Synchronous Health Privacy Policy

Effective April 1, 2020

INTRODUCTION

We are committed to protecting your privacy, and we have adopted this Privacy Policy to protect information that we collect from our website (the “Site”). This Privacy Policy does not address our use of information collected in connection with our provision of services to our patients, including, without limitation, “protected health information” (as that term is defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended and supplemented from time to time (“HIPAA”)), which is governed by HIPAA and other applicable federal and state laws and regulations, and the terms of our contracts with our patients. We may modify this Privacy Policy from time to time, and if we make material changes to it, we will notify you through the Site or by other means so that you may review the changes before you continue to use the Site. Continuing to use the Site after we publish or communicate a notice about any changes to this Privacy Policy means that you are consenting to the changes.

INFORMATION WE COLLECT AND HOW WE USE IT

We collect and retain contact information for you as a visitor only if you voluntarily supply us with this information. You may choose to provide us with this information, including your name, email address, telephone number or other information. If you have voluntarily provided this information, you consented to the collection and use of your personally identifiable information as described in this Privacy Policy. We use cookies (a small file containing a string of characters placed on your device) and similar technologies, including mobile device identifiers, to improve your Site experience and measure use of our services. We do not currently use cookies and similar technologies to serve you ads. We may collect, or have a third party collect on our behalf, data on the number of visits, paths taken, time spent on the Site and how you use and navigate through the Site (for example, determining the number of Participants who visit various pages within the Site, information accessed by such Participants, whether they scroll up or down on particular pages or complete any forms). We may disclose this information to our affiliates or to third parties. We may use this collected or logged information to diagnose Site technical problems. By visiting the Site, you consent to the placement of cookies and beacons in your browser in accordance with this Privacy Policy. When you visit or leave the Site by clicking a hyperlink or view a plugin on a third-party site, we may automatically receive the URL of the site from which you came or the one to which you are directed. 
We also receive the internet protocol address of your computer or the proxy server that you use to access the web, your computer operating system details, your type of web browser, your mobile device (including your mobile device identifier provided by your mobile device operating system), your mobile operating system (if you are accessing the Site using a mobile device), and the name of your ISP or your mobile carrier.

Polls and surveys may be conducted by us or third parties. We may use your responses to polls and surveys to improve your Site experience and measure use of our services. We may use third parties to deliver incentives to you to participate in surveys or polls. If the delivery of incentives requires your contact information, you may be asked to provide personal information to the third party fulfilling the incentive offer, which will be used only for the purpose of delivering incentives and verifying your contact information. It is up to you whether you provide this information, or whether you desire to take advantage of an incentive. Your consent to use any personally identifiable information for the purposes set forth in the poll or survey will be explicitly requested by the party conducting it.

  • “Public Information” which means the information you choose to make public, as well as information that is always publicly available.
  • Information posted to a group chat or moderated session and information kept within a one on one session.
  • “Contact Information” is personal information and or family/friend/relation that Synchronous Health stores confidentially for your Specialist to access in case of an emergency or mental health crisis.
  • Information Synchronous Health receives on forms, including, but not limited to, identifying information such as address, telephone number, e-mail address related to customer projects.
  • Banking information for billing purposes, such as account # and routing information for invoicing purposes.

Information Synchronous Health Collects for Employees and Sub-Contractors

Federal law requires us to obtain, verify, and record personal information - such as your name, address and date of birth - in order to confirm your identity, social security number and banking information. Synchronous Health collects, retains, and uses PI from employees and subcontractors including the following:

  • Information Synchronous Health receives on applications or other forms, including, but not limited to, identifying information such as address, telephone number, e-mail address, social security number, date of birth, mother’s maiden name, medical history.
  • Federal Tax ID #.
  • Medical records.
  • Investment information.
  • Background security checks.

OPTING OUT

If at any time after registering for information, you change your mind about receiving information from us, send us a request specifying your new choice. Simply send your request to kati.lohr@sync.health. Many browsers and mobile operating systems enable you to indicate your preference regarding online tracking. You can set your browser or mobile operating system to a “do not track” or similar setting and, when your browser or mobile operating system passes your request to us, we will not serve you targeted advertising (which we do not currently do anyway), although we may continue to collect data about your use of the Site. For example, Apple’s iOS7 mobile operating system provides iPhone and iPad Participants with a “Limit Ad Tracking” setting, and if you turn on that setting, we will not use your device identifier to serve you targeted ads.

