
Privacy Policy

PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND HOW WE TREAT YOUR PERSONAL INFORMATION AND WHAT CHOICES AND RIGHTS YOU HAVE IN THIS REGARD.  IF YOU DO NOT AGREE WITH THE TERMS AND CONDITIONS OF THIS POLICY, YOU SHOULD NOT ACCESS OR USE THE SITE, THE PLATFORM, OR ENGAGE IN COMMUNICATIONS WITH US.

THIS SITE AND OUR SERVICES ARE INTENDED FOR USERS LOCATED IN THE UNITED STATES, AND THEY ARE NOT INTENDED FOR USERS LOCATED IN OTHER COUNTRIES, INCLUDING THE EUROPEAN UNION AND THE EUROPEAN ECONOMIC AREA.  BY USING THE SITE OR THE PLATFORM, YOU ACKNOWLEDGE AND AGREE THAT YOU ARE USING IT FROM WITHIN THE UNITED STATES.

INTRODUCTION

HOW DO WE PROCESS PERSONAL INFORMATION?

HOW LONG DO WE STORE AND USE YOUR PERSONAL INFORMATION?

HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

RIGHTS AND CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION

THIRD-PARTY SITES

CHILDREN’S ONLINE PRIVACY PROTECTION ACT

UPDATES AND CHANGES TO THIS POLICY

CONTACT US

PERSONAL INFORMATION WE COLLECT AND PROCESS VIA THE SITE

PERSONAL INFORMATION WE COLLECT AND PROCESS VIA THE PLATFORM

PERSONAL INFORMATION WE COLLECT AND PROCESS VIA OTHER WAYS

CALIFORNIA RESIDENTS

INTRODUCTION

Epion Health (also referred to herein as “we,” “us,” and “our”) is committed to protecting the privacy and security of the personal information we collect, use, share, and otherwise process as part of our business. We also believe in transparency, and we are committed to informing you about how we treat your personal information. This Policy will provide you with a description of our online and offline practices regarding your personal information and the rights you have regarding your personal information. You may obtain an accessible version of this Policy by contacting us via the methods identified in the “Contact Us” section of this Policy.

HOW DO WE PROCESS PERSONAL INFORMATION?

Personal Information We Collect and Process. We collect and process personal information via the methods described below.  Please do not provide another person’s personal information to us.

 

| Method of Interaction | Description of Practices |
| --- | --- |
| On our Site | Click here to learn more about how we collect and process personal information on our website, www.epionhealth.com and any subdomains (the “Site”). |
| On our Platform | We collect and process personal information via Epion Check-In or Epion PreVisit (the “Platform”) in two ways: (1) When we are providing check-in services for a customer (your doctor) via the Platform, we act as a “Business Associate” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In that capacity, we collect, receive, maintain, use, and disclose Protected Health Information as permitted or required under applicable law, and our customer’s (your doctor’s) privacy notice controls how we collect and process PHI. (2) We also give individuals an opportunity to receive personalized information about health-related products and services that may be interesting to them on the Platform. We do not act as a Business Associate in this capacity, as this service is provided on behalf of the individuals who choose to share data with us pursuant to a HIPAA Authorization. Click here to learn more about how we collect and process personal information on the Platform in this capacity. |
| Other Ways We Interact with You | Click here to learn more about how we collect and process personal information in other ways, including on social media and in your communications with us. |

How We Use Personal Information. To the extent permitted by applicable law, we may use the types of personal information listed above in order to:

  • Operate our business;
  • Honor our Terms of Use and contracts;
  • Provide our products and services;
  • Ensure the privacy and security of our Site, Platform, and services;
  • Maintain our databases and back-ups;
  • Manage our relationships with you;
  • Communicate with you;
  • Keep records of our communications with you;
  • Send you notifications and newsletters; 
  • Promote our products and services to you;
  • Contact you about other products and services;
  • Improve our marketing efforts; 
  • Operate the Site and the Platform;
  • Analyze use of our Site, Platform, and services;
  • Serve you the content and functionality you request;
  • Develop new products and services;
  • Track visits to the Site and the Platform;
  • Enhance your experience;
  • Provide you with a more personal and interactive experience on the Site and the Platform;
  • Process payments or other transactions;
  • Comply with federal, state, or local laws;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; 
  • Cooperate with law enforcement agencies concerning conduct or activity that we, a service provider, or a third party reasonably and in good faith believe may violate federal, state, or local law;
  • Exercise or defend legal claims; and 
  • Collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated under applicable law.

How We Share and Disclose Personal Information. We may share your personal information in the following contexts.

| Category | Disclosure Contexts |
| --- | --- |
| Corporate Affiliates | We may share your personal information with our corporate subsidiaries and affiliates and with their respective officers, directors, employees, accountants, attorneys, and agents. |
| Acquisitions and Similar Transactions | We may disclose your personal information in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our company assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred. For example, if another company acquires us, we will share your personal information with that company. |
| Disclosures with Your Consent | We may ask if you would like us to share your personal information with other unaffiliated third parties who are not described elsewhere in this Policy. We will only disclose your personal information in this context with your consent. |
| Legal Obligations and Rights | We may disclose your personal information in response to subpoenas, warrants, court orders or other legal processes, or to comply with relevant laws. We may also share your personal information in order to establish or exercise our legal rights, to defend against a legal claim, and to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our contract. |
| Public | Some areas of our Site may offer forums or provide the opportunity for users to post comments or reviews in a public forum. Please remember that any information that is disclosed in these areas becomes public information, and you should exercise caution when deciding to disclose your personal information. If you decide to submit your personal information in these areas, you do so at your own risk and acknowledge that the information will be publicly-available. |
| Service Providers | We may share your personal information with our service providers that need access to your information to provide operational or other support services on our behalf. Among other things, service providers help us to administer the Site/Platform; support our provision of services/products requested by you; provide technical support; send marketing, promotions and communications to you about our services/products; provide payment processing; and assist with other legitimate purposes permitted by law. |
| Professional Advisors | We may share your personal information with our insurers and other professional advisors, including attorneys and accountants, that need access to your information to provide operational or other support services on our behalf. |
| Deidentified or Aggregated Data | We may disclose aggregated information about our users and information that does not identify any specific individual, such as groupings of demographic data and customer preferences, for new product and marketing development. |
| Third Parties | We may provide personal information about you to third parties that may offer products and services specifically requested by you. |

HOW LONG DO WE STORE AND USE YOUR PERSONAL INFORMATION?

