
Privacy Policy (US)

Last updated: July 1, 2023

Scope

Peppy Health Corporation (“Peppy”, “we”, “us”, or “our”) created this Privacy Policy to describe its collection, use, and disclosure practices with respect to information that identifies or may reasonably identify you (“Personal Information” or “PI”). This Privacy Policy applies to our healthcare services, including our menopause, endometriosis and PCOS support, including any related medical prescription services, and any accompanying features or products that we may develop (“Services”) and the mobile application and other platforms that we may develop in the future (collectively, the “Platform”). This Privacy Policy supplements our Terms of Service and Notice of Privacy Practices, which describes our collection, use, and disclosure of your Protected Health Information pursuant to the Health Insurance Portability and Accountability Act (HIPAA).

Depending on your relationship with us, our collection, use, and disclosure of Personal Information may differ. We use the term “Users” to describe individuals who sign up for and access the Services. We use the term “Providers” to describe the physicians, nurses, or other clinicians or supporting staff members who administer our Services to Users. Any references to “you” or “yours” refer to both Users and Providers.

Updates

We may update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective when we notify you of the changes and may apply to PI that we have already collected. Our means of notifying you may vary and may include a banner or notification on our Platform, an email communication from us, or another form of reasonable notice. Unless otherwise stated in the notice, your use of the Platform following these updates will constitute your acceptance of these updates.

Children

Our Platform is not targeted to children under the age of 18.  If you know that we have received PI directly from a child under the age of 18, please contact us by referencing the information in Contacting Us, below, so that we may delete that PI from our system. Please note, however, that there may be occasions where you choose to submit PI about your dependents during the course of your care.

What Personal Information do we collect?

We may collect the following PI about you:

  • Contact information. This includes your full name and preferred name, postal address, phone number, and work and personal email address. This also includes your username* and password* when you create an account with us.
  • Photograph. You have the option to upload a picture when you create an account.
  • Demographic information.* This includes your birthdate, gender, and race.
  • Employment information. This includes your occupation and current employer. For Providers, this also includes licensing and credentialing information.
  • Health Information.* This includes data that Users provide to us through our Platform. This may include data that Users share during chat sessions with Providers, biometric data, test results where Users have requested diagnostic test services, pictures or descriptions of symptoms that Users share, prior medical and medication history, health content preferences, and any other health information that Users choose to share with us.
  • Internet and device information. This includes device and browser characteristics, including unique or online identifiers such as your device ID, IP address, and mobile operating system.
  • Usage information. This includes information about how you interact with our Platform and engage the Services, such as pages visited or programs completed.
  • Geolocation information. This includes the geolocation of the device(s) you use to access our Platform. We collect this information at the state, city, or zip code level in order to set the appropriate time zone for the Platform and monitor the integrity and security of our Platform.

Categories marked with an asterisk (*) may be considered “sensitive” categories of information according to some U.S. state laws. We intend to retain each of the above categories of PI for as long as necessary to comply with legal obligations, fulfill your requests or inquiries, and improve our Platform.

How do we collect Personal Information?

We collect PI from the following sources:  

  • Directly from you. For example, when you fill out our forms or sign up to join the Platform, you provide PI like your contact, demographic, and employment information. As noted above, Users provide health information when they engage with our Services.
  • At your direction. For Users, we may receive PI about you if you specifically instruct a third party to share it with us.
  • Automatically. For example, when you visit our Platform, we use tools such as cookies or pixel tags to collect PI such as your geolocation or other internet or device information. For more information on this, see Cookies, pixels, and other tracking technologies.
  • Third-party service providers. We work with third parties to help us provide and manage the Services and Platform. These third parties may collect PI about you on our behalf, such as:
    • For Providers, we work with a third-party service to help us verify and manage the healthcare credentialing process.
    • We may also receive PI about you from videoconferencing providers and calendar management tools when you use certain parts of our Services, such as attending an event or program.
    • We also use third-party data analytics providers to help us track how you interact with our Platform and engage with our Services.
  • Users’ employers. We collect Users’ work email addresses from Users’ employers so that we may verify access to the Platform. Upon sign up, we ask Users to provide their personal email address so that we may communicate with Users through a personal account.