DISCLOSURES

We will not disclose personal information without your consent unless we have a good faith belief that disclosure is reasonably necessary to comply with a legal requirement or process (including, but not limited to, civil and criminal subpoenas, court orders or other compulsory disclosures); to investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; to investigate and defend ourselves against any third-party claims or allegations; to protect the security or integrity of the services we provide; to respond to claims of a violation of the rights of third parties; or to protect the rights, property, or safety of Synchronous Health, Inc (including its affiliates, “Karla,” “WhenDo,” “we” or “us”), visitors to the Site, or the public. We may also disclose your personal information to a third party as part of a sale of the assets of Synchronous Health, Inc, a subsidiary, or division, or as the result of a change in control of the company or one of its affiliates, or in preparation for any of these events. Any third party to which we transfer or sell Synchronous Health, Inc’s assets will have the right to continue to use the personal and other information that you provide to us in the manner set out in this Privacy Policy. Synchronous Health keeps your information confidential except where disclosure is required or permitted by law (for example to government bodies and law enforcement agencies or during an emergency circumstance as judged by your Specialist working with local authorities).

MOBILE DEVICES

The Synchronous Health Platform is available on a multitude of portable electronic devices. We provide our connection to mobile services for free, but please be aware that your carrier’s normal rates and fees, such as text messaging fees, may still apply.

USES OF COLLECTED DATA

Synchronous Health uses non-identifying and aggregate information to better design our Web site and to use in research and trend analysis. We only provide data to our partners, if any, after we have removed your name and any other personally identifying information from it, or have combined it with other people’s data in a way that it no longer personally identifies you. Synchronous Health uses non-identifying (De-Identified or “Safe Harbor” form) and aggregate information about responses to the clinical outcome assessments (personal assessments), and the frequency of the utilization of the Synchronous Health service. These efforts enhance program evaluation. The anonymous and aggregated data also may be published through various media platforms/academic journals. No personal identifying information is tied to the results, and Synchronous Health does not share anything that could be used to identify your account or your private information. From time to time, we may use customer information for new, unanticipated uses not previously disclosed in our privacy notice. If our information practices change at some time in the future we will contact you before we use your data for these new purposes to notify you of the policy change and to provide you with the ability to opt out of these new uses.

Synchronous Health stores data only for as long as it is necessary to provide products and services to you and others, including those described above and for legal protections or as required by applicable laws and regulations. Synchronous Health may enable access to public information that has been shared through our services. Synchronous Health may allow service providers to access information so they can help us provide services. IP addresses are used to identify the location of Participants, the number of visits from different countries and also to block disruptive use; and to analyze and improve the services offered on our website, e.g. to provide you with the most Participant-friendly navigation experience. Certain information is needed to provide you with services, so we only delete this information after you delete your account. Some forms of processing (geo-location, etc.) may require the express consent of the Participant. Specific information may be shown on the pages of the Site in connection with particular services or processing of Data provided by the Site Participant. Upon request we provide site visitors with access to a description of information that we maintain about them. Synchronous Health websites use industry-standard encryption technologies when transferring and receiving consumer data exchanged with our site. If you feel that this site is not following its stated information policy, you may contact us at addresses or phone number below.

For content that is covered by intellectual property rights, like photos and videos you specifically grant Synchronous Health websites a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Synchronous Health websites (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it. This Paragraph does NOT apply to photos, images or other videos shared ONLY with your Specialist in your private “chat” on the Platform. When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).

PERSONAL INFORMATION DISCLOSURES

We do not share nonpublic personal information about our customers, participants, or partners (present, former and potential) with anyone, except as required by law, or as follows:

  • To any person when you authorize such disclosure.
  • To computer services consultants and technicians or other security consultants, in order to ensure the confidentiality and security of customer & employee records.
  • To financial service providers or consultants to carry out requested services, and/or to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
  • To independent auditors or consultants to carry out institutional risk control.
  • To government or regulatory agencies, including self-regulatory organizations and to comply with a legal summons, court order, subpoena or a similar legal process, audit or investigation.
  • To swap data repositories.

