This Privacy Policy discloses our information gathering and dissemination practices with respect to the Services. Please read this Privacy Policy carefully. We have also created this Privacy Policy to demonstrate our commitment to privacy. We recognize that when you provide us with information about yourself that you trust us to act in a responsible manner with that information. We are committed to making sure we earn and keep that trust.

The following describes the types of personal and other information that DocBuddy may collect about you, the organization you represent, and patients treated by you or by an affiliated organization, as well as how we may use and maintain that information, including, but not limited to:

Registration.

Before you can use certain functionality offered through the Services, we will ask you, your employer, or a healthcare institution with whom you are affiliated toregister with DocBuddy and provide your email address, a password, your first and last name, your institutional affiliations, other contact information, and personal details. We request this information for identification purposes, to communicate with you regarding your account, in connection with security functions, and to facilitate the functioning of certain aspects of the Services. We may keep this information indefinitely.

Forms.

To fully employ the Services, you may be required to fill out forms that collect contain personal information including but not limited to your name, address, telephone number,DEA number, account information, employment, and other personal information relevant to a patient’s diagnosis and treatment.

Medical Records.

For licensed medical professionals to provide care to their patients, we may collect data concerning such patients, including but not limited to standard medical and clinical data, test results, insurance claim data, eligibility data, enrollment data, health risk assessment data, billing information, and electronic health record data. We may keep this information indefinitely in de-identified form, subject to the other terms of this Privacy Policy, our agreement with the institution that permits you to access the Platform, or a otherwise required by law.

Correspondence.

If you correspond with us via electronic transmission, we may gather in a file specific to you the information that you submit. We may keep this information indefinitely.

URL and IP addresses.

Like many other websites, we collect information about the use and navigation of our Services. This information helps us to design our Services to better suit our users’ needs. For example, our Services will track the URL that you visited before you came to our website(s), the URL to which you next go and your Internet Protocol (IP) address. We may use your IP address to help diagnose problems with our server and to administer our Services. Your IP address also is used to help identify you and to gather broad demographic information.

Information Collected with Cookies.

Like most providers of web and mobile applications, we use cookies in connection with certain aspects of our Services, including pages of our website. Cookies make using the Internet easier by, among other things, saving preferences for you. For example, a cookie may let our Services remember that you’ve registered with us, which allows us to speed up your future activities with our Services, and which allows you to enter your registration information less frequently while using our Services. We may also use cookies to deliver content tailored to your interests. Cookies may enable us or our affiliates to relate your use of our Services to personally identifying information (PII) that you previously submitted, such as calling you by name when you use our Services at a later date. If your browser or device is set to reject cookies, or if your browser or device notifies you that you are about to receive a cookie and you reject it, then your use of the Services may not be as efficient or as enjoyable as it would be if the cookie were enabled. The information that we collect with cookies allows us to improve our marketing and promotional efforts, to analyze use of our Services, to improve our content and product offerings and to customize content provided through the Services, as well as the layout of such Services. However, we only use information collected with cookies on an aggregated basis without the use of any information that personally identifies you.

We will not share, rent, sell or otherwise disclose any of the PII that we collect about you, your organization(s), or your patients, except when we have your permission or in any of the following situations:

• We may disclose information that we collect about you or your patients to affiliates, vendors, and suppliers who perform services for us in order to provide certain services, to complete or confirm a transaction that you conduct with us, or to correct errors in our services.
• We may disclose the results of aggregated data about you for marketing or promotional purposes (for instance, that a certain percentage of our Service’s users are living in the United States). In these situations, we do not disclose to these entities any information that could be used to personally identify you. Certain information, such as your password, is not disclosed to marketing advertisers at all, even in aggregate form.
• We may disclose information about you as part of a merger, acquisition, or other sale or transfer of its assets or business. We do not guarantee that any entity receiving such information in connection with one of these transactions will comply with all terms of this policy; you may, however, request that we delete protected health information (PHI) accessible to us in connection with such an event.
• We may disclose information about you, your affiliated healthcare organizations, or your patients to provide services to you; to enforce our client’s rights; to protect against actual or potential fraud; to resolve our users’ inquiries or disputes; to receive payments; to carry out our business; to protect the confidentiality or security of our records; to enable our service providers to perform marketing services on our behalf and inform members about our own products or services; to facilitates the transmission of encrypted PHI to one or more electronic health records systems used by you, your employers, or an affiliated healthcare organization; and to comply with federal or state laws and other applicable legal requirements.
• We may be legally obligated to disclose information about you to the government or to third parties under certain circumstances, such as in connection with illegal activity in our Services or to respond to a subpoena, court order, or other legal process. We reserve the right to release information that we collect to law enforcement or other government officials, as we, in our sole and absolute discretion, deem necessary or appropriate. If you use our Services or services outside of the United States, information that we collect about you may be transferred to servers inside the United States and maintained indefinitely, which may involve the transfer of information out of countries located in the European Economic Area. By allowing us to collect information about you, you consent to such transfer and processing of your data.