We will retain and use your personal information for as long as is necessary to fulfill the purposes for which it was collected, to comply with our business requirements and legal obligations, to resolve disputes, to protect our assets, to provide our products and services, and to enforce our agreements.

We take reasonable steps to delete the personal information we collect when (1) we have a legal obligation to do so, (2) we no longer have a purpose for retaining the information, and (3) if you ask us to delete your information, unless we determine that doing so would violate our existing, legitimate legal, regulatory, dispute resolution, contractual, or similar obligations. We may also decide to delete your personal information if we believe it is incomplete, inaccurate, or that our continued storage of your personal information is contrary to our legal obligations or business objectives.

To the extent permitted by law, we may retain and use anonymous and aggregated information for performance reporting, benchmarking, and analytic purposes and for product and service improvement. When we delete personal information, it will be removed from our active servers and databases; but, it may remain in our archives when it is not practical or possible to delete it.

We are required by law to maintain records of consumer requests submitted under the California Consumer Privacy Act and how we responded to such requests for at least 24 months. We only use this information for record keeping purposes.

HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

We have put security measures in place to protect the personal information that you share with us from being accidentally lost, used, altered, or disclosed or accessed in an unauthorized manner. From time to time, we review our security procedures to consider appropriate new technology and methods.

We use SSL technology to encrypt data in transit, and we also encrypt data at rest on our systems. We do not store or save your financial information. While our security measures seek to protect your personal information in our possession, no security system is perfect, and no data transmission over the Internet can be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee or warrant the security of any information you transmit to or from our Site or Platform, and you do so at your own risk. We cannot promise that your personal information will remain absolutely secure in all circumstances.

We also use reasonable security measures when transmitting personal information to consumers in response to requests under the California Consumer Privacy Act. We have implemented reasonable security measures to detect fraudulent identity verification activity and to prevent the unauthorized access to or deletion of personal information.

If a data breach compromises your personal information, we will notify you and any applicable regulator when we are required to do so by applicable law.

RIGHTS AND CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION

Please use the “Contact Us” details at the end of this Policy to exercise your rights and choices under this Policy. If you would like to manage, change, limit, or delete your personal information or if you no longer want to receive any email, postal mail, or telephone contact from us in the future, such requests may be submitted via the “Contact Us” details at the end of this Policy. If you are exercising a right that is the responsibility of our customers, we will direct you to contact the appropriate customer who is responsible for responding to your request.

Email Opt-Out. If you no longer wish to receive communications from us via email, you may opt-out by clicking the “unsubscribe” link available at the bottom of our email communications or by contacting us at privacy@epionhealth.com. Once we receive your instruction, we will promptly take corrective action.

Cookies. You may set your browser to refuse all or some browser cookies or to alert you when cookies are being set.  For more information on how to modify your browser settings to block or filter cookies, visit http://www.aboutcookies.org/ or http://www.cookiecentral.com/faq/.  You may learn more about internet advertising practices and related consumer resources at http://www.aboutads.info/consumers/, http://www.networkadvertising.org/choices, and http://youronlinechoices.eu/.

Online Tracking Signals. Except as otherwise required by law, we do not currently recognize browser settings or signals of tracking preferences, which may include “Do Not Track” instructions. “Do Not Track” is a web browser setting that seeks to disable the tracking of individual users’ browsing activities. We adhere to the standards set out in this Policy and do not currently respond to “Do Not Track” signals on the Site/Platform or on third-party websites or online services where we may collect information.

Accuracy and Updating Your Personal Information. Our goal is to keep your personal information accurate, current, and complete. If any of the personal information you have provided to us changes, please let us know via the “Contact Us” details at the end of this Policy. For instance, if your email address changes, you may wish to let us know so that we can communicate with you. If you become aware of inaccurate personal information about you, you may want to update your information. We are not responsible for any losses arising from any inaccurate, inauthentic, deficient, or incomplete personal data that you provide to us.

Preferences.  If you wish to change your communication preferences or ask that we restrict how we use your personal information, please contact us via the “Contact Us” details at the end of this Policy.  You may follow opt-out links on any marketing communications sent to you.

Complaints. If you believe that your rights relating to your personal information have been violated, you may lodge a complaint with us by contacting us via the “Contact Us” details at the end of this Policy.

California Residents. If you are a resident of California, you may review our California supplement to this privacy notice by clicking here.

Nevada Residents. Effective October 1, 2019, you may submit a verified request to us at privacy@epionhealth.com to request that we not make any sale (as defined under Nevada law) of any covered information (as defined under Nevada law) that we have collected or will collect about you. Please provide your name and contact information in your request, and we will respond to your request in accordance with Nevada law.

THIRD-PARTY SITES

This Policy is applicable only to the Site and the Platform, and it does not apply to any third-party websites.

The Site and the Platform may contain links to, and media and other content from, third-party websites. These links are to external websites and third parties which have their own privacy policies. Because of the dynamic media capabilities of the Site and the Platform, it may not be clear to you which links are to the Site/Platform and which are to external, third-party websites. If you click on an embedded third-party link, you will be redirected away from the Site/Platform to the external third-party website. You can check the URL to confirm that you have left this Site.

We cannot and do not (1) guarantee the adequacy of the privacy and security practices employed by or the content and media provided by any third parties or their websites, (2) control third parties’ independent collection or use of your personal information, or (3) endorse any third-party information, products, services or websites that may be reached through embedded links on this Site.

Any personal information provided by you or automatically collected from you by a third party will be governed by that party’s privacy policy and terms of use.  If you are unsure whether a website is controlled, affiliated, or managed by us, you should review the privacy policy and practices applicable to each linked website.

CHILDREN’S ONLINE PRIVACY PROTECTION ACT

The Children’s Online Privacy Protection Act (“COPPA”), as well as other data privacy regulations, restrict the collection, use, or disclosure of personal information from and about children on the Internet. Our Site and services are not directed to children under the age of 13, nor is information knowingly collected from children under the age of 13. No one under the age of 13 may access, browse, or use the Site/Platform or provide any information to or on the Site/Platform. If you are under 13, please do not use or provide any information on the Site/Platform (including, for example, your name, telephone number, email address, or username). If we learn that we have collected or received personal information from a child under the age of 13 without a parent’s or legal guardian’s consent, we will take steps to stop collecting that information and delete it. If you believe we might have any information from or about a child under the age of 13, please contact us using the contact information provided below.