PROTECTION OF INFORMATION & DATA

How We Protect Personal Information

We restrict access to information about you to those employees who need to know that information as part of their job responsibilities. We also educate our employees about the importance of confidentiality and customer privacy through standard operating procedures, special training programs, and our Code of Conduct. We take appropriate disciplinary measures to enforce employee privacy responsibilities. We have developed precautions that comply with federal regulations to ensure the security and confidentiality of customer records and information, to guard against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to our customers or our employees. Synchronous Health maintains strict information security procedures, including physical, electronic and procedural safeguards, to protect the confidentiality of your information. We conduct semi-annual Risk Privacy Assessments and remediate to update our technology to improve the protection of information storage.

We protect nonpublic personal information by

  • Restricting access to customer information to only those personnel for whom the information is necessary.
  • Entering into written confidentiality/non-disclosure agreements with third party service providers for certain disclosures.
  • Maintaining physical, electronic, and procedural safeguards that comply with the relevant laws and regulations; and
  • Conducting Security & Data awareness training program to communicate and educate employees about information security policies and procedures in order to make them aware of their roles and responsibilities in safeguarding information resources.
  • Synchronous Health uses firewall barriers and digital certifications to maintain the security of your online session and information.
  • We do not collect any non-public personal information about visitors on our website, unless information is provided to us voluntarily or derived from website navigation and usage of the Synchronous Health website and online platforms.
  • We may gather and analyze information regarding usage of our website, including domain name, the number of hits, the pages visited, previous/subsequent sites visited and length of Participant session. This information may be gathered by using cookies.

Protecting the Privacy of your fellow Synchronous Health Participants

During the use of Synchronous Health websites services, you will not send or otherwise post unauthorized commercial communications (such as spam) on Sync.Health.

  • You will not collect Participants’ content or information, or otherwise access Sync.Health using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission.
  • You will not upload viruses or other malicious code.
  • You will not solicit login information or access an account belonging to someone else.
  • You will not bully, intimidate, or harass any other Participant.
  • You will not post content that: is hateful, threatening, or pornographic; incites violence; or contains nudity or graphic or gratuitous violence.
  • You will not provide any false personal information on Sync.Health or create an account for anyone other than yourself without permission. You will not create more than one personal profile.

PRIVACY ENFORCEMENT

Personnel using Synchronous Health’s information resources in opposition to this policy may be subject to limitations on the use of these resources, suspension of privileges (including internet access), as well as disciplinary and/or legal action, including termination of employment. Employees, contractors, consultants, interns, and all personnel affiliated via third parties sign the Privacy Policy agreement to comply and be governed by this policy and the Synchronous Health Information Security Policies upon hire and again annually. All Employees have background checks performed. All Specialists acting as contractors go through rigorous vetting processes meeting or exceeding national credentialing standards.

COPYRIGHTS OF SYNCHRONOUS HEALTH AND ASSOCIATED PRODUCTS

We respect other people’s rights and expect you to do the same. You will not post content or take any action on Synchronous Health websites that infringes or violates someone else’s rights or otherwise violates the law. We can remove any content or information you post on Synchronous Health websites if we believe that it violates this Privacy Policy or the Terms of Use on this Site. You will not use our copyrights or any confusingly similar marks, without our written permission. You will not tag Synchronous Health fellow Participants or send email invitations to non-Participants without their consent.

PROTECTING THE PRIVACY OF CHILDREN

The Site is not directed at children under 13 and we will not knowingly allow anyone under 13 to provide any personally identifying information. If you are under 13, please do not provide any information about yourself.

CALIFORNIA CONSUMER PRIVACY ACT – USE AND DISCLOSURES

Synchronous Health recognizes that California has articulated specific privacy rights of Synchronous Health Participants in that State. California Participants should understand that Synchronous Health does not sell Participant data to third parties. Further, Synchronous Health is a medical records retention company. As such, almost all Participant data is kept in encrypted storage as a medical record. State Law requires Synchronous Health to retain such records for at least seven years. The CCPA does not generally apply to medical information governed by the California Confidentiality of Medical Information Act (CMIA) or protected health information collected by a covered entity or business associate governed by the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request, once a year, if Synchronous Health has shared their personal information (non-medical record data only) with other companies for direct marketing purposes during the preceding calendar year. This is California’s “Shine-the-Light Law.” To request a copy of the information disclosure provided by Synchronous Health, please contact us on Synchronous Health websites at the “contact us” link on the website. Please allow reasonable time for a response.