Our Services require users to give us unique identifiers in order to log into many areas of our Services. We utilize these unique identifiers to verify the user’s identity and eligibility, in order to protect our members from the release of sensitive or PII to unauthorized users. To help protect the privacy of data you transmit through our Services or through a mobile device, where PII is requested, we also use technology designed to encrypt the information that you input before it is sent to us using Secure Sockets Layer (SSL) technology or similar encryption technology. In addition, we take steps to protect the data we collect against unauthorized access. However, you should keep in mind that our Services are run on software, hardware, and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control.Please also be aware that despite our best intentions and the guidelines outlined in this Privacy Policy, no data transmission over the Internet or encryption method can be guaranteed to be 100% secure.

You may correct or update information collected about you by managing your account profile or by contacting our Privacy Officer at the address noted below. We will use reasonable efforts to update our records. For our records, we may retain original and updated information for reasons such as technical constraints, dispute resolution, troubleshooting, and agreement enforcement.

This Privacy Policy only addresses the use and disclosure of information we collect from you. You should be aware that when you are using our Services, you may be directed to other websites or applications that are beyond our control, and we are not responsible for the privacy practices of third parties or the content of linked websites or applications. We encourage you to read the posted privacy policy whenever interacting with any third-party website or application, including any electronic medical records system you access through your employer or affiliated healthcare institution.

We reserve the right to update this Privacy Policy from time to time. Please visit this page periodically so that you will be apprised of any changes.

We do not knowingly collect or maintain PII from persons under 13 years old, and no part of our Services are directed to persons under 13. IF YOU ARE UNDER 13 YEARS OF AGE, PLEASE DO NOT USE OR ACCESS OUR SERVICES AT ANY TIME OR IN ANY MANNER. If we learn that PII of persons less than 13 years old has been collected without verifiable parental consent, then we will take appropriate steps to delete this information.

By choosing to use our Services, or otherwise provide information to us, you agree that any dispute over privacy or the terms contained in this Privacy Policy will be governed by the law of the State of Colorado, without reference to principles of conflicts of law. You also agree to abide by any limitation on damages contained in our Terms of Service or other agreement that we have with you.

To the extent DocBuddy is deemed to store PHI identifiable in medical records provided by or to you, upon merger, acquisition, or dissolution of DocBuddy, you may request that we restrict the use of or delete such records.

• Restrictions on the Use of Records. Your request for a restriction must be made in writing. In your request, you must tell us: (i) what information you want to limit; (ii) whether you want to limit how we use or disclose your information, or both; and (iii) to whom you want the restrictions to apply.
• Destruction of Records. Your request to delete PHI records must be made in writing. If destruction of PHI occurs, the information will be destroyed in accordance with HIPAA guidance with appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI and the disposal of such information.
• Right to a Paper Copy of This Privacy Policy. You have a right at any time to request a paper copy of this Privacy Policy, even if you had previously agreed to receive an electronic copy.If we deny your request for restriction in the use or destruction of PHI, we will notify you in writing. You then have the right to submit to us a written statement of disagreement with our decision and we have the right to rebut that statement.

If you have any questions about this Privacy Policy, or need to reach us for any other reason, including to exercise any of the rights described above, you may contact us at:Privacy OfficerDocBuddy Inc.5860 S. Clayton Ct.Greenwood Village, CO 80121support@docbuddy.com

The policies indicated in this Privacy Policy will remain effective, even if your access to the Services is terminated, to the extent we retain information about you. We may change this Privacy Policy at any time and will inform you of any changes as required by law or regulation.

Google Analytics is a web analysis service provided by Google Inc. Google uses collected data to track and examine the use of our website(s), to prepare reports on its activities, and share them with other Google services. Google may use the data it collects to contextualize and personalize the ads of its own advertising network.Google Analytics Privacy Policy

The use of Google Analytics in connection with our Services might use Google’s Interest-based advertising, 3rd-party audience data and information from the DoubleClick Cookie to extend analytics with demographics, interests and ads interaction data.Google Analytics Privacy Policy

We use Google Firebase to send notifications to users of the Android version of our software. Firebase may collect data about you regarding engagement with our application, what kind of device you are using, your location, and other data regarding you and your use of our Services.Development and Crash Reporting ToolsWe may capture and disclose data about you and your use of the Services in order to develop, test, and refine our offerings using tools and services developed by third parties. Such third-party tools include but are not limited to Bitrise, Bugsnag, Firebase, and Pusher, among others.Bitrise Privacy PolicyBugsnag Privacy PolicyFirebase Privacy PolicyPusher Privacy Policy

Apple

If enabled by you, the iOS version of our mobile application Services may use Apple iCloud for the storage and syncing of DocBuddy data. Similarly, if enabled by you, we may use data collected by Apple Analytics to help us better understand how our users use our Services.Apple Privacy Policy