For more information about COPPA, please visit the Federal Trade Commission’s website at: https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule.

UPDATES AND CHANGES TO THIS POLICY

We reserve the right, at any time, to add to, change, update, or modify this Policy to reflect any changes to the way in which we treat your personal information or in response to changes in law. Should this Policy change, we will post all changes we make to this Policy on this page.  If we make material changes to how we treat your personal information, we will also notify you by posting a notice on the home page of the Site and within the Platform for a reasonable period of time. Any such changes, updates, or modifications shall be effective immediately upon posting. The date on which this policy was last modified is identified at the beginning of this Policy.

 

You are expected to, and you acknowledge and agree that it is your responsibility to carefully review this Policy prior to using the Site or the Platform, and from time to time, so that you are aware of any changes. Your continued use of the Site or the Platform after the “Last Updated” date will constitute your acceptance of and agreement to such changes and to our collection and sharing of your personal information according to the terms of the then-current Policy. If you do not agree with this Policy and our practices, do not access, view, or use any part of the Site or the Platform.

CONTACT US

For more information, or if you have any questions or concerns regarding this Privacy Policy, wish to exercise your rights, or wish to lodge a complaint with us, you may contact us using the information below, and we will do our best to assist you. Please note, if your communication is sensitive, you may wish to contact us by postal mail.

In Writing:  Epion Health, 111 River Street, Suite 1230, Hoboken, NJ 07030

By Email: privacy@epionhealth.com

PERSONAL INFORMATION WE COLLECT AND PROCESS VIA THE SITE

We collect, receive, and process the following personal information via the Site.  

| Category | Description |
| --- | --- |
| Customer Information | We collect the name, title, telephone number, email address, and mailing address of the individual designated to be the customer’s contact person. We also collect the practice’s name and EHR ID. We track which services have been purchased from us. |
| Cookies and Similar Technologies | When you visit the Site, we collect cookies and use similar technologies as described in the “Personal Information Collected Via Cookies and Similar Technologies” section below. If you choose to disable cookies and similar technologies, some areas and features of the Site may not work properly. |
| Usage Information | When you visit the Site, we automatically collect information from your browser and your device, which includes the date and time of your visit as well as your location, Internet Protocol (IP) address or unique device identifier, domain server, browser type, access time, and data about which pages you visit. |
| Job Applicant Information | We collect your name, address, telephone number, email address, resume, cover letter, citizenship/employment eligibility, LinkedIn URL, and information about your professional experience. |
| Webinar Registrations | We collect your name, email address, job title, and organization name. |
| Blog Comments | We collect your name, email address, website, and any information you provide in your comment. |

Personal Information Collected Via Cookies and Similar Technologies

First and Third-Party Cookies – Description

A “cookie” is a small file created by a web server that can be stored on your device (if you allow) for use either during a particular browsing session (a “session” cookie) or a future browsing session (a “persistent” cookie).  “Session” cookies are temporarily stored on your hard drive and only last until they expire at the end of your browsing session. “Permanent” cookies remain stored on your hard drive until they expire or are deleted by you. Local stored objects (or “flash” cookies) are used to collect and store information about your preferences and navigation to, from, and on a website.  

First-party cookies are set by the Site, and they can only be read by the Site. Third-party cookies are set by a party other than us. We use first-party and third-party session, persistent, and/or flash cookies and the information collected by them as set forth herein.

Similar Technologies – Description

In addition to cookies, there are other automatic data collection technologies, such as Internet tags, web beacons (clear gifs, pixel tags, and single-pixel gifs), and navigational data collection (log files, server logs, etc.) that can be used to collect data as users navigate through and interact with the Site:

  • Web beacons: These are tiny graphics (sometimes called “clear GIFs” or “web pixels”) with unique identifiers that are used to understand browsing activity.  In contrast to cookies, which are stored on a user’s computer hard drive, web beacons are rendered invisible on web pages when you open a page.
  • Social Widgets: These are buttons or icons provided by third-party social media providers that allow you to interact with social media services when you view a webpage or mobile app screen. These social widgets may collect browsing data, which may be received by the third party that provided the widget and are controlled by third parties.
  • UTM Codes: These are strings that can appear in a URL (the “Uniform Resource Locator,” which is typically the http or https address entered to go to a web page) when you move from one web page or website to another, where the string can represent information about browsing, such as which advertisement, page, or publisher sent the user to the receiving website.

What Cookies and Similar Technologies Are in Use and Why Do We Use Them?

Google Analytics.  We use Google Analytics to collect and process statistical data about the number of people using the Site and to better understand how they find and use our webpages.  The data collected includes data related to your device/browser, your IP address, and on-site activities to measure and report statistics about user interactions on the Site. The information stored in the cookie is reduced to a random identifier. Any data collected is used in accordance with this Privacy Policy and Google’s privacy policy.  You may learn more about Google Analytics and the cookies used by Google by visiting https://www.google.com/policies/privacy/partners/ and https://support.google.com/analytics/answer/6004245.  You can learn more about Google’s restrictions on data use by visiting the Google Privacy Policy at: https://www.google.com/policies/privacy. Google Analytics relies on the following cookies:

| Domain | Cookie Name | Description | Duration |
| --- | --- | --- | --- |
| epionhealth.com | _ga | Google Analytics | 2 years from the date it was last refreshed |
| epionhealth.com | _gat | Google Analytics | 2 years from the date it was last refreshed |
| epionhealth.com | _gid | Performance cookie used to collect information about how our visitors use the website. | 24 hours after inactivity |

To opt-out of Google Analytics, visit https://tools.google.com/dlpage/gaoptout and install the opt-out browser add-on feature.  For more details, visit the “Google Analytics opt-out browser add-on” page (located at https://support.google.com/analytics/answer/181881?hl=en).