If you are a California resident under the age of 18, and a registered Participant of any site where this policy is posted, California Business and Professions Code Section 22581 permits you to request and obtain removal of content or information you have publicly posted on our site. Synchronous Health does not have Participants below the age of 13 and does not typically allow Participants to publicly post information. However, if you feel you publicly posted information on the Site and you are between the ages of 13 and 17, please contact us on Synchronous Health websites at the “contact us” link on the website. Please allow reasonable time for a response. Please be aware that such a request does not ensure complete or comprehensive removal of the data/content you have posted and that there may be circumstances in which the law does not require or even allow removal of data, specifically medical data, even if requested.

California Right to Know: You may request access to the specific pieces of personal data we have collected about you in the last 12 months. You may also request additional details about our information practices, including the categories of personal data we have collected about you, the sources of such collection, the categories of personal data we share for a business or commercial purpose, and the categories of third parties with whom we share your personal data. You may make these requests by contacting us on Synchronous Health websites at the “contact us” link on the website. Please allow reasonable time for a response.

California Designated Agent. You may designate an agent to make a request on your behalf. That agent must have access to your account for us to verify the request.

California Non-Discrimination. Synchronous Health will never discriminate against you, including by denying or providing a different level of service should you choose to exercise your rights under the CCPA.

GDPR AND INTERNATIONAL PRIVACY

We respect and comply with the local laws of any internationally based Client. The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA and is commonly referred to as “GDPR.” The GDPR regulations include but are not limited to the following: disclosure when you sell, transfer or market to a third party the Participant’s data; access to collected data and clear consent for data provided; security and a notice sent out regarding any potential breach of said security. Finally, dependent on your EU country of origin, the GDPR takes what was previously termed the right “to forget” or request deletion of your data once you cease using an application or site. This tenet of the GDPR may conflict with applicable medical records retention laws. In the United States, this requires at least seven years of retention, which is common around the world and is sometimes up to ten years or more in certain countries. So, unlike some data platforms, we cannot erase private health data directly upon a client’s request, as it may be considered essential for other medical file retention purposes. Applicable individual country medical retention laws are generally considered an acceptable exception to the GDPR regulations regarding the right to deletion of certain data.

SECURITY

We take privacy and security seriously. We have implemented security safeguards designed to protect the personal information that you provide in accordance with industry standards. Access to your data on the Site is password-protected, and, if we collect sensitive data (such as journal entries and credit card information), we will protect it by SSL encryption when it is exchanged between your web browser and the Site. However, since the Internet is not a 100% secure environment, we cannot ensure or warrant the security of any information that you transmit to the Site. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information. Please note that emails, instant messaging, and similar means of communication are not encrypted, and we strongly advise you not to communicate any confidential information through these means. Please help keep your account safe by using a strong password.

The Sync.Health websites may contain links to and from external websites. If you follow a link to any of these external websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these websites or their policies. Please check these policies before you submit any personal data to these external websites.

CORRECTING AND REMOVING YOUR INFORMATION

If you need to update, change or remove information, you can do so by contacting kati.lohr@sync.health or by regular mail addressed to:

Synchronous Health, Inc
Attn: Support
102 Woodmont Blvd, Ste 200
Nashville, TN 37205

We will respond to your request within at most 30 days from the date of your request. We retain the personal information you provide while your account is in existence or as needed to provide you services. We may retain your personal information even after you have closed your account if retention is reasonably necessary to comply with our legal obligations, meet regulatory requirements, prevent fraud and abuse, or enforce this Privacy Policy. We may retain personal information, for a limited time, if requested by law enforcement.

CHANGES TO THIS PRIVACY POLICY

We may change this Privacy Policy from time to time. If we make significant changes in the way we treat your personal information, or to the Privacy Policy, we will provide notice to you through the Site or by some other means, such as email. Please review the changes carefully. If you agree to the changes, simply continue to use the Site. If you object to any of the changes to our terms and you no longer wish to use the Site, you may close your account. Unless stated otherwise, our current Privacy Policy applies to all information that we have about you and your account. Using the Site after a notice of changes has been communicated to you or published through the Site shall constitute consent to the changed terms or practices.

HOW TO CONTACT US

If you have questions or comments about this Privacy Policy, please contact us online or by physical mail at:

Synchronous Health, Inc
102 Woodmont Blvd, Ste 200
Nashville, TN 37205
E-mail: kati.lohr@sync.health

Last Revised: April 1, 2020