We may store content that you disclose to us on virtual servers owned by third parties, including but not limited to Amazon Web Services (each, a Cloud Service Provider). A Cloud Service Provider may disclose, move, access, or use data disclosed by you in accordance with the agreements between DocBuddy and such Cloud Service Providers, as well as the terms of service or privacy policies of such Cloud Service Providers.AWS Privacy Policy

We may use, in limited instances, certain third-party services (each, an Integration Platform) to transfer PHI between our systems and electronic health records systems licensed or accessed by your affiliated healthcare organization. In connection with our use of an Integration Platform, if any, we may disclose and transmit PHI to the owner or licensee of such an Integration Platform, as well as information regarding software, devices, and network configurations used by you or your affiliated healthcare organization, for the purposes of providing services to you or your affiliated healthcare organization.

Certain aspects of our services require you to enter speech data in order to use and derive the benefits of our software applications. These applications collect and transmit the speech data you input into the software applications. One or more third parties acting under our direction, pursuant to confidentiality agreements, use the speech data to develop, tune, enhance, and improve their services and products. Neither DocBuddy nor its vendors will use the contents of any speech data provided to us through your use of DocBuddy services for any purpose except as set forth above. Speech Data means the audio files, associated text and transcriptions and log files provided by you hereunder or generated in connection with our applications and may include personal information or PHI.

Unless otherwise specified, all data requested is mandatory and your choice to not provide data may make it impossible to provide Services to you. In cases where we have made clear that some data is not mandatory, you are free not to communicate this data without any consequences on the availability or the functioning of the Service. If you are uncertain about which PII (Personal Data under the GDPR) is mandatory, then you are welcome to contact us at the e-mail address specified above.

In addition to the information contained in this Privacy Policy, upon your request we may provide you with additional and contextual information concerning particular services or the collection and processing of Personal Data.

Solely to the extent applicable to DocBuddy, if you are subject to the GDPR regime, then you have the right, at any time, to know whether your Personal Data has been stored. You and can consult DocBuddy to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, cancelled, updated or corrected, or for their transformation into anonymous format or to block any data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. Requests should be sent to the Privacy Officer at the contact information set out above.

DocBuddy takes security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data. The data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to DocBuddy, in some cases, the data may be accessible to certain types of persons in charge, involved with the operation of this website (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as data processors by DocBuddy. If applicable, this list may be requested and by a GDPR-covered person from DocBuddy at any time.

DocBuddy may process Personal Data relating to users if one of the following applies:

• users or their agents (including hospital systems, managed care providers, and other employers) have given their consent for one or more specific purposes. Note: Under some legislation, DocBuddy may be allowed to process Personal Data until the user objects to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases;
• provision of data is necessary for the performance of an agreement with the user or an authorized agent of the user (including hospital systems, managed care providers, and other employers) and/or for any precontractual obligations thereof;
• processing is necessary for compliance with a legal obligation to which DocBuddy is subject;
• processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in DocBuddy; and/or
• processing is necessary for the purposes of the legitimate interests pursued by DocBuddy or by a third party.In any case, DocBuddy will help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Personal Data is processed at DocBuddy’s operating offices, in data centers located in the United States, and in any other places where the parties involved in the processing are located. The United States has different (and often lesser) privacy protections than other jurisdictions. By providing data, using this website, using mobile applications provided by DocBuddy, or requesting services, you consent to the transfer of your data to the United States and the processing of such data in the United States.

Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.Therefore:

• Personal Data collected for purposes related to the performance of services shall be retained until the longer of (a) such services are completed, (b) as specified in a relevant agreement (such as an agreement with a hospital system, managed care organization, or employer), and (c) as required to maintain records of such services.
• Personal Data collected for the purposes of DocBuddy’s legitimate interests shall be retained as long as needed to fulfill such purposes, including but not limited to retention of records of completed services as required by law, regulation and healthcare practice, and for the other reasons described in this Privacy Policy. Users may find specific information regarding the legitimate interests pursued by DocBuddy within the relevant sections of this document or by contacting DocBuddy.DocBuddy may be allowed to retain Personal Data for a longer period whenever the user has given consent to such processing, as long as such consent is not withdrawn. Furthermore, DocBuddy may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation (including but not limited to retention of records of healthcare services performed or recommended) or upon order of an authority.The right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after information has been deleted.

Data about you is collected to allow us to provide services to you, as well as for the following purposes: analytics, managing contacts and sending messages, user database management, heat mapping and session recording, displaying content from other platforms, content performance and features testing (A/B testing), generation models of medical and clinical conditions, generation models of physician and clinical performance, infrastructure monitoring and contacting the user.

More details concerning the collection or processing of Personal Data may be requested from the Privacy Officer at any time. Please see the contact information at the beginning of this document.

The Data Protection Officer is the Privacy Officer.

This privacy statement has been prepared based on provisions of multiple legislations, including the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the U.S. Health Information Technology for Economic and Clinical Health Act (“HITECH”), and Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”).