Google Tag Manager. We use Google Tag Manager, which allows marketed website tags to be managed using an interface. The tool itself (which implements the tags) is a cookie-less domain and does not register identifiable data. The tool causes other tags to be activated which may, for their part, register personal data under certain circumstances. Google Tag Manager does not access this information.  Google Tag Manager is subject to the Google Privacy Policy located at https://www.google.com/intl/en/policies/privacy.

| Domain | Cookie Name | Description | Duration |
| --- | --- | --- | --- |
| epionhealth.com | _gcl_au | Google Tag Manager, Used by Google AdSense for experimenting with advertisement efficiency across websites using their services. | 1 week |

Google Marketing Platform. We use the Google Marketing Platform (Google Analytics Advertising Features, DoubleClick, Google AdWords Conversion, Google Conversion Tracking, Google Conversion Linker, Google Remarketing, and GA Audiences) to track user activity on the Site and to serve personalized advertisements. Your browser is assigned a pseudonymous ID used to track the ads that have been served to your browser and to identify those on which you’ve clicked. The cookies enable Google and its partners to select and display ads based on your browsing behavior. 

| Domain | Cookie Name | Description | Duration |
| --- | --- | --- | --- |
| doubleclick.net | IDE | This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website. | 10 years after your last visit to a page containing a Google Map. |
| google.com | 1P_JAR | This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website. | 24 hours after the date of the session |
| google.com | NID | This cookie is set by DoubleClick (which is owned by Google) to help build a profile of your interests and show you relevant ads on other sites. | 6 months |

For more information on how Google uses this information, visit https://support.google.com/displayvideo/answer/7621162.  To block certain ads served by Google, please visit https://support.google.com/ads/answer/2662922.

Typekit by Adobe. We use Typekit by Adobe to enhance the Site’s typography. Adobe uses cookies within Typekit to track usage statistics, and they collect usage information about the fonts being served on the Site.

Hubspot. This website uses a HubSpot tracking code which uses cookies or similar technologies to track visitors of this website and gather demographic information about them. HubSpot keeps track of the Site and pages you visit within HubSpot. This data is used to deliver customized content and promotions to users whose behavior indicates that they are interested in a particular subject area. For more information about HubSpot’s Privacy Policy, see https://legal.hubspot.com/privacy-policy.

| Domain | Cookie Name | Description | Duration |
| --- | --- | --- | --- |
| epionhealth.com | __hssc | This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp. | 30 min |
| epionhealth.com | __hssrc | Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. | end of session |
| epionhealth.com | __hstc | The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session). | 13 months |
| epionhealth.com | hsfirstvisit | HS Performance cookie | end of session |
| epionhealth.com | hubspotutk | This cookie is used to keep track of a visitor’s identity. This cookie is passed to HubSpot on form submission and used when deduplicating contacts. | 13 months |
| js.hs-analytics.net | X-OpenDNS-Session | Hubspot web tracking code | permanent |
| hsforms.com | __cfduid | Hubspot form tracking code | permanent |
| hubspot.com | __cfduid | Hubspot form tracking code | permanent |
| hubspot.com | __hluid | In-app usage tracking | 1 Year |

Other Cookies.  We also use other third-party cookies to provide certain aspects of the Site:

| Domain | Cookie Name | Description | Duration |
| --- | --- | --- | --- |
| google.com | OGPC | This cookie enables the functionality of Google Maps. | 24 hours after the date of the session |
| www.google.com | OTZ | These cookies allow the website to remember choices you make | 30 days |

Other Third-Party Technologies

Some third parties may use automated data collection technologies to collect information about you when you browse the Internet.  The information they collect about your online browsing activities over time and across different websites and other online services may be associated with your personal information and used to provide you with targeted content.  We do not control these third parties’ technologies or how they may be used. If you have any questions about targeted content, you should contact the responsible party directly or consult their privacy policies.

Choices About Cookies

We provide you with choices regarding the personal information you provide to us, and we have created ways to give you control over your information.  Most web browsers are set by default to accept cookies. If you do not wish to receive cookies, you may set your browser to refuse all or some types of cookies or to alert you when cookies are being sent by website tracking technologies and advertising.  You may adjust your browser settings to opt out of accepting a “persistent” cookie and to only accept “session” cookies, but you will need to log in each time you want to enjoy the full functionality of the Site.

Please be aware that, if you decline the use of cookies, you may not have access to the full benefits of the Site.  In addition, adjusting the cookie settings on the Site may not fully delete all of the cookies that have already been created.  To delete them, visit your web browser settings after you have changed your Cookie Settings on the Site. Additional information is provided below about how to disable cookies or manage the cookie settings for some of the leading web browser providers:

Google Chrome: https://support.google.com/chrome/answer/95647?hl=en 

Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences 

Internet Explorer: http://windows.microsoft.com/en-GB/windows-vista/Block-or-allow-cookies 

Safari: http://help.apple.com/safari/mac/8.0/#/sfri11471

To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website at: https://www.macromedia.com/support/documentation/en/flashplayer/help/help09.html. You may also wish to use an internet browser that is designed with users’ privacy in mind, such as Brave or Firefox Quantum.

For more information on how to modify your browser settings to block or filter cookies, visit http://www.aboutcookies.org/ or http://www.cookiecentral.com/faq/. You may learn more about internet advertising practices and related consumer resources at http://www.aboutads.info/consumers/, http://www.networkadvertising.org/choices, and http://youronlinechoices.eu/.

CCPA Notice at Collection.  For purposes of the California Consumer Privacy Act (CCPA), in collecting the information described above, we collect the categories of personal information listed in the left column below. Please also see the “Do Not Sell My Personal Information” and “Notice of Financial Incentive” sections of our Privacy Policy for additional information. You can also click on the “Do Not Sell My Personal Information” link at the bottom of this page.

CCPA Category Description

Identifiers

When collecting Customer Information, we will receive the name, telephone number, email address, and mailing address of the individual designated to be the customer’s contact person.

When collecting Cookies and Similar Technologies and Usage Information, we will receive your Internet Protocol (IP) address or unique device identifier.

When collecting Job Applicant Information, we will receive your name, address, telephone number, and email address.

When collecting Webinar Registrations and Blog Comments we will receive your name and email address.

Categories of personal information described in the California Customer Records statute

When collecting Customer Information, we will receive the name, title, telephone number, and mailing address of the individual designated to be the customer’s contact person.

When collecting Job Applicant Information, we will receive your name, address, telephone number, email address, resume, and information about your professional experience.

When collecting Webinar Registrations, we will receive your name, email address, job title, and organization name.

When collecting Blog Comments we will receive your name and email address.

Characteristics of protected classifications

When collecting Job Applicant Information, we will receive your citizenship/employment eligibility.

Commercial information

When collecting Customer Information, we track which products and services have been purchased from us.

Internet or other electronic network activity information

We collect cookies and use similar technologies as described in the “Personal Information Collected Via Cookies and Similar Technologies” section. We may receive the following via these technologies: browsing history; search history; internet service provider (ISP); type of computer; operating system; type of web browser; URLs of any referring or exited webpages; information about your interaction with the Site/Platform or advertisements on it; data about which pages you visit; and the date and time of your visit.

