We may Collect audio, electronic, or similar information when you contact us through our customer service line or via CCTV cameras in common areas at our facilities.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, other business vendors, and data processors;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|8. Professional or Employment Information||Professional, educational, or employment-related information.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|9. Non-public Education Records||Education records directly maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, schedules, identification codes, financial information, or disciplinary records.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors;· Educational consultants;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|10. Inferences from PI Collected||Inferences drawn from PI to create a profile about a Consumer reflecting preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, marketing services providers, and medical providers, diagnostic or laboratory companies;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: Third-Party Digital Businesses|
|11. Sensitive PI||Government Issued Identification Numbers (e.g., social security, driver’s license, state identification card, or passport number)||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, and payment processors;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|Account Log-In (e.g., username and password to online account with Company)||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, and marketing services providers;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|Precise Geolocation (any data that is derived from a device and that is used or intended to be used to locate a consumer w/in a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet)|
|Sensitive Personal Characteristics (e.g., racial or ethnic origin, religious or philosophical beliefs, citizenship or immigration status, or union membership)||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, and data processors;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|Communication Content (e.g., the contents of a consumer’s mail, email, and text messages, other than where Business is the intended recipient of the communication)||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data analytics providers, data processors, payment processors, and marketing services providers;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|Health Information (PI collected and analyzed concerning a consumer’s health, medical history, mental or physical health, diagnosis/condition, and medical treatment)||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data processors, and medical providers, diagnostic or laboratory companies;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|Sex Life / Sexual Orientation (PI collected and analyzed concerning a consumer’s sex life or sexual orientation)||Disclosures for Business Purposes:· Vendors, such as general IT, cloud computing, software, and other business vendors, data processors, and medical providers, diagnostic or laboratory companies;· Other members of our corporate group; and/or· Other parties (e.g., litigants and government entities) within the limits of Additional Business Purposes.Sale/Share: None|
|Children’s Data (PI collected from a known child)|
There may be additional information we Collect that meets the definition of PI under applicable U.S. Privacy Laws but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by PI category. Because there are numerous types of PI in each category, and various uses for each PI type, actual retention periods vary. We retain specific PI pieces based on how long we have a legitimate purpose for the retention.
c. Your State Privacy Rights
As described more below, subject to meeting the requirements for a Verifiable Consumer Request (defined below), Company provides Consumers the privacy rights described in this section. For residents of states without Consumer privacy rights, we will consider requests but will apply our discretion with respect to and if and how we process such requests. We will also consider applying state law rights prior to the effective date of such laws, but will do so in our discretion.
To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, complete our Consumer Rights Request Form and submit via email to email@example.com, or call us at 1-844-384-6773, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.). More details on the request and verification process is in Section viii(A) below. The Consumer rights we accommodate are as follows:
i. Right to Limit Sensitive PI Processing
With regard to PI that qualifies as Sensitive PI under U.S. Privacy Laws, as of January 1, 2023, if you elect to provide us with that Sensitive PI you will have consented to such Processing. However, you can limit certain Sensitive PI Processing and if you do so we will explain in a response what Processing purposes U.S. Privacy Laws do not allow you to limit.
ii. Right to Know (Categories) (available for California Residents Only)
California residents have a right to submit a request for any of the following for the period that is 12-months prior to the request date:
- The categories of PI we have Collected about you.
- The categories of sources from which we Collected your PI.
- The Business Purposes or Commercial Purposes for our Collecting, Selling, or Sharing your PI.
- The categories of Third Parties to whom we have disclosed your PI.
- A list of the categories of PI disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.
- A list of the categories of PI Sold or Share about you and, for each, the categories of recipients, or that no Sale or Share occurred.
iii. Right to Know (Specific Pieces) (California)
Residents of California are entitled to access PI up to twice in a 12-month period. You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have collected and are maintaining. For your specific pieces of PI, as required by applicable U.S. Privacy Laws, we will apply the heightened verification standards as described below. We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests.
iv. Do Not Sell / Share (California and Nevada)
California has an opt-out from “Selling” PI or “Sharing” its for Cross-Context Behavioral Advertising (use of PI from different businesses or services to target advertisements). We may Sell or Share your PI and/or use your PI for targeted advertising. Nevada residents have a narrower right to opt-out of certain PI collected via an online service. We provide California and Nevada residents an opt out of Sale/Sharing. Due to technical limitations and the different nature of the data and data processing you will have to opt-out separately with respect to non-cookie PI and cookie PI as explained below.
