GREENLIGHT HEALTH DATA SOLUTIONS PRIVACY STATEMENT
Effective Date: July 08, 2024
At Greenlight, we place the highest importance on respecting and protecting your privacy. Our most important asset is our relationship with you. We want you to feel comfortable and confident when using our Service. We would like to share with you information on our privacy practices and other privacy aspects of the Service. Specifically, we address:
- To what products or services does this Privacy Statement apply?
- How do we protect your personal information?
- What information do we collect and how do we use it?
- When do we share your information?
- Can I opt-out of receiving future communications?
- How do I update my contact information?
- Will I be notified of changes to your privacy practices?
- Who can I contact with a privacy question?
- If I am a California resident, where can I learn more about my California privacy rights?
- To what products or services does this Privacy Statement apply?
This Privacy Statement defines privacy aspects specific to the Service available to users. In this Privacy Statement, we refer to those services (whether one or both of them) as the “Service”. Throughout this Privacy Statement, we refer to information that personally identifies you as “personal information.”
- How do we protect your personal information?
We work to protect your personal information from loss, misuse or unauthorized access, alteration or destruction by maintaining appropriate physical, electronic, and administrative security standards and procedures to safeguard our data systems. It is protected by:
A secure Internet connection using secure socket layer (SSL) technology.
Encryption during transmission to make your information unreadable as it passes over the Internet.
Username /passwords [when required] and Health Data are encrypted as saved to render them unreadable by anyone without a decrypting key.
We also educate our employees on the importance of our privacy and security policies, including a training program that includes ongoing certification of completion and we require that they comply with those policies.
- What information do we collect and how do we use it?
When you use the Service, we collect the following types of information:
- Contact Information. When you register for the Service, we ask for your contact information, such as your email address. We use this information in the event we need to contact you about your use of the Service. If you request customer or technical support, we may use your contact information to elicit your feedback regarding your support experience.
- Health Care and Other Information. In order to offer you the Service, we obtain your permission to act as your agent to access your own health information. To provide this Service, as authorized and directed by you, we retrieve a copy of your health information, which may be obtained from Data Sources who maintain copies of your health information (e.g., patient portal applications and FHIR API endpoints provided by your health care providers), and we use that information to provide you the Service. If you elect to have the Service access other health related record data sources with Data Sources, we will obtain this healthcare-related information from the Data Sources. This Privacy Statement applies to our handling of this information. If you wish to cancel your use of the Service, you may request to do so by emailing cancelmyaccount@greenlighthealth.com. When you request that we close your account, we will remove access to your personal information.
- Anonymous and Technical Information. We use anonymous, aggregate statistical information to help improve our services to you. For example, we review what features are used the most frequently, how many total customers may be viewing their information or what types of data are most commonly entered. Statistics like these help us to understand how our Service is being used, what user trends may be and how to improve our Service in future versions. This anonymous, aggregate information also assists us with troubleshooting and technical support. We may collect anonymous technical information, such as the software or browser version, or operating system. We may also collect the IP address of the device used to access the Service. To help us evaluate usage of the Service, we also collect anonymous information about the pages viewed and links selected by users while using our Service. This information helps us to determine areas of the Service that are most helpful to our users and what areas may need improvement. We use cookies to help us track usage. We also use cookies to make your visit to our websites easier by recognizing you when you return or by customizing your experience.
- Other Information Sources. We may use publicly available sources outside of the Service to verify or supplement the information you give us. For example, we may obtain address updates from the U.S. Postal Service or demographic information from direct marketing companies. We use this data to help us maintain accurate records and to improve the products and services that we deliver to you.
- Children. The Service is not designed to appeal to children under the age of 13. We do not knowingly request or receive any information from children. If you are the parent or guardian of a child under the age of 13 and you believe that he/she has used the Service and provided us with personal information, please contact us as described below so that we may delete that information.
- Former Users. If you are a former user of the Service, we protect your information in the same manner that we treat information about our current users.