When collecting Usage Information, we will automatically receive information from your browser and your device, which includes the date and time of your visit as well as your location, domain server, browser type, access time, and data about which pages you visit.

Geolocation data

When collecting Customer Information and Job Applicant Information we will receive your physical address.

When collecting Cookies and Similar Technologies and Usage Information we will receive your location while using the Site.

Inferences

Where permitted by law, based on all of the information that we collect, we may develop inferences and create a profile about your preferences, characteristics, behavior, and attitudes.

Is entry of personal information required?  You may choose not to provide us with personal information, but you will not be able to access portions of the Site that require your personal information (such as completing online orders).  Some pages of the Site, including our online forms and applications, may give you the option of providing certain of your personal information.

PERSONAL INFORMATION WE COLLECT AND PROCESS VIA THE PLATFORM

When we are providing check-in services for a “Covered Entity” customer (your doctor) via the Platform, we act as a “Business Associate” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  In that capacity, we collect, receive, maintain, use, and disclose Protected Health Information as permitted or required under applicable law, and our Covered Entity customer’s (your doctor’s) privacy notice controls how we collect and process PHI.

However, we also give individuals an opportunity to receive personalized information about health-related products and services that may be interesting to them on the Platform.  We do not act as a Business Associate in this capacity, as the service is provided on behalf of the individuals who choose to share data with us pursuant to a HIPAA Authorization.  When individuals opt-in to receiving this information via the Platform, we receive and process the following personal information:

Category Description and Purpose

End User (Patient) Medical Information

If you, as an end user of our Platform, direct your health care provider to share your medical information with us, we will receive the information provided by your health care provider.  This may include the health information entered during the check-in process or on file with your healthcare provider.

Cookies and Similar Technologies

When you use the Platform, we collect cookies and use similar technologies as described in the “Personal Information Collected Via Cookies and Similar Technologies” section below.

Usage Information

When you use the Platform, we automatically collect information from the browser and device, which includes the date and time of your visit as well as your location, Internet Protocol (IP) address or unique device identifier, domain server, browser type, access time, and data about which pages you visit.

Personal Information Collected Via Cookies and Similar Technologies

First and Third-Party Cookies – Description

A “cookie” is a small file created by a web server that can be stored on your device (if you allow) for use either during a particular browsing session (a “session” cookie) or a future browsing session (a “persistent” cookie).  “Session” cookies are temporarily stored on your hard drive and only last until they expire at the end of your browsing session. “Permanent” cookies remain stored on your hard drive until they expire or are deleted by you. Local stored objects (or “flash” cookies) are used to collect and store information about your preferences and navigation to, from, and on a website.  

First-party cookies are set by the Platform, and they can only be read by the Platform.  Third Party Cookies are set by a party other than us. We use first-party and third-party session, persistent, and/or flash cookies and the information collected by them as set forth herein.

Similar Technologies – Description

In addition to cookies, there are other automatic data collection technologies, such as Internet tags, web beacons (clear gifs, pixel tags, and single-pixel gifs), and navigational data collection (log files, server logs, etc.) that can be used to collect data as users navigate through and interact with the Platform:

  • Web beacons: These are tiny graphics (sometimes called “clear GIFs” or “web pixels”) with unique identifiers that are used to understand browsing activity.  In contrast to cookies, which are stored on a user’s computer hard drive, web beacons are rendered invisible on web pages when you open a page.
  • Social Widgets: These are buttons or icons provided by third-party social media providers that allow you to interact with social media services when you view a webpage or mobile app screen. These social widgets may collect browsing data, which may be received by the third party that provided the widget and are controlled by third parties.
  • UTM Codes: These are strings that can appear in a URL (the “Uniform Resource Locator,” which is typically the http or https address entered to go to a web page) when you move from one web page or website to another, where the string can represent information about browsing, such as which advertisement, page, or publisher sent the user to the receiving website.

What Cookies and Similar Technologies Are in Use and Why Do We Use Them?

Domain | Cookie Name | Description | Duration
epionhealth.com | epion_device_password | Unique device identifier for the Epion Platform | permanent
epionhealth.com | _patient-check-in_session | Unique session identifier for the Epion Platform | permanent
epionhealth.com | rack.session | Unique session identifier for the Epion Platform | permanent

Other Third-Party Technologies

Some third parties may use automated data collection technologies to collect information about you when you browse the Internet.  The information they collect about your online browsing activities over time and across different websites and other online services may be associated with your personal information and used to provide you with targeted content.  We do not control these third parties’ technologies or how they may be used. If you have any questions about targeted content, you should contact the responsible party directly or consult their privacy policies.

CCPA Notice at Collection.  For purposes of the California Consumer Privacy Act (CCPA), in collecting the information described above, we collect the categories of personal information listed in the left column below. Please also see the “Do Not Sell My Personal Information” and “Notice of Financial Incentive” sections of our Privacy Policy for additional information. You can also click on the “Do Not Sell My Personal Information” link at the bottom of this page.

CCPA Category Description

Identifiers

When collecting End User Medical Information, we may receive your name, alias, address, medical record number, email address, social security number, driver’s license number, passport number, or other similar identifiers.

When collecting Cookies and Similar Technologies and Usage Information, we will receive your Internet Protocol (IP) address or unique device identifier.

Categories of personal information described in the California Customer Records statute

When collecting End User Medical Information, we may receive your name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, and health insurance information.

Characteristics of protected classifications

When collecting End User Medical Information, we may receive your age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

Biometric information

When collecting End User Medical Information, we may receive physiological, biological or behavioral characteristics that could be used, singly or in combination with each other or with other identifying data, to establish individual identity.

Internet or other electronic network activity information

We use cookies and use similar technologies as described in the “Personal Information Collected Via Cookies and Similar Technologies” section above.  We may receive the following via these technologies: browsing history; search history; internet service provider (ISP); type of computer; operating system; type of web browser; URLs of any referring or exited webpages; information about your interaction with the Site/Platform or advertisements on it; data about which pages you visit; and the date and time of your visit.

When collecting Usage Information, we will automatically receive information from your browser and your device, which includes the date and time of your visit as well as your location, domain server, browser type, access time, and data about which pages you visit.

Geolocation data

When collecting End User Medical Information, we may receive your address or other location information included in your medical records.

When collecting Cookies and Similar Technologies and Usage Information we will receive your location while using the Platform.