Third-Party digital businesses (“Third-Party Digital Businesses”) may associate cookies and other tracking technologies that Collect PI about you on our services, or otherwise Collect and Process PI that we make available about you, including digital activity information. We understand that giving access to PI on our services, or otherwise, to Third-Party Digital Businesses could be deemed a Sale and/or Share under some state laws and thus we will treat such PI (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Third-Party Digital Businesses, where not limited to acting as our Service Provider (or Contractor or Processor), as a Sale and/or Share and subject to a Do Not Sell/Share opt-out request.
Opt-out for non-cookie PI: If you want to limit our Processing of your non-cookie PI (e.g., your email address) for targeted advertising, or opt-out of the Sale/Sharing of such data, make an opt-out request by clicking this button: Cookies Settings.
Opt-out for cookie PI: If you want to limit our Processing of your cookie-related PI for targeted advertising, or opt-out of the Sale/Sharing of such PI, you need to exercise a separate opt-out request on our cookie management tool here: Cookies Settings. This is because we have to use different technologies to apply your opt-out of cookie PI and to non-cookie PI. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective, and you will need to enable them again via our cookie management tool. Note that if you use ad blocking software, our cookie banner may not appear when you visit our Services, and you may have to use the link above to access the tool.
Opt-out preference signals (also known as global privacy control or GPC): California requires businesses to process GPC signals, also know as opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the Sale or Sharing of personal information. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. We have configured the settings of our consent management platform to receive and process GPC signals on our website. We process OOPS/GPC with respect to Sales and Sharing that may occur in the context of Collection of cookie PI by tracking technologies online by Third-Party Digital Businesses, discussed above, and apply it to the specific browser on which you enable OOPS/GPC. We currently do not, due to technical limitations, process OOPS/GPC for opt-outs of Sales and Sharing in other contexts (e.g., non-cookie PI). We do not: (1) charge a fee for use of our service whether or not you have enabled OOPS/GPC; (2) change your experience with any product or service if you use OOPS/GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC.
We do not knowingly Sell or Share the PI of Consumers under 16, unless we receive affirmative authorization (“opt-in”) from either the Consumer who is between 13 and 16 years old, or the parent or guardian of a Consumer who is less than 13 years old. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please Contact Us.
We may disclose your PI for the following purposes, which are not a Sale or Share: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.
v. Right to Delete
Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI.
Please also be aware that making a deletion request does not ensure complete or comprehensive removal or deletion of PI or content you may have posted.
Note also that, depending on where you reside (e.g., California), we may not be required to delete your PI that we did not Collect directly from you.
Consumers may bring inaccuracies they find in their PI that we maintain to our attention, and we will act upon such a complaint as required by applicable law. You can also make changes to your online account in the account settings section of the account. That will not, however, change your information that exists in other places.
vii. Automated Decision Making/Profiling
We do not engage in Automated Decision Making or Profiling.
viii. How to Exercise Your Consumer Privacy Rights
To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, complete our Consumer Rights Request Form and submit via email to firstname.lastname@example.org, or call us at 1-844-384-6773, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.).
As permitted or required by applicable U.S. Privacy Laws, any request you submit to us must be a Verifiable Consumer Request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, phone number and/or account information. We will review the information provided and may request additional information (e.g., transaction history) via e-mail or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. We do not verify opt-outs of Sale/Share/Target or Limitation of Sensitive PI requests unless we suspect fraud.
You are not required to create a password-protected account with us to make a Verifiable Consumer Request, but you may use your password-protected account to do so. If we suspect fraudulent or malicious activity on or from the password-protected account, we may decline a request or request that you provide further verifying information.
We verify each request as follows:
- Right to Know (Categories) (available for California residents only): If you do not have a password-protected account, we verify your Request to Know Categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. If we cannot do so, we will refer you to this Notice for a general description of our data practices.
