WHAT WE COLLECT
The following describes the types of personal and other information that DocBuddy may collect about you, the organization you represent, and patients treated by you or by an affiliated organization, as well as how we may use and maintain that information, including, but not limited to:
Before you can use certain functionality offered through the Services, we will ask you, your employer, or a healthcare institution with whom you are affiliated to register with DocBuddy and provide your email address, a password, your first and last name, your institutional affiliations, other contact information, and personal details. We request this information for identification purposes, to communicate with you regarding your account, in connection with security functions, and to facilitate the functioning of certain aspects of the Services. We may keep this information indefinitely.
To fully employ the Services, you may be required to fill out forms that collect personal information including but not limited to your name, address, telephone number, DEA number, account information, employment, and other personal information relevant to a patient’s diagnosis and treatment.
If you correspond with us via electronic transmission, we may gather in a file specific to you the information that you submit. We may keep this information indefinitely.
URL and IP addresses.
Like many other websites, we collect information about the use and navigation of our Services. This information helps us to design our Services to better suit our users’ needs. For example, our Services will track the URL that you visited before you came to our website(s), the URL to which you next go and your Internet Protocol (IP) address. We may use your IP address to help diagnose problems with our server and to administer our Services. Your IP address also is used to help identify you and to gather broad demographic information.
Information Collected with Cookies.
We will not share, rent, sell or otherwise disclose any of the PII that we collect about you, your organization(s), or your patients, except when we have your permission or in any of the following situations:
- We may disclose information that we collect about you or your patients to affiliates, vendors, and suppliers who perform services for us in order to provide certain services, to complete or confirm a transaction that you conduct with us, or to correct errors in our services.
- We may disclose the results of aggregated data about you for marketing or promotional purposes (for instance, that a certain percentage of our Service’s users are living in the United States). In these situations, we do not disclose to these entities any information that could be used to personally identify you. Certain information, such as your password, is not disclosed to marketing advertisers at all, even in aggregate form.
- We may disclose information about you as part of a merger, acquisition, or other sale or transfer of our assets or business. We do not guarantee that any entity receiving such information in connection with one of these transactions will comply with all terms of this policy; you may, however, request that we delete protected health information (PHI) accessible to us in connection with such an event.
- We may disclose information about you, your affiliated healthcare organizations, or your patients to provide services to you; to enforce our client’s rights; to protect against actual or potential fraud; to resolve our users’ inquiries or disputes; to receive payments; to carry out our business; to protect the confidentiality or security of our records; to enable our service providers to perform marketing services on our behalf and inform members about our own products or services; to facilitate the transmission of encrypted PHI to one or more electronic health records systems used by you, your employers, or an affiliated healthcare organization; and to comply with federal or state laws and other applicable legal requirements.
- We may be legally obligated to disclose information about you to the government or to third parties under certain circumstances, such as in connection with illegal activity in our Services or to respond to a subpoena, court order, or other legal process. We reserve the right to release information that we collect to law enforcement or other government officials, as we, in our sole and absolute discretion, deem necessary or appropriate. If you use our Services or services outside of the United States, information that we collect about you may be transferred to servers inside the United States and maintained indefinitely, which may involve the transfer of information out of countries located in the European Economic Area. By allowing us to collect information about you, you consent to such transfer and processing of your data.
Our Services require users to give us unique identifiers in order to log into many areas of our Services. We utilize these unique identifiers to verify the user’s identity and eligibility, in order to protect our members from the release of sensitive or PII to unauthorized users. To help protect the privacy of data you transmit through our Services or through a mobile device, where PII is requested, we also use technology designed to encrypt the information that you input before it is sent to us using Secure Sockets Layer (SSL) technology or similar encryption technology. In addition, we take steps to protect the data we collect against unauthorized access. However, you should keep in mind that our Services are run on software, hardware, and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control.
CORRECTING OR UPDATING INFORMATION COLLECTED ABOUT YOU
You may correct or update information collected about you by managing your account profile or by contacting our Privacy Officer at the address noted below. We will use reasonable efforts to update our records. For our records, we may retain original and updated information for reasons such as technical constraints, dispute resolution, troubleshooting, and agreement enforcement.