Professional or employment-related information

When collecting End User Medical Information, we may receive information about your work history and experience that is included in your medical records.

Education information

When collecting End User Medical Information, we may receive information about your educational history or records that is included in your medical records.

Inferences

Where permitted by law, based on all of the information that we collect, we may develop inferences and create a profile about your preferences, characteristics, behavior, and attitudes.

PERSONAL INFORMATION WE COLLECT AND PROCESS VIA OTHER WAYS

Outside of our Site and Platform, we may collect, receive, and process personal information from you via the methods described below.

Your Communications and Feedback

When you communicate with us or provide feedback, we will receive and may retain your communications and the information included in those messages. If you receive email communications from us, we may use certain tools to capture data related to if/when you open our message and if/when you click on any links or banners it contains.  Other information collected through this email tracking feature may include: your email address, the date and time of your “click” on the email, a message number, the name of the list from which the message was sent, a tracking URL number, and a destination page. We use this information to enhance our marketing efforts.

Financial and Payment Information

If you purchase products or services from us, you will be asked to provide your bank account number, bank routing information, and other data necessary to process payments, including credit card numbers, security codes, expiration dates, and other related billing information.  This information is passed directly to our payment processors and is not accessed by us.

By submitting your payment card information, you expressly consent to the sharing of your information with third-party payment processors and other third-party services (including but not limited to vendors who provide fraud detection services to us and other third parties). Please note that credit card numbers and account information are not stored on our servers.

Third-Party Sources

We may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly-available sources.

CCPA Notice at Collection.  For purposes of the California Consumer Privacy Act (CCPA), in collecting the information described above, we collect the categories of personal information listed in the left column below. Please also see the “Do Not Sell My Personal Information” and “Notice of Financial Incentive” sections of our Privacy Policy for additional information.  You can also click on the “Do Not Sell My Personal Information” link at the bottom of this page.

CCPA Category Description

Identifiers

When collecting Your Communications and Feedback, we will receive your name, email address, a message number, a tracking URL number, and other information that you may provide.

When collecting Financial and Payment Information, our third-party processor will receive your bank account number, bank routing information, credit card numbers, security codes, expiration dates, and other related billing information.

Categories of personal information described in the California Customer Records statute

When collecting Your Communications and Feedback, we will receive your name, email address, and other information that you may provide.

When collecting Financial and Payment Information, our third-party processor will receive your bank account number, bank routing information, credit card numbers, security codes, expiration dates, and other related billing information.

Internet or other electronic network activity information

When collecting Your Communications and Feedback, we will receive data related to if/when you open our message and if/when you click on any links or banners it contains, the date and time of your “click” on the email, a message number, the name of the list from which the message was sent, a tracking URL number, and a destination page.

Audio, electronic, visual, thermal, olfactory, or similar information

When collecting Your Communications and Feedback, we will receive and retain your communications, such as call center recordings and electronic communications with us.

Inferences

Where permitted by law, based on all of the information that we collect, we may develop inferences and create a profile about your preferences, characteristics, behavior, and attitudes.

CALIFORNIA RESIDENTS

Data Practices During Last 12 Months

Personal Information Collected: As described in this Policy, we may have collected the categories of personal information listed below during the preceding 12 months. Not all categories may be collected about every individual:

  • Identifiers
  • Categories of personal information described in the California Customer Records statute
  • Characteristics of protected classifications
  • Commercial information
  • Biometric information
  • Internet or other electronic network activity information 
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences

Personal Information Sold. On the Platform, we will only sell categories of personal information to third parties with the explicit consent of the user on the Platform. We do not sell personal information to data brokers.

Personal Information Disclosed for a Business Purpose. We have disclosed for a business purpose the categories of personal information listed below during the preceding 12 months:

  • Identifiers
  • Categories of personal information described in the California Customer Records statute
  • Characteristics of protected classifications
  • Commercial information
  • Biometric information
  • Internet or other electronic network activity information
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences

We may have disclosed each category of personal information to the following categories of third parties: (1) corporate parents, subsidiaries, and affiliates; (2) advisors (accountants, attorneys); (3) service providers (data analytics, data storage, mailing, marketing, payment processing, Site and Platform administration, technical support); (4) operating systems and platforms; (5) advertising networks (Internet or other electronic network activity information, Geolocation data, and Inferences only); (6) internet service providers; and (7) social networks (Internet or other electronic network activity information, Geolocation data, and Inferences only).

Notice of Financial Incentive

We give individuals an opportunity to receive personalized information about health-related products and services that may be interesting to them via the Platform.  Individuals who want to participate in this service instruct their health care providers to disclose data to us pursuant to a HIPAA Authorization. Individuals can then choose to share information with third parties to receive products, services, discounts, or other offers or benefits.  This service may involve the following categories of personal information under the CCPA:

  • Identifiers
  • Categories of personal information described in the California Customer Records statute
  • Characteristics of protected classifications
  • Commercial information
  • Biometric information
  • Internet or other electronic network activity information
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences

The financial incentive or price or service difference is reasonably related to the value provided by the consumer’s data, as data is required to facilitate the service.  The value depends on how participating individuals interact with the service.

How to opt-in.  You may choose to receive personalized information about health-related products and services by opting-in on the Platform when the option is presented to you.  You may choose to share your information with third parties by selecting that option when presented to you on the Platform.

How to withdraw.  You have the right to withdraw from this service at any time.  You may exercise that right by contacting us via the “Contact Us” details at the end of this Policy.

Do Not Sell My Personal Information

Request to Opt-Out

Where provided by law, you have the right to direct us to stop selling your personal information to third parties and to refrain from doing so in the future.  We do not sell the personal information of minors under 16 years of age without affirmative authorization where required by law.

Submission Instructions.  To exercise this right, please visit our “Do Not Sell My Personal Information” portal.  You are not required to create an account to use the “Do Not Sell My Personal Information” portal, and you may opt-out by contacting us at privacy@epionhealth.com.

Response Process.  We will comply with your request as soon as feasibly possible, but no later than 15 business days from the date of receipt.  We will only use the personal information collected from you in connection with the request for the purposes of complying with the request. If we sell your personal information to any third parties after you submit the request but before we comply with it, we will notify those third parties that you have exercised your right to opt-out and direct those third parties not to sell your information.