How do we use your Personal Information?

We may use your PI for various purposes, including to:  

  • Provide and administer the Services and allow you access and use of our Platform
  • Process your requested transaction(s) and facilitate your interaction with our Services or Platform
  • Personalize your experience with our Services or Platform
  • Deliver or suggest content in which you may be interested based on your interactions with our Platform
  • Address your customer service requests or communicate with you in relation to other follow up items or correspondence
  • Develop and improve our Services or Platform for you and other future Users and Providers, for example, by developing additional features or tools to offer within our Platform or seeking your responses to a survey or marketing communication
  • Help maintain and enhance the security and integrity of our Services or Platform
  • Communicate with you about our Platform, including this Privacy Policy

The information that we use to provide some or most of the Services is Protected Health Information and therefore subject to our HIPAA Notice of Privacy Practices.

How do we disclose your Personal Information?

We may disclose your PI in the following ways:

  • Within Peppy and its affiliates, in order to provide our Services and Platform to you. Please note that in order to ensure continuity of services, your health data submitted during consultations may be accessible to multiple practitioners who are qualified to provide you with assistance.
  • With third-party service providers to help us provide and manage our Services and Platform. We share PI with these third parties according to a contract that ensures they take appropriate steps to safeguard the confidentiality, integrity, and security of the PI that we share with them. We also limit PI provided to these third parties to the amount reasonably necessary to perform their function. These third parties include:
    • Healthcare credentialing providers to help us verify and manage the healthcare credentialing process;
    • Videoconferencing providers and calendar management tools so that we may provide you with Services like events and programming;
    • Data analytics providers to help us track how you interact with our Platform and engage with our Services;
    • Business service providers, like accountants, auditors, consultants, attorneys, and insurers;
    • Customer service providers that may provide services through chatbots or other automated assistance features;
    • Communications services for email and SMS messaging; and
    • IT service providers that assist us with data storage, diagnostics, and system maintenance for our Platform.
  • With any successors to all or part of our business in the event that we assess or actually merge with, acquire or are acquired by, or sell a brand or part of our business to another entity as part of an asset sale, corporate reorganization, or other change of control, including bankruptcy.
  • With certain parties in order to comply with the law, or otherwise assess or defend our legal rights and obligations. This includes government agencies, investigatory bodies, law enforcement, and certain advisers such as our attorneys or other auditors. This may also include other third parties in response to a court order or subpoena. We may also release PI when its release is appropriate to enforce our site policies, or protect others’ rights, property, or safety.

Please note that we do not share PI with Users’ employers. We may, however, share aggregated data (such as statistical data indicating the percentage of Users who access a particular service) for any purpose with any party because this does not identify the individual.

The information that we share to provide some or most of the Services is Protected Health Information and therefore subject to our HIPAA Notice of Privacy Practices.

How do we protect your Personal Information?

We take security seriously and have implemented reasonable technical, organizational, and physical safeguards to protect your PI. However, please keep in mind that no system, including our Platform, is 100% secure. Please take reasonable steps to maintain your own security. We recommend that you select complex passwords for your accounts and not reuse login credentials for multiple accounts.

Cookies, pixels, and other tracking technologies

Cookies, and other technologies like web beacons or pixels, optimize your experience with our Platform by remembering your browsing preferences. Our Platform does not currently recognize “Do Not Track” signals, but depending on your device model and operating system, you may be able to modify how mobile applications collect information in your device’s settings. We use these tracking technologies within our Platform for many reasons as described above, including customizing the Services and Platform for you and improving the Services and Platform for others. However, we do not currently use any tracking technologies for the purposes of targeted advertising.

Third-party links

Occasionally, at our discretion, we may include or offer third-party products or services on our Platform. We do not own or control these third-party sites. Your use of these third-party sites is subject to the third parties’ privacy policies and/or other applicable terms, and we are not responsible for the content or activities of these linked sites.