- When and with whom do we share your information?
We understand that you are entrusting us with your personal information. That’s why we don’t sell, rent, or share any of the personal information you provide to us with companies outside of Greenlight for their own promotional or marketing use. There are occasions, however, where we must share your information to provide you with the Service or as required by law. Descriptions of when we share and with whom we may share your information are provided below.
- To fulfill or meet the reason you provided the information—i.e., to allow you to share your health and medical information with your designated Authorized Recipients.
- To provide, support, personalize, and develop our Service, products, and services.
- To create, maintain, customize, and secure your account with us.
- To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
- To help maintain the safety, security, and integrity of our Service, products and services, databases and other technology assets, and business.
- For testing, research, analysis, and product development, including to develop and improve the Service.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information.
- To third-party service providers whom we have engaged to facilitate collection of health records in addition to those we have access to, or to fulfill a service you request. These service providers act on our behalf, for example to facilitate access to medical images when our Customer and you request their inclusion. In addition, we may use service providers to provide technical support or to host the Service.
- To include services from third parties. We clearly identify third party services, so you will know who is retrieving your information as part of the Service.
- To share de-identified information with third parties. De-identified information means that your information has been anonymized such that it cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to you.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Service users is among the assets transferred.
- Can I opt out of receiving future communications?
If you have subscribed to email notifications, alerts, or newsletters you can cancel your subscription by following the instructions provided in each email. We use your information to provide you service. You can opt out of these marketing communications by replying “STOP” to SMS messages or emailing support at support@greenlighthealth.com.
- How do I update my contact information?
You can update or correct your Service account information by using applicable features in the Service to update your profile or by emailing support at support@greenlighthealth.com.
- Will I be notified of changes to your privacy practices?
If we make material changes to any of our privacy policies or practices regarding personal information, we will update this Privacy Statement.
- Who can I contact with a privacy question?
If you have privacy-related questions that are not addressed here, please send an email to compliance@greenlighthealth.com or write us at:
Privacy Team
Greenlight Health Data Solutions, Inc.
801 Corporate Center Drive, Suite 320
Raleigh, NC 27607
- If I am a California resident, where can I learn more about my California privacy rights?
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, see the GREENLIGHT PRIVACY NOTICE FOR CALIFORNIA RESIDENTS.
Tell Me More about Greenlight’s Security Practices
We protect personal information stored on our servers from unauthorized access using reasonable safeguards such as firewalls, coupled with carefully developed security procedures to protect your information from loss, misuse or unauthorized alteration.
Our employees are trained and required to safeguard your information and, using physical, electronic and procedural safeguards, we restrict access to personal information to those employees and agents for business purposes only. Additionally, we use internal and external resources to review the adequacy of our security procedures.
To protect the information that you store on your personal computer system, we recommend installation of a personal firewall and anti-virus software. The FTC’s OnGuard Online Website has information on computer security and tips on safeguarding personal information that you may find useful.
Tell Me More about Greenlight’s Web Technologies
We use a variety of technologies to manage our websites. Among these are cookies, which are pieces of information that our websites provide to your browser. Cookies allow us to track overall site usage and determine areas users prefer. Cookies also allow us to customize your visit to the web-based version of the Service by recognizing you when you return. If you choose to decline cookies while using the web-based version of the Service, you may not be able to access certain areas of the Service. Most browsers accept and maintain cookies by default. You can check the “Help” menu of your browser to learn how to change your cookie preference.
When we track activity on the web-based version of the Service, we collect information such as your IP address, browser type and version, and pages you view. We also keep track of how you got to our site and any links you click on to leave our site. We do not track URLs that you type into your browser, nor do we track you across the Internet once you leave our sites. We use your website activity to assist you by reducing the need to re-enter your data and to help us resolve technical support issues. We may also use this information to offer you a personalized experience and to tailor our offerings to you. Remember, you control whether you receive Greenlight promotional materials.
