This document was last updated March 23, 2021.
- California Privacy Rights. The California Consumer Privacy Act (“CCPA”) of 2018 enhances privacy rights and consumer protection for residents of California. Under the CCPA, California residents have the rights to: 1) know what Personal Data are being collected about them; 2) know whether their Personal Data are sold or disclosed, and to whom; 3) say ‘no’ to the sale of their Personal Data; 4) access their Personal Data; and 5) not be discriminated against for exercising their privacy rights under the CCPA. California law allows California residents to request information regarding our disclosures in the prior calendar year, if any, of their PII to third parties. To make such a request, please contact us at firstname.lastname@example.org. Please include enough detail for us to locate your file; at a minimum, your name, email and username, if any. We will attempt to provide you with the requested information within thirty (30) days of receipt. We reserve our right not to respond to requests sent more than once in a calendar year, or requests submitted to an address other than the one posted in this notice. Please note that this law does not cover all information sharing. Our disclosure only includes information covered by the law.
- Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rights. HIPAA (as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 and the HIPAA Omnibus Final Rule) protects your rights to privacy with respect to your healthcare-related Personal Data. We have the duty and responsibility to protect the privacy and security of your Protected Health Information (“PHI”) and Electronic Health Records (“EHR”) (as defined in the HIPAA Regulations) that we access or that come into our possession. We will take commercially reasonable steps to maintain compliance with HIPAA requirements. We support and facilitate the timely and unimpeded flow of health information for lawful and appropriate purposes.
Use of Services
Your access to and use of our Services are subject to certain terms and conditions, which are set forth in our Terms of Service.
Collection of Information
Information You Provide
We collect information you provide, such as when you email us, sign up for the Services, or submit information through the Services. We may collect, but are not limited to collecting:
- Personally Identifiable information (“PII”), such as your name, email address, residence and mailing address, phone number, sex, date of birth, other demographic information and sensitive PII, such as race, and ethnicity;
- Protected Health Information (“PHI”), such as your symptoms and exposure to COVID-19, COVID-19 test results and related information, your medical history, and elevated temperature readings, and your questions regarding COVID-19 issues.
Information We Collect from Your Use of the Services
We collect information about you when you use our Services, including, but not limited to the following:
- Device Information. We may automatically collect certain information about the computer or devices (including mobile devices) you use to access the Services. For example, we may collect and analyze information such as (a) IP addresses, geolocation information (as described in the next section below), unique device identifiers and other information about your mobile phone or other mobile device(s), browser types, browser language, operating system, the state or country from which you accessed the Services; and (b) information related to the ways in which you interact with the Services, such as: referring and exit pages and URLs, platform type, the number of clicks, domain names, landing pages, pages and content viewed and the order of those pages, the amount of time spent on particular pages, the date and time you used the Services, the frequency of your use of the Services, error logs, and other similar information. As described further below, we may use third-party analytics providers and technologies, including cookies and similar tools, to assist in collecting this information.
- Location Information. We may collect information about your location, including general information (e.g., IP address, zip code) and more specific information (e.g., GPS-based functionality on mobile devices used to access the Services), and may use that information to customize the Services with location-based information, advertising, and features. For example, if your IP address indicates an origin in Los Angeles, California, the Services may be customized with Los Angeles-specific information. In order to do this, your location information may be shared with our agents or vendors. If you access the Services through a mobile device and you do not want your device to provide us with location-tracking information, you can disable the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer’s instructions for further details.
- Cookies and Other Electronic Technologies. We may use the tools outlined below in order to better understand users. As we adopt additional technologies, we may also gather additional information through other methods.
- Web Beacons: “Web Beacons” (a.k.a. clear GIFs or pixel tags) are tiny graphic image files embedded in a web page or email that may be used to collect anonymous information about your use of our Services, the websites of selected partners, and the emails, special promotions or newsletters that we send you. The information collected by Web Beacons allows us to analyze how many people are using the Services, using the selected partners’ websites or opening our emails, and for what purpose.
- Website Analytics: We may use third-party website analytics services in connection with the website, including, for example, to register mouse clicks, mouse movements, scrolling activity and text that you type into the website or mobile application. These website analytics services generally do not collect personal information unless you voluntarily provide it and generally do not track your browsing habits across websites which do not use their services. We use the information collected from these services to help make the website easier to use.
- Mobile Device Identifiers: Mobile device identifiers are data stored on your mobile device that may track the mobile device, and the data and activities occurring on and through it, as well as the applications installed on it. Mobile device identifiers enable collection of personal information (such as media access control, address and location) and traffic data. Mobile device identifiers help us learn more about our users’ demographics and internet behaviors.
Information from Third Parties
We may obtain additional information about you from third parties, such as health care entities or laboratory providers of testing and analytics services, researchers, and others. We may combine information that we collect from you with information about you that we obtain from such third parties and information derived from any other service we provide.