Your Privacy Choices

Depending on your state of residence (including California, Virginia, Colorado, Utah, Connecticut, and potentially other states), you may have certain rights with respect to your PI. We will strive to honor these rights no matter your place of residence, but we reserve our ability to fulfill your requests as legally required.

To exercise any of the following rights (“Data Subject Right”), you or your authorized agent may contact us via the instructions in Contacting Us, below.

We may request additional information to verify the authenticity of your request, including confirming PI or other information that you have already provided to us, or potentially requesting additional PI.

  • Right to Know and Access. You may request that we confirm whether we are processing your PI and other details about that processing. Furthermore, you may request that we provide you with a copy of your PI, including the specific pieces of PI if applicable.
  • Right to Correct. If you believe that your PI is inaccurate or incomplete, you may request that we correct your PI.
  • Right to Delete. You may request that we delete the PI that you have provided to us, subject to certain exceptions.
  • Right to Opt Out of Targeted Advertising. Targeted advertising is the practice of serving you personalized ads based on information gathered about you across different websites, devices, or applications. We do not engage in targeted advertising.
  • Right to Opt Out of Sales. Some U.S. state laws define sales as exchanges of PI for monetary or other valuable consideration. We do not “sell” your PI.
  • Right to Restrict Certain Processing. You may have the right to limit the use or disclosure of your “sensitive” PI or opt out of other processing activities, such as those involving automated decision-making, as defined by applicable U.S. state law.
  • Right to Nondiscrimination. We will not discriminate against you for exercising these rights. However, where permitted by law, we may charge a reasonable fee in fulfilling certain requests.
  • Right to Appeal. If we deny your request to exercise a Data Subject Right, you may have the right to appeal the decision with us. If you would like to appeal a prior decision, please be sure to include information about your prior request so that we may locate our earlier determination.

In addition to these Data Subject Rights, you can always manage your communication preferences. If at any time you would like to unsubscribe from receiving future emails, you can follow the unsubscribe or opt-out instructions included in the email communication.

Notice to Nevada Residents

We do not “sell” PI according to Nevada law. If you would like to request that we not sell your PI in the future, please follow the instructions in Contacting Us.

Notice to California Residents

The following statements are made in compliance with the California Consumer Privacy Act (“CCPA”), as amended.

We do not “sell” or “share” PI as defined by CCPA. “Share” as defined by CCPA refers to sharing PI for the purposes of cross-context behavioral advertising, also referred to as online targeted advertising.

We do not process sensitive information for purposes other than those specified in Cal. Code Regs. tit. 11, § 7027(m).

In the past 12 months, we have collected PI described above, under What Personal Information do we collect? from the sources listed in How do we collect Personal Information?. This PI falls into the following categories of PI under the CCPA:

  • Identifiers
  • Categories listed in California Civil Code 1798.80(e)
  • Characteristics of protected classifications under California or federal law
  • Health information
  • Internet or electronic network activity information
  • Professional or employment-related information

The Personal Information that we have disclosed to or shared with third parties in the past 12 months is described above, under How do we share your Personal Information?, and includes PI from the following categories of PI under the CCPA:

  • Identifiers
  • Visual information (if you choose to upload a photograph of yourself to your account)
  • Categories listed in California Civil Code 1798.80(e)
  • Characteristics of protected classifications under California or federal law
  • Health information
  • Internet or electronic network activity information
  • Professional or employment-related information

Notice to EU Data Subjects

For the purposes of applicable data protection legislation including the General Data Protection Regulation 2016/679/EU (‘GDPR’), Peppy is the data controller for the personal data we process, as described in this privacy policy unless otherwise stated. Our data protection officer is 8foldGovernance Limited (company registration number 12085647) and can be contacted at dpo.contact@peppy.health.