LINKED SITES AND OTHER THIRD PARTIES
USE OF THE SERVICES BY CHILDREN
We do not knowingly collect or maintain PII from persons under 13 years old, and no part of our Services is directed to persons under 13. IF YOU ARE UNDER 13 YEARS OF AGE, PLEASE DO NOT USE OR ACCESS OUR SERVICES AT ANY TIME OR IN ANY MANNER. If we learn that PII of persons less than 13 years old has been collected without verifiable parental consent, then we will take appropriate steps to delete this information.
DESTRUCTION OR MODIFICATION OF MEDICAL RECORDS IN THE EVENT OF A MERGER, ACQUISITION, OR DISSOLUTION OF DOCBUDDY
To the extent DocBuddy is deemed to store PHI identifiable in medical records provided by or to you, upon merger, acquisition, or dissolution of DocBuddy, you may request that we restrict the use of or delete such records.
- Restrictions on the Use of Records. Your request for a restriction must be made in writing. In your request, you must tell us: (i) what information you want to limit; (ii) whether you want to limit how we use or disclose your information, or both; and (iii) to whom you want the restrictions to apply.
- Destruction of Records. Your request to delete PHI records must be made in writing. If destruction of PHI occurs, the information will be destroyed in accordance with HIPAA guidance with appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI and the disposal of such information.
If we deny your request for restriction in the use or destruction of PHI, we will notify you in writing. You then have the right to submit to us a written statement of disagreement with our decision and we have the right to rebut that statement.
5860 S. Clayton Ct.
Greenwood Village, CO 80121
INFORMATION ABOUT PARTICULAR THIRD-PARTY SERVICES USED BY DOCBUDDY
GOOGLE ANALYTICS (GOOGLE INC.)
Google Analytics is a web analysis service provided by Google Inc. Google uses collected data to track and examine the use of our website(s), to prepare reports on its activities, and share them with other Google services. Google may use the data it collects to contextualize and personalize the ads of its own advertising network.
DISPLAY ADVERTISING EXTENSION FOR GOOGLE ANALYTICS (GOOGLE INC.)
The use of Google Analytics in connection with our Services might use Google’s Interest-based advertising, 3rd-party audience data and information from the DoubleClick Cookie to extend analytics with demographics, interests and ads interaction data.
We use Google Firebase to send notifications to users of the Android version of our software. Firebase may collect data about you regarding engagement with our application, what kind of device you are using, your location, and other data regarding you and your use of our Services.
Development and Crash Reporting Tools
We may capture and disclose data about you and your use of the Services in order to develop, test, and refine our offerings using tools and services developed by third parties. Such third-party tools include but are not limited to Bitrise, Bugsnag, Firebase, and Pusher, among others.
If enabled by you, the iOS version of our mobile application Services may use Apple iCloud for the storage and syncing of DocBuddy data. Similarly, if enabled by you, we may use data collected by Apple Analytics to help us better understand how our users use our Services.
CLOUD HOSTING SERVICES
We may store content that you disclose to us on virtual servers owned by third parties, including but not limited to Amazon Web Services (each, a Cloud Service Provider). A Cloud Service Provider may disclose, move, access, or use data disclosed by you in accordance with the agreements between DocBuddy and such Cloud Service Providers, as well as the terms of service or privacy policies of such Cloud Service Providers.
TRANSFER OF PHI
We may use, in limited instances, certain third-party services (each, an Integration Platform) to transfer PHI between our systems and electronic health records systems licensed or accessed by your affiliated healthcare organization. In connection with our use of an Integration Platform, if any, we may disclose and transmit PHI to the owner or licensee of such an Integration Platform, as well as information regarding software, devices, and network configurations used by you or your affiliated healthcare organization, for the purposes of providing services to you or your affiliated healthcare organization.