We will not ask you to opt-in for at least 12 months after you opted-out.  However, if you initiate a transaction or attempt to use a product or service that requires the sale of your information, we will inform you that the transaction, product or service requires the sale of your personal information and provide you instructions on how the consumer can opt-in.

Denials. If we have a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, we may deny the request.  In this scenario, we will inform the requesting party that we will not comply with the request and provide an explanation of why we believe the request is fraudulent.

Authorized Agent. You may authorize another person to opt-out of the sale of your personal information on your behalf, if you provide the authorized agent a signed, written permission.  We may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on the consumer’s behalf. If the authorized agent is verified, we will comply with the opt-out request submitted by the authorized agent.

Internet Privacy Controls. For online activities, we will treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal your choice to opt-out of the sale of your personal information as a valid opt-out request for that browser or device, or, if known, for you, individually.

Request to Opt-In

Submission Instructions – Adults.  If you exercise your right to opt-out of the sale of your personal information, we will refrain from selling personal information collected by us about you.  However, if you wish to update your preferences, you may opt-in at any time. We use a two-step opt-in process through which you must first clearly request to opt-in and then second separately confirm your choice to opt-in.

Submission Instructions – Minors Ages 13-16. For consumers 13-16 years of age, we will only sell the minor’s personal information if we receive an opt-in request.  We use a two-step opt-in process through which you must first, clearly request to opt-in and then second, separately confirm your choice to opt-in.  When we receive a request to opt-in to the sale of personal information from a minor that is at least 13 and less than 16 years of age, we will inform the minor of the right to opt-out at a later date and of the process for doing so.

Submission Instructions – Minors under 13. For minors under the age of 13, we will only sell the minor’s personal information if the parent or guardian consents to the sale of the minor’s personal information.  We use a two-step opt-in process through which you must first, clearly request to opt-in and then second, separately confirm your choice to opt-in.

In order to determine that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child, we may: (1) provide a consent form to be signed by the parent or guardian under penalty of perjury that must be returned to us by postal mail, facsimile, or electronic scan; (2) require a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; (3) have a parent or guardian call a toll-free telephone number staffed by trained personnel; (4) have a parent or guardian connect to trained personnel via video-conference; (5) have a parent or guardian communicate in person with trained personnel; or (6) verify a parent or guardian’s identity by checking a form of government issued identification against databases of such information, and the parent or guardian’s identification is deleted promptly after such verification is complete.  When we receive an affirmative authorization, we will inform the parent or guardian of the right to opt-out at a later date and of the process for doing so on behalf of their child.

CCPA Requests to Know and Requests to Delete

The CCPA gives consumers the right to request that we (1) disclose what personal information we collect, use, disclose, and sell, and (2) delete certain personal information that we have collected or maintain.  You may submit these requests to us as described below, and we honor these rights where they apply.

However, by way of example, these rights do not apply where we collect or sell a consumer’s personal information if: (1) we collected that information while the consumer was outside of California, (2) no part of a sale of the consumer’s personal information occurred in California, and (3) no personal information collected while the consumer was in California is sold.  In addition, de-identified information is not subject to these rights.

If a request is submitted in a manner that is not one of the designated methods for submission, or if the request is deficient in some manner unrelated to our verification process, we will either (1) treat the request as if it had been submitted in accordance with the designated manner, or (2) provide you with specific directions on how to submit the request or remedy any deficiencies with the request, as applicable.

Request to Know

You have the right to request: (1) the specific pieces of personal information we have collected about you; (2) the categories of personal information we have collected about you; (3) the categories of sources from which the personal information is collected; (4) the categories of personal information about you that we have sold and the categories of third parties to whom the personal information was sold; (5) the categories of personal information about you that we disclosed for a business purpose and the categories of third parties to whom the personal information was disclosed for a business purpose; (6) the business or commercial purpose for collecting, disclosing, or selling personal information; and (7) the categories of third parties with whom we share personal information.  Our response will cover the 12-month period preceding our receipt of a verifiable request.

Submission Instructions.  You may submit a request to know via our Request Portal or via 800.293.4564 or privacy@epionhealth.com.

Verification Process.  We are required by law to verify the identities of those who submit requests to know, and our verification process is described in detail below.  We will inform you if we cannot verify your identity.

  • If we cannot verify the identity of the person making a request for categories of personal information, we may deny the request. If the request is denied in whole or in part for this reason, we will provide a copy of, or direct you to, our privacy policy.
  • If we cannot verify the identity of the person making the request for specific pieces of personal information, we are prohibited from disclosing any specific pieces of personal information to the requestor.  However, if denied in whole or in part for this reason, we will evaluate the request as if it is seeking the disclosure of categories of personal information about the consumer.
  • If there is no reasonable method by which we can verify the identity of the requestor to the degree of certainty required, we will state this in our response and explain why we have no reasonable method by which we can verify the identity of the requestor.

Response Process. Upon receiving a request to know, we will confirm receipt of the request within 10 business days and provide information about how we will process your request. The information provided will describe our verification process and when you should expect a response from us (unless we have already granted or denied the request).  In general, we will respond to the request within 45 days from the day we receive it; but, if necessary, we may take up to an additional 45 days to respond to your request. If an extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 days.

Once verification is complete, we will associate the information provided by you in the verifiable consumer request to any personal information previously collected by us about you.  We will promptly take steps to disclose and deliver, free of charge to you, the information requested. We will provide an individualized response to requests regarding categories of personal information as required by applicable law; but, we may refer you to our general practices outlined in this Policy when our response would be the same for all consumers and all the information that is otherwise required to be in a response is presented here.

If you do not have a password-protected account with us, we may respond to a request to know related to household personal information by providing aggregate household information.  If all consumers of a household jointly request access to specific pieces of personal information for the household, we will comply with the request if we can verify the identity of each consumer.

Delivery. Except as otherwise provided by applicable law, the information will be provided in writing and may be delivered through your account with us.  If you do not maintain an account with us, we will respond by mail or electronically (at your option) in a portable and, to the extent technically feasible, readily-useable format that allows you to transmit the information to another entity.  Alternatively, we may offer a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information. If we do not take action on your request, we will, without delay and, at the latest, within the time period permitted for our response, inform you of the reasons that we did not take action and any rights you may have to appeal the decision.

Limitations. We are committed to responding to requests to know in accordance with applicable law.  However, your rights are subject to the following limitations:

  • We are only required to respond to requests to know twice in a 12-month period.
  • We are prohibited from disclosing Social Security numbers, driver’s license numbers, other government-issued identification numbers, financial account numbers, health insurance numbers, medical identification numbers, account passwords, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.

