Last Revised: January 5, 2021
Personal Information We May Collect
How We May Collect Personal Information
We and our service providers may collect Personal Information in a variety of ways, including:
- Through the Services: We may collect Personal Information directly from you through the Services, e.g., when you answer a Survey or register for an account.
- From Other Sources: We may receive your Personal Information from other sources with your consent or as permitted by applicable law, such as from your insurance or healthcare provider, public databases, joint marketing partners and other third parties.
How We May Use and Disclose Your Personal Information
Recora, Inc. may have an arrangement with your insurance or healthcare provider and under that arrangement may be permitted to use and disclose your Personal Information as directed by them, uses and discloses Personal Information to provide the Services as described below. We may use Personal Information:
- To respond to your inquiries, fulfill your requests, and send you communications that you request, such as the results of any Survey that you have taken.
- To send administrative information to you, for example, information regarding the Services and changes to our terms, conditions and policies.
- To personalize your experience on the Services, for example, by presenting Surveys and similar products to you.
- For our internal management and business purposes, such as data analysis, developing new services, enhancing, improving or modifying the Services, audits, fraud monitoring and prevention, identifying usage trends, but, in some cases that will be only to the extent such use of Personal Information is permitted or required by your insurance or healthcare provider.
- As we believe to be necessary or appropriate, and only as permitted under the Health Insurance Portability & Accountability Act and amendments thereto (HIPAA) or other applicable law: (a) to comply with legal process; (b) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (c) to protect our operations or those of any of our affiliates, including in connection with investigating security incidents; or (d) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
- For such other purposes as you may consent.
Your Personal Information may be transferred or disclosed:
- To our third party service providers who assist us to provide the Services (such as website hosting, data analysis, information technology and related infrastructure provision, email delivery, auditing and other services), and with whom we have a contract that includes appropriate privacy obligations.
- To third parties, such as your insurance or healthcare provider, consistent with your instructions. For example, you may opt in to allow us to share your responses to and results of any Surveys.
- As we believe to be necessary or appropriate, and only as permitted under HIPAA or other applicable law: (a) to comply with legal process; (b) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (c) to protect our operations or those of any of our affiliates, including in connection with investigating security incidents; or (d) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
- To such third parties and for such purposes to which you consent.
Other Information We May Collect
“Other Information” is any information that does not reveal your specific identity or does not directly relate to an individual, such as:
- Browser and device information
- Apps usage data
- Information collected through cookies, pixel tags and other technologies
- General demographic information
- Aggregated information
If we are required to treat Other Information as Personal Information under applicable law, then we may use it for the purposes for which we use and disclose Personal Information as detailed in this Policy.
How We May Collect Other Information
We and our third party service providers may collect Other Information in a variety of ways, including:
- Through your browser or device: Certain information is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of the Services (such as the App) you are using. We use this information to ensure that the Services function properly.
- Through your use of the Apps: When you download and use the Apps, we and our service providers may track and collect usage data, such as the date and time the App on your device accesses our servers and what information and files have been downloaded to the App based on your device number.
- Using pixel tags and other similar technologies: Pixel tags (also known as web beacons and clear GIFs) may be used in connection with some Services to, among other things, track the actions of users of the Services (including email recipients), and compile statistics about usage of the Services and response rates.
- IP Address: Your IP address is a number that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP). An IP address may be identified and logged automatically in our server log files whenever a user accesses the Services, along with the time of the visit and the page(s) that were visited. Collecting IP addresses is standard practice and is done automatically by many websites, applications and other services. We use IP addresses for purposes such as calculating usage levels, diagnosing server problems and administering the Services. We may also derive your approximate location from your IP address.
- Physical Location: We may collect the physical location of your device by, for example, using satellite, cell phone tower or WiFi signals. We may use your device’s physical location to provide you with personalized location-based services and content. You may be permitted to allow or deny such use, but, if you do, we may not be able to provide you with the applicable personalized services and content.
- From you: Information such as your preferred means of communication is collected when you voluntarily provide it.
How We May Use and Disclose Other Information
We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Information with Personal Information. If we do, we will treat the combined information as Personal Information as long as it is combined.
Third Party Services
Security and Retention
The following six rights are collectively referred to as the “Individual Rights.”
- The right to access - You have the right to request copies of your personal data that Recora, Inc. possesses. We may charge you a small fee for this service;
- The right to rectification - You have the right to request that Recora, Inc. correct any information you believe is inaccurate. You also have the right to request that Recora, Inc. complete information you believe is incomplete;
- The right to erasure — You have the right to request that Recora, Inc. erase your personal data, under certain conditions;
- The right to restrict processing - You have the right to request that Recora, Inc. restrict the processing of your personal data, under certain conditions;
- The right to object to processing - You have the right to object to Recora, Inc.’s processing of your personal data, under certain conditions; and
- The right to data portability - You have the right to request that Recora, Inc. transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you would like to exercise any of your Individual Rights regarding Personal Information that you have previously provided to us, you may do so by logging into your account within the Services or by contacting us in accordance with the “Contacting Us” section below. In your request, please make clear what Individual Right you are exercising. For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable and in compliance with applicable law. Where appropriate, we will transmit the amended information to third parties having access to your Personal Information. We may be prevented from complying with a request to exercise an Individual Right. In such circumstances, we will respond to your request to exercise your Individual Right with a response stating that we cannot comply with such a request and, if legally allowed, why.
If you are a resident of California the following information and rights are provided to you as required by the California Consumer Privacy Act of 2018 (“CCPA”). Any terms defined in the CCPA have the same meaning when used in this notice. Personal information under CCPA does not include:
- Publicly available information from government records.
- De-identified or aggregated consumer information.
- Information excluded from the CCPA's scope, such as:
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data.
- Financial Information covered by the Gramm-Leach-Bliley Act, and implementing regulations.
In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:
- Identifiers: Name, residential address, Internet Protocol (IP) address, email address, or other similar identifiers
- Customer records information: Name, address, telephone number, medical information, health insurance information
- Characteristics of protected classifications under California or federal law: Race, gender identity, age
We disclose your personal information for a business purpose to the following categories of third parties:
- Service Providers: Cloud hosting, email delivery, medical record management, telehealth video platform, service desk management, platform usage analytics, business analytics, SMS delivery, log aggregation, geolocation
Sale of Personal Information
In the preceding twelve (12) months, we have not sold any personal information.
Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you any of the following, as requested:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you.
- If we disclosed your personal information and identify the personal information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Comply with legal obligations.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it
Response Timing and Format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.