If you are resident in the EU/EEA, our data protection representative for the purposes of Article 27 GDPR is Data Protection Representative Limited (trading as ‘DataRep’), a company registered in the Republic of Ireland with registered number 616588. You should contact DataRep in the first instance for any requests in relation to your personal data by emailing datarequest@datarep.com or completing a web form at www.datarep.com/data-request. Your request will be forwarded to the DPO as required.

Contacting Us

If you have any questions regarding this Privacy Policy, or would like to submit individual requests in accordance with this Privacy Policy, including those listed in Your Privacy Rights and Choices, you may contact us at: hello@peppy.health and/or Peppy Health Corporation, 511 Ave of the Americas, Unit #967, New York, NY 10011.

Categories of Personal Data, legal basis for processing, and purpose of processing

Contact Data

Includes name, Peppy user name, address, telephone number, personal email address and work email address. Your Peppy user name may constitute personal data if you use identifiable data when choosing this.

Legal basis for processing:

  • Legitimate interests. Peppy communicates with you to deliver our services, and for business development reasons.
  • Consent
  • Necessity for performance of a contract

Purpose of processing:

  • Provision of healthcare and personalised digital content services.
  • Providing any required information to third party diagnostic testing services.
  • Research, statistical analysis and behavioural analysis to improve our services.
  • Customer service improvements and quality management.
  • Security, fraud prevention and detection.
  • To notify you of any changes to this website or to our services that may affect you.
  • Communicating user surveys and marketing, including engagement tracking to ensure that important communications are received by you.
  • Direct marketing and business development activities.

Health Data (Special category personal data)

Includes information relating to your health status and wellbeing. This may include health data you share during practitioner sessions, biometric data, test results where you have requested diagnostic test services, photos and images of symptoms that you choose to share, symptoms and pathological conditions, medication history, health content preferences, and any other health information submitted via the application or in practitioner sessions.

Legal basis for processing:

  • Consent. You have given explicit consent for us to process your personal data and special category personal data. Personal health data will primarily be processed on the basis of your explicit consent.
  • Necessity for providing health services. In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your special category personal data may be necessary for the provision of health or social care services and safeguarding.

Purpose of processing:

  • Provision of health and/or social care, and personalised digital content services.
  • Providing any required information to third party diagnostic testing services.
  • Customisation to determine your App content preferences.
  • Research, statistical analysis and behavioural analysis to improve our services, including temporary processing by AI language models.
  • Necessary safeguarding (where explicit consent may not be possible).

Ethnicity Data (Special category personal data)

Includes information relating to your ethnicity and/or race. We base this on the ethnicity consensus list provided by the Office of National Statistics and may include information relating to your heritage, place of birth, culture, customs, language etc.

Legal basis for processing:

  • Consent. You have given explicit consent for us to process your personal data and special category personal data. Personal ethnicity data will primarily be processed on the basis of your explicit consent.
  • Necessity for providing health services. In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your ethnicity data may be necessary for the provision of health services.

Purpose of processing:

  • Research, statistical analysis and behavioural analysis to improve clinical outcomes and our services.
  • Necessary for the provision of health services.

Identity Data (Special category personal data where the ID document reveals ethnicity or race or contains biometric data)

Includes the collection and processing of copies of passports, drivers licences and other identity documents which we are required to review in order to offer certain services such as prescriptions.

Legal basis for processing:

  • Consent. You have given explicit consent for us to process your personal data and special category personal data. Personal identity data will primarily be processed on the basis of your explicit consent.
  • Necessity for providing health services. In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your special category personal data may be necessary for the provision of health or social care services and safeguarding.

Purpose of processing:

  • Provision of health and/or social care, and personalised digital content services.
  • Necessary for the provision of prescription services.
  • Providing any required information to third party prescription services.
  • Necessary safeguarding (where explicit consent may not be possible).

Technical Data

Includes internet protocol (IP) address, your login data, device type, operating system, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the website or App.

Legal basis for processing:

  • Legitimate interests. Peppy processes this information on the basis of its legitimate interests as a digital services business.