Denials. If we deny a verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception under applicable law, we will inform the requestor and explain the basis for the denial.  If the request is denied only in part, we will disclose the other information sought by the consumer.

Request to Delete

You have a right to request the erasure/deletion of certain personal information collected or maintained by us.  As described below, we will delete your personal information from our records and direct any service providers (as defined under applicable law) to delete your personal information from their records.

Submission Instructions:  You may submit a request to delete via our Request Portal or via privacy@epionhealth.com.  We may present you with the choice to delete select portions of your personal information, but a global option to delete all personal information will be offered and more prominently presented.

Verification Process.  We are required by law to verify the identities of those who submit requests to delete, and our verification process is described in detail below.  We will inform you if we cannot verify your identity.  

  • If we cannot verify the identity of the person making a request to delete, we may deny the request.  If you have not already made a request to opt-out, we will ask you if you would like to opt-out of the sale of personal information.
  • If there is no reasonable method by which we can verify the identity of the requestor to the degree of certainty required, we will state this in our response and explain why we have no reasonable method by which we can verify the identity of the requestor.

Response Process. Upon receiving a request to delete, we will confirm receipt of the request within 10 business days and provide information about how we will process your request.  The information provided will describe our verification process and when you should expect a response from us (unless we have already granted or denied the request). We will use a two-step process for online requests to delete in which you must first clearly submit the request to delete and then, second, separately confirm that you want your personal information deleted.  In general, we will respond to the request within 45 days from the day we receive it; but, if necessary, we may take up to an additional 45 days to respond to your request. If an extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 days.

Once verification is complete, we will take one of the following actions: (1) permanently and completely erase the personal information on our existing systems (with the exception of archived or back-up systems); (2) deidentify the personal information; or (3) aggregate the personal information.  For personal information stored on archived or backup systems, we may delay compliance with your request to delete for that data until the archived or backup system is restored to active status or next accessed or used for a sale, disclosure, or commercial purpose.

If you do not have a password-protected account with us, we may respond to a request to delete related to household personal information by providing aggregate household information.  If all consumers of a household jointly request deletion for the household, we will comply with the request if we are able to verify the identity of each consumer.

Delivery.  In our response to you, we will inform you of whether or not we have complied with the request. We will also inform you of our obligation to maintain a record of the request under California law.

Limitations.  We are committed to responding to requests to delete in accordance with applicable law.  However, we are not required to delete your personal information if it is necessary for us (or our service providers) to maintain your personal information in order to:

  • Complete the transaction for which the personal information was collected; 
  • Fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
  • Provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you;
  • Otherwise perform a contract between us and you;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
  • Debug to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise his/her right of free speech, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent;
  • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
  • Comply with a legal obligation; and
  • Otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which the information was provided.

Denials.  If we deny your request, we will (1) inform you that we will not comply with the request and describe the basis for the denial; (2) delete the personal information that is not subject to the exception; and (3) not use the personal information retained for any other purpose than provided for by the applicable exception(s).

Verification Procedures

To determine whether the individual making the request is the consumer about whom we have collected information, we will verify your identity by matching the identifying information provided by you in the request to the personal information that we already maintain about you.  As a part of this process, you will be required to provide your name, address, telephone number, date of birth, and/or the name of the physician with whom you last used Epion’s service.

If we cannot verify your identity based on the information already maintained, we may request additional information from you.  We will try to limit the information collected, and we will only use this information to verify your identity and for security or fraud-prevention purposes.  Except as required by law, we will delete any new personal information collected for the purposes of verification as soon as practical after processing the request.

We require different levels of authentication based upon the nature of the personal information requested. A more stringent verification process is applied when (1) sensitive or valuable personal information is involved, (2) there is a greater risk of harm to the consumer, and/or (3) there is a higher likelihood that fraudulent or malicious actors would request the information.

Password-Protected Account. If you have a password-protected account with us, we may verify your identity through our existing authentication practices for the account. We will require you to re-authenticate yourself before disclosing or deleting your data.  If we suspect fraudulent or malicious activity on or from the password-protected account, we will not comply with the request until further verification procedures determine that the request is authentic and that the consumer making the request is the person about whom we have collected information.

Request to Know Categories. For a request to know categories of personal information, we will verify the identity of the consumer making the request to a “reasonable degree of certainty” by matching at least two (2) data points provided by the consumer with data points maintained by us, which we have determined to be reliable for the purpose of verifying the consumer.

Request to Know Specific Pieces. For a request to know specific pieces of personal information, we will verify the identity of the consumer making the request to a “reasonably high degree of certainty” by matching at least three (3) pieces of personal information provided by the consumer with personal information maintained by us, which we have determined to be reliable for the purpose of verifying the consumer, together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. We are required by law to maintain all signed declarations as part of our record-keeping obligations.

Request to Delete.  For a request to delete, we will verify the identity of the consumer to a “reasonable degree of certainty” or a “reasonably high degree of certainty,” depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.  For example, the deletion of family photographs and documents may require a reasonably high degree of certainty, while the deletion of browsing history may require a reasonable degree of certainty.

Authorized Agents

If you use an authorized agent to submit a request to know or a request to delete, we may require you to: (1) provide the authorized agent with signed, written permission to do so; (2) verify your identity directly with us; and (3) directly confirm with us that you provided the authorized agent permission to submit the request.  However, we will not require these actions if you have provided the authorized agent with power of attorney pursuant to the California Probate Code. We may deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

Excessive Requests

If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, we may either (1) charge a reasonable fee, or (2) refuse to act on the request and notify the consumer of the reason for refusing the request.  If we charge a fee, the amount will be based upon the administrative costs of providing the information or communication or taking the action requested.

CCPA Non-Discrimination

You have the right not to receive discriminatory treatment by us due to your exercise of the rights provided by the CCPA.  We do not discriminate against consumers for exercising their rights under the CCPA.

California Shine the Light

Under California Civil Code Section 1798.83, California residents who provide personal information in obtaining products or services for personal, family, or household use may be entitled to request and obtain from us once a calendar year information about the information we shared, if any, with other businesses for direct marketing uses. Please be aware that not all information sharing is covered by the “Shine the Light” requirements and only information on covered sharing, if any, will be included in our response.  As part of the California Online Privacy Protection Act, all users of our Site may make any changes to their information at any time by contacting us at privacy@epionhealth.com.