Certain aspects of our services require you to enter speech data in order to use and derive the benefits of our software applications. These applications collect and transmit the speech data you input into the software applications. One or more third parties acting under our direction, pursuant to confidentiality agreements, use the speech data to develop, tune, enhance, and improve their services and products. Neither DocBuddy nor its vendors will use the contents of any speech data provided to us through your use of DocBuddy services for any purpose except as set forth above. Speech Data means the audio files, associated text and transcriptions and log files provided by you hereunder or generated in connection with our applications and may include personal information or PHI.
ADDITIONAL INFORMATION FOR EU / EEC USERS
DATA IS REQUIRED TO PROVIDE SERVICES
Unless otherwise specified, all data requested is mandatory and your choice to not provide data may make it impossible to provide Services to you. In cases where we have made clear that some data is not mandatory, you are free not to communicate this data without any consequences on the availability or the functioning of the Service. If you are uncertain about which PII (Personal Data under the GDPR) is mandatory, then you are welcome to contact us at the e-mail address specified above.
ADDITIONAL INFORMATION ABOUT YOUR PERSONAL DATA
YOUR GDPR RIGHTS
Solely to the extent applicable to DocBuddy, if you are subject to the GDPR regime, then you have the right, at any time, to know whether your Personal Data has been stored. You can consult DocBuddy to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, cancelled, updated or corrected, or for their transformation into anonymous format or to block any data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. Requests should be sent to the Privacy Officer at the contact information set out above.
ADDITIONAL INFORMATION REGARDING METHODS OF PROCESSING
DocBuddy takes security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data. The data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to DocBuddy, in some cases, the data may be accessible to certain types of persons in charge, involved with the operation of this website (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as data processors by DocBuddy. If applicable, this list may be requested by a GDPR-covered person from DocBuddy at any time.
LEGAL BASIS FOR PROCESSING
DocBuddy may process Personal Data relating to users if one of the following applies:
- users or their agents (including hospital systems, managed care providers, and other employers) have given their consent for one or more specific purposes. Note: Under some legislation, DocBuddy may be allowed to process Personal Data until the user objects to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases;
- provision of data is necessary for the performance of an agreement with the user or an authorized agent of the user (including hospital systems, managed care providers, and other employers) and/or for any precontractual obligations thereof;
- processing is necessary for compliance with a legal obligation to which DocBuddy is subject;
- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in DocBuddy; and/or
- processing is necessary for the purposes of the legitimate interests pursued by DocBuddy or by a third party.
In any case, DocBuddy will help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
PLACE OF PROCESSING
Personal Data is processed at DocBuddy’s operating offices, in data centers located in the United States, and in any other places where the parties involved in the processing are located. The United States has different (and often lesser) privacy protections than other jurisdictions. By providing data, using this website, using mobile applications provided by DocBuddy, or requesting services, you consent to the transfer of your data to the United States and the processing of such data in the United States.
Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.
- Personal Data collected for purposes related to the performance of services shall be retained until the longer of (a) such services are completed, (b) as specified in a relevant agreement (such as an agreement with a hospital system, managed care organization, or employer), and (c) as required to maintain records of such services.
DocBuddy may be allowed to retain Personal Data for a longer period whenever the user has given consent to such processing, as long as such consent is not withdrawn. Furthermore, DocBuddy may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation (including but not limited to retention of records of healthcare services performed or recommended) or upon order of an authority.
The right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after information has been deleted.
THE PURPOSES OF PROCESSING
Data about you is collected to allow us to provide services to you, as well as for the following purposes: analytics, managing contacts and sending messages, user database management, heat mapping and session recording, displaying content from other platforms, content performance and features testing (A/B testing), generation models of medical and clinical conditions, generation models of physician and clinical performance, infrastructure monitoring and contacting the user.
INFORMATION NOT CONTAINED IN THIS POLICY
More details concerning the collection or processing of Personal Data may be requested from the Privacy Officer at any time. Please see the contact information at the beginning of this document.
DATA PROTECTION OFFICER
The Data Protection Officer is the Privacy Officer.
This privacy statement has been prepared based on provisions of multiple legislations, including the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the U.S. Health Information Technology for Economic and Clinical Health Act (“HITECH”), and Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”).