Supplemental Privacy Notice for California Residents
Effective: October 28, 2024
This Privacy Notice for California Residents supplements and is expressly made part of the information contained in Personify Health’s Privacy Notice, available at https://personifyhealth.com/general-privacy-notice/, and applies solely to visitors, users, and others who reside in the State of California (“Consumers” or “You”). We adopt this Notice to comply with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA”). Any terms defined in the CCPA and Privacy Notice have the same meaning when used in this Supplemental Notice.
Collecting and Using Personal Information
Please see our program-specific Privacy Notice for details about how we collect and use your Personal Information.
Additionally, please note that to the extent we de-identify and use PHI, we rely upon applicable rules and guidance under HIPAA. All de-identification of PHI is undertaken pursuant to the safe harbor provisions of the HIPAA Privacy Rule.
Sale of Personal Information
We do not resell Personal Information that we collect from any consumer. However, we do sell reports based on data we collect from third parties, public sources, or our existing de-identified datasets. We also sell inferences derived using our analytics to your Sponsor so they can better serve your needs. In the preceding twelve (12) months, we have sold the following categories of Personal Information for a business purpose:
- Category A – Identifiers.
- Category B – Personal information categories listed in the California Customer Records statute.
- Category F – Internet or other similar network activity.
- Category K – Inferences drawn from other Personal Information.
Opt-Out and Opt-In Rights
If you are 16 years of age or older, you may direct us to not sell your Personal Information at any time. We do not sell the Personal Information of consumers we know are less than 16 years of age, unless we receive affirmative authorization from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age. If you or your parent or guardian choose to opt-in to Personal Information sales, you or your parent or guardian may still opt-out of future sales at any time. To opt-out, you (or your authorized representative) may submit a request to us by emailing [email protected].
Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Information sales. We will only use Personal Information provided in an opt-out request to review and comply with the request.
You have the right to opt out of using your information for automated decision making (“profiling”) involving your behavior, economic situation, health, interests, locations or movements, performance at work, personal preferences or reliability.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services
- Charge you different prices or rates for goods or services
- Provide you a different level or quality of goods
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods.
However, we may offer, and you may consent to receive, certain incentives permitted by the CCPA. Any CCPA-permitted incentive we offer will reasonably relate to your Personal Information’s value and contain written terms that describe the program’s material aspects. You may revoke your consent to participate or receive such financial incentive at any time.
Other Rights
To exercise any of the following requests, please submit a request to us by emailing [email protected].
Access to Specific Information; Data Portability Rights
You have the right to request that We disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you: (A) the categories of Personal Information we collected about you; (B) the categories of sources for the Personal Information we collected about you; (C) our business or commercial purpose for collecting or selling that Personal Information; (D) the categories of third parties with whom we share that Personal Information; (E) the specific pieces of Personal Information we collected about you (also called a data portability request). If we sold or disclosed your Personal Information for a business purpose, we will provide you with two separate lists disclosing such sales or disclosures, identifying the Personal Information categories that each category of recipient purchased or otherwise obtained.
Deletion Rights
You have the right to request that We delete any of your own Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
An exception to your request may apply if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 etc.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided.
Utilizing an Agent or Guardian
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must: (A) provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative; and (B) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Responding to Your Requests
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to ninety (90) days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Contact Information
If you have general questions about your Program, you can contact Member Services by calling 1-888-671-9395 (in the US) or by sending an email to [email protected].
If you have any questions, comments or concerns about this Notice, or your rights and obligations under this Notice, you may contact us via email at [email protected] or via the “Contact Us” section of the Personify Health web-based platform and mobile application. Alternatively, you can contact us by writing to:
Personify Health, Inc.
Attn: Privacy Officer
75 Fountain Street
Providence, Rhode Island 02903
United States