Purpose of processing:

  • Provision of healthcare and personalised digital content services.
  • Customisation to determine your App content preferences.
  • Research, statistical analysis and behavioural analysis to improve our services.
  • Customer service improvements and quality management.
  • Security, fraud prevention and detection.
  • Customising this website and its content to your particular preferences.
  • Improving the functionality of our services.

Usage Data

Includes information about how you use our website, the App and our services, which pages you visit, traffic and location data. When arranging an initial video call to discuss purchasing Peppy’s Services, we may request to record calls for quality assurance, training and monitoring purposes; however, you may opt out of such call recording.

Legal basis for processing:

  • Legitimate interests. Peppy processes such usage data on the basis of its legitimate interests.
  • Consent. You have given clear consent for us to process your personal data when you register to use our services, make contact with us or provide feedback to us about our services.

Purpose of processing:

  • Provision of healthcare and personalised digital content services.
  • User profiling to determine your App content preferences.
  • Research, statistical analysis and behavioural analysis to improve our services.
  • Customer service improvements and quality management.
  • Security, fraud prevention and detection.
  • Customising this website and its content to your particular preferences.
  • Improving the functionality of our services.

Aggregated Data

We may use and share aggregated and anonymised data, such as statistical data, for any purpose, including artificial intelligence research. Aggregated data may be derived from your personal data but is not personal data as this data does not directly or indirectly identify you. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific service and this data may be shared with your employer.

Legal basis for processing: N/A

Purpose of processing:

  • Research, statistical analysis and behavioural analysis to improve our services.
  • Customer service improvements and quality management.
  • To display on the Peppy website and social media accounts anonymous testimonials you may provide to us.

Please note that in order to ensure continuity of services, your health data submitted during consultations may be accessible to multiple practitioners who are qualified to provide you with assistance.

Where we have collected and processed your personal information with your consent, you can withdraw your consent at any time by contacting dpo.contact@peppy.health and providing us with enough information to identify you (e.g., account number, username, registration details). In the event that you withdraw your consent it may not be possible to provide you with access to our service in whole or in part.

Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal.

How your Personal Data is provided to us

For App users, we collect Personal Data through the use of the application that you choose to submit. We are not provided with Personal Data by any third party unless such party is specifically instructed by you to do so.

Contact Data of customer account holders may be collected in the course of our marketing and sales activities or through your submission of forms on the Peppy website(s).

Marketing and opting out

We conduct direct marketing activities in accordance with all applicable laws. If you prefer not to receive any direct marketing communications from us, you can opt out at any time by:

  • emailing us at hello@peppy.health with subject title ‘Unsubscribe’;
  • providing us with enough information to identify you (e.g., account number, username, registration details); and
  • If your objection is not to direct marketing in general, but to direct marketing by a particular channel (e.g., email or telephone), please specify the channel you are objecting to.

In each communication you receive from us, there will be an “opt-out” or “unsubscribe” option available.

Information about other individuals

If you give us information on behalf of someone else, whether through the Peppy App or web forms, you confirm that the other person has appointed you to act on his/her behalf and has agreed that you can:

  • give consent on his/her behalf to the processing of his/her personal data;
  • receive on his/her behalf any data protection notices;
  • give consent to the processing of his/her personal data; and
  • give explicit consent to the transfer of his/her health data.

You should refer any such individuals to this Privacy Policy.

Processing data of minors

Peppy does not ordinarily process personal data of individuals under the age of 18. There may be occasions where you choose to submit the personal data of your dependents for the purposes of receiving guidance or healthcare services. Where this is the case you may be asked to provide additional explicit parental consent to such processing where such individuals are under the minimum legal age for the use of online services or consent to health services.

How long we keep your personal data

We retain your personal data in our server logs, our databases, and our records for as long as necessary to provide our services to you or until such time as you request erasure of your personal data. We may need to retain some of your information for a longer period, such as in back-up records, or in order to comply with our legal or regulatory obligations, to resolve disputes or defend against legal claims. Medical records, which may include chat data, may be retained for up to ten years after you cease to use the services, in line with established health practices.