Aggregate or De-identified Data
Use of Information
We use the information that we collect for the following purposes:
- To personalize your experience with the Services by informing you of products, programs, events, services, and promotions of ours, our partners and/or third parties that we believe may be of interest to you (see the “Opt-In Policy” below);
- To provide, maintain, administer, improve, or expand the Services, perform business analysis, or for other internal purposes to support, improve or enhance our business, the Services, and other products and services we offer;
- To contact you when necessary or requested;
- To customize and tailor your experience of the Services;
- To send mobile notifications (you may opt-out of this service);
- To send emails and other communications that display content that we think will interest you and according to your preferences;
- To send you news and information about our Services;
- To track and analyze trends and usage in connection with our Services;
- To better understand who uses the Services and how we can deliver a better user experience;
- To use statistical information that we collect in any way permitted by law, including from third parties in connection with their commercial and marketing efforts;
- To prevent, detect, and investigate security breaches, fraud, and other potentially illegal or prohibited activities;
- To enforce the legal terms that govern your use of the Services;
- To protect our rights or property;
- To administer and troubleshoot the Services; and
- For any other purpose disclosed to you in connection with our Services.
We may use third-party service providers to process and store personal information in the United States and other countries.
Sharing of Information
We may share personal information about you as follows:
- With third parties to provide, maintain, and improve our Services, including service providers who access information about you to perform services on our behalf;
- If we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request; to enforce applicable user agreements or policies; to protect the security or integrity of our Services; and to protect us, our users or the public from harm or illegal activities; and
- We may share information about your COVID-19 symptom check responses and results, your COVID-19 testing status and results, elevated temperature readings, and related information with your employer in order to support you and your employer’s decision-making regarding workplace health and risk assessment, re-testing strategy and planning, risk rating population studies, related analytics and reporting, and pay protection/return to work planning in connection with symptoms and diagnoses for infectious diseases, such as COVID-19.
- With your consent, we may also share aggregated, non-personally identifiable information with third parties.
- We take reasonable measures, including administrative, technical, and physical safeguards, to help protect personal information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure. As a result, although we take industry-standard steps to protect your information (e.g., strong encryption), we cannot ensure or warrant the security of any information you transmit to us or from our online products or services, and you do so at your own risk.
- For PHI and EHR data subject to HIPAA, we securely store and maintain such data and records in compliance with the HIPAA Privacy and Security Rule Standards. We or our service providers maintain all HIPAA-related documentation in electronic form on HIPAA-compliant, HITRUST-certified data storage facilities.
- If you are using the Services from outside of the USA, you understand that your connection will be through and to servers located in the USA, and the information you provide will be securely stored in our web servers and internal systems located within the USA. By accessing or using the Services or otherwise providing information to us, you consent to the processing, transfer and storage of information in and to the USA, where you may not have the same rights and protections as you do under your local law.
- General. We store your Personal Data for as long as reasonably required for its purpose or for any additional period required by law. We will delete your account information and Personal Data when you or when we delete your account. We may store information longer for legitimate business reasons (for example, Personal Data may remain in backups for a reasonable period of time), or as legally required. Otherwise, we store your Personal Data until you request us to remove it from our servers. We store our logs and other technical records indefinitely.
- HIPAA-Related Data. For PHI and EHR data subject to HIPAA, our data retention policy is as follows:
- We retain all HIPAA-related data and records for a minimum period of six (6) years from the date of creation or modification, or the date when such data were last in effect, whichever is later.
- In the event that local/state laws require a longer duration for retention of healthcare records, we retain such data for the duration specified by law, but no less than six (6) years.
- When deleting HIPAA-related data, we use a soft-delete functionality wherever possible, so that the data can be accessed or recovered by a system administrator. If you require permanent deletion of your Personal Data, you may send a written request to us for approval before the data can be deleted by an administrator.
- We may delete HIPAA-related PHI or EHR in a verifiable manner only when required or permitted by applicable laws and regulations, and we maintain a record of such deletions for a minimum period of six (6) years from the date of the deletion.
- We ensure that all HIPAA-related data and documentation are available to members of our workforce only on a need-to-know basis, and as required by their job functions via user-specific account access restrictions.
Your Privacy Choices
How You Can Access and Update Your Information
You may update or correct information about yourself at any time or by emailing us at email@example.com.
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject cookies; however, our Services may not function properly if you do so.
Options for Opting out of Cookies and Mobile Device Identifiers
If you are interested in more information about how you can generally control cookies from being put on your computer to deliver tailored advertising, you may visit the Network Advertising Initiative’s Consumer Opt-Out link, the Digital Advertising Alliance’s Consumer Opt-Out link or TRUSTe’s Advertising Choices Page to opt-out of receiving tailored advertising from companies that participate in those programs.
How We Respond to Browser “Do Not Track” Signals
We do not recognize or respond to browser-initiated Do Not Track signals, as the Internet industry is currently still working on Do Not Track standards, implementations and solutions. For more information about DNT signals, visit http://allaboutdnt.com.
Links to Other Websites
Our Services may contain links to other websites and those websites may not follow the same privacy practices as we do. We are not responsible for the privacy practices of third-party websites. We encourage you to read the privacy policies of such third parties to learn more about their privacy practices.
We do not knowingly collect or maintain personally identifiable information from persons under 13 years of age without verifiable parental consent, and no part of the Services are directed at persons under 13. If you are under 13 years of age, then please do not use the Services. If we learn that personally identifiable information of persons less than 13 years of age has been collected without verifiable parental consent, then we will take the appropriate steps to delete this information. To make such a request, please contact us at firstname.lastname@example.org.
No Rights of Third Parties
How to Contact Us
Safe Health Systems
5455 Wilshire Boulevard,
Los Angeles, CA