- Right to Know (Specific Pieces): If you do not have a password-protected account, we verify your Request to Know Specific Pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request if you are a California resident.
- Do Not Sell/Share/Target & Limit SPI: No specific verification required unless we suspect fraud.
- Right to Delete: If you do not have a password-protected account, we verify your Request to Delete to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized deletion. If we cannot verify you sufficiently to honor a deletion request, you can still make a Do Not Sell/Share/Target and/or Limit SPI request.
- Correction: If you do not have a password-protected account, we verify your Request to Correct PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized correction.
To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honor your request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.
You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you. Authorized agents may submit a request to exercise privacy rights on behalf of a Consumer by completing our Consumer Rights Request Form and submitting it via email to email@example.com, or calling us at 1-844-384-6773, and responding to any follow-up inquiries we make. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable U.S. Privacy Laws.
Some PI that we maintain is insufficiently specific for us to be able to associate it with a verified Consumer (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests. If we deny a request, in whole or in part, we will explain the reasons in our response.
We will make commercially reasonable efforts to identify Consumer PI that we Process to respond to your Consumer request(s). In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.
Consistent with applicable U.S. Privacy Laws and our interest in the security of your PI, we will not deliver to you your Social Security number, driver’s license number, or other government-issued ID number, financial account number, any health or medical identification number, an account password, or security questions or answers in response to a Consumer privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.
We will not discriminate or retaliate against you in a manner prohibited by applicable U.S. Privacy Laws for your exercise of your Consumer privacy rights. We may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable PI.
We may offer discounts or other rewards (“Incentives”) from time-to-time to Consumers that provide us with PI. For example, we may provide you with a gift card in exchange for your responses to a survey. You may opt-in to Incentives by completing the survey or other loyalty and Incentive programs we may offer from time-to-time (“Program(s)”). Each Program may have additional terms, available on the Program page or at Program sign-up. The Incentives will be described in the Program page, or at Program sign-up. If you subsequently wish to withdraw from the Programs, the method for doing so will be explained in the Program terms. We do not limit Program participation to consumers that do not exercise their CCPA rights. However, a deletion request may not delete Program PI because it is necessary to maintain your participation in the Program. If you desire to delete Program PI, terminate your participation in the Program before making a CCPA deletion request.
Notwithstanding anything to the contrary, we may collect, use, and disclose your PI as required or permitted by applicable law and this may override your rights under U.S. Privacy Laws. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.
d. Additional Notices for California Residents
In addition to the CCPA, certain Californians are entitled to certain other notices, as follows:
This Notice provides information on our online practices and your California rights specific to our online Services. Without limitation, Californians that visit our online Services and seek to acquire goods, services, money, or credit for personal, family or household purposes are entitled to the following notices of their rights:
i. California Minors
Although our services are intended for an audience over the age of majority, any California residents under the age of eighteen (18) who have registered to use our Services, and posted content on the Service, can request removal by contacting us, detailing where the content is posted and attesting you posted it. We will then make reasonable, good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines we do not control.
ii. Shine the Light
We may share “personal information,” as defined by California’s “Shine the Light” law, with third parties for such third parties own direct marketing purposes. California residents may opt-out of this sharing by contacting us at firstname.lastname@example.org or 300 N. Pacific Coast Hwy, Suite 2060, El Segundo, CA 90245 (Attn: Privacy). You must put the statement “Shine the Light Request” in the body of your correspondence. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. This right is different than, and in addition to, CCPA rights, and must be requested separately. However, a Do Not Sell/Share/Target opt-out is broader and will limit our sharing with third parties for their own direct marketing purposes without the need for making a separate Shine the Light request. We will not accept Shine the Light requests by telephone or by fax, and are not responsible for requests not labeled or sent properly, or that are incomplete.
11. Contact Us
If you have any questions, comments, or concerns about our privacy practices, please contact us by e-mail at email@example.com, or call us at 1-844-384-6773. Please note that e-mail communications will not necessarily be secure; accordingly, you should not include sensitive information in your e-mail correspondence with us.