Where we anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use this information indefinitely without further notice to you.

Your rights
You have the following rights in relation to your personal data. The rights available to you depend on our legal basis for processing your data.

Access – You have the right to request access to personal data that we may process about you.

Rectification – You have the right to require us to correct any inaccuracies in your personal data.

Erasure – You have the right to ask us to erase your personal data in certain circumstances. Deletion of personal data will be carried out on the understanding that removal of some information (e.g., addresses) during an active membership term may negatively affect your ability to use the website/ App.

Restriction – You have the right to request that we restrict processing of your personal information in certain circumstances.

Objection – You have the right to object to the processing of your personal data.

Portability – You have the right to ask that we transfer the personal data you have given us to another organisation or give it to you.

You will not have to pay a fee for exercising your rights, save for where such a request is determined to be manifestly unfounded or excessive, in which case a reasonable fee may be imposed or we may refuse to act on the request. We have one month to respond to you in relation to a request.

If you wish to exercise any of the rights set out above, please contact dpo.contact@peppy.health and provide us with enough information to identify you (e.g., account number, username, registration details). To rectify your data, specify the information that is incorrect and what it should be replaced with.

Disclosure of your personal data

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. They may use their own third party data processors, but all of our data processors are subject to legal requirements in line with the GDPR in respect of any processing they carry out on our behalf. They will hold it securely and retain it for the period we instruct.

These types of organisations are:

  • Third party care providers such as testing and diagnostic services.
  • Email and SMS messaging services (to enable us to communicate with you efficiently).
  • Providers of business services such as auditors, consultants, solicitors and/or insurers (to enable us to run Peppy efficiently).
  • Providers of IT systems or services (to enable us to run Peppy efficiently).
  • IT storage providers (to enable us to secure data efficiently).
  • Market research providers (to help us to improve the services we offer).
  • Providers of information management services (to help us learn about our customers).
  • Organisations that you ask us to share your personal information with (upon request).
  • Third party machine learning services to help us to provide a more effective and efficient service to our customers.

If you are a purchaser of Peppy’s services, we may request your consent to monitor and record communications with you (such as telephone conversations, emails and chat) for the purpose of quality assurance, training, detecting, investigating and preventing illegal activities, which may include sharing data with law enforcement agencies. You may opt out of such record keeping where it involves special category personal data, unless such sharing is required by law.

Keeping your data secure

We will use technical and organisational measures to safeguard your personal data, for example: we store your personal data on secure encrypted servers.

While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet.

Transfers of your information out of the EEA
We may need to transfer your personal data outside the European Economic Area (EEA), including the United States, for example, if one of our suppliers or employees is located outside the EEA.

Where we transfer EU personal data to the United Kingdom, such transfers are subject to the European Commission adequacy decision of 28 June 2021 in respect of the United Kingdom.

Where we need to transfer your data outside the EEA to a country that is not considered to adhere to an equivalent standard of data protection, we will ensure that any transfer of your personal data will be subject to appropriate safeguards, such as a European Commission approved contract (if appropriate) that will ensure you have appropriate remedies in the unlikely event of a security breach.

Links to other sites
Our website contains or may contain links to other websites. This privacy policy applies only to our website (www.peppy.health and any website URL starting with www.peppy.health/), so when you visit other websites please read their privacy policies, as we cannot accept any responsibility for breaches or issues you may have in relation to privacy once you leave our website.

How to make a complaint
We would encourage you to contact us at dpo.contact@peppy.health if you think that any collection or use of your personal data by us is unfair, misleading or inappropriate.

If you make a complaint to us and think we have not dealt with it to your satisfaction, you have the right to make a complaint to your local supervisory authority. A full list of supervisory authorities is available here.

Changes to privacy policy
We keep our privacy policy under regular review. If we change our privacy policy we will post the changes on this page, so that you may be aware of the information we collect and how we use it at all times.