We may access and set cookies using web beacons, also known as single-pixel GIFs which are invisible graphical images. These web beacons tell us useful information regarding the web-based version of the Service, such as which pages users access. When we send you emails, we may include a single-pixel GIF to determine the number of people who open our emails. When you click on a link in an email, we record this individual response to allow us to customize our offerings to you.
We use single-pixels, or transparent GIF files, and cookies to help manage our online advertising. These cookies and GIF files are provided on our behalf by our ad-serving service providers and enable us to learn which links bring users to our websites. Limited demographic and transactional information is transmitted back to our ad-serving service providers when you use our websites. This information is anonymous and does not contain your name, address, telephone number, or email address. This information is used only in the aggregate to evaluate which links users find most helpful in reaching our websites.
Support and Feedback. When contacting us for assistance or submitting feedback to us about Greenlight services, we may collect information about the product you are using, the help screen you are on, browser version and operating system. This information helps us to better understand your issue or suggestion.
United States. Please note that the Service is intended for the exclusive use of residents in the United States of America. It is not our intent to gather personal information from individuals residing outside of the United States. THE SERVICE IS DESIGNED TO COMPLY WITH THE LAWS AND REGULATIONS OF THE UNITED STATES ONLY. Nothing within the Service or on our websites should be considered a solicitation or promotion of any product or any indication for any product that is not permitted by the laws or regulations of the country where the user (or prospective user) of the Service resides.
GREENLIGHT HEALTH DATA SOLUTIONS PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
Effective Date: July 08, 2024
This Privacy Notice for California Residents supplements the information contained in Greenlight’s Privacy Statement and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you“). We adopt this Privacy Notice to comply with the California Consumer Privacy Act of 2018 (CCPA), and any terms defined in the CCPA have the same meaning when used in this Privacy Notice.
Information We Collect
Our Service collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information“). Personal information does not include:
Publicly available information from government records.
Deidentified or aggregated consumer information.
In particular, our Service has collected the following categories of personal information from its consumers within the last twelve (12) months:
Category | Examples | Collected |
A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). |
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. |
YES |
C. Protected classification characteristics under California or federal law. |
Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). |
YES |
D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO |
E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | YES |
F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | NO |
G. Geolocation data. | Physical location or movements. | NO |
H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
I. Professional or employment-related information. | Current or past job history or performance evaluations. | NO |
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |
Our Service obtains the categories of personal information listed above from the following categories of sources:
Directly from you. For example, from forms you complete when creating an account to use the Service.
From third-party websites and software platforms. For example, in order to use the Service’s data retrieval functions, you will need to provide us with your access credentials to third-party websites and software platforms (such as patient portals operated by your health care providers), which we will then use to access and retrieve your data from those third-party sources.
Use of Personal Information
We may use or disclose the personal information we collect for one or more of the following purposes:
- To fulfill or meet the reason you provided the information—i.e., to allow you to share your health and medical information with your designated Authorized Recipients.
- To provide, support, personalize, and develop our Service, products, and services.
- To create, maintain, customize, and secure your account with us.
- To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
- To help maintain the safety, security, and integrity of our Service, products and services, databases and other technology assets, and business.
- For testing, research, analysis, and product development, including to develop and improve the Service.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information or as otherwise set forth in the CCPA.
- To third-party service providers whom we have engaged to provide a product you order, to fulfill a service you request, or to market one of our products or services. These service providers act on our behalf. For example, we may use service providers to provide customer support or to host the Service. Service providers who host web pages and collect information on our behalf are strictly prohibited from using your personal information for their own purposes and must comply with our privacy and security policies.
- To offer you products or services from third parties that we believe you may find beneficial. Some of these are “co-branded” products or services. We clearly identify third-party services, applications and sites, so you will know who is receiving your information. When you request or use any of these third-party products or services, such as the iOS Health app, you are permitting us to provide your personal information to the third party to fulfill your request or provide the product or service.
- To offer links to partner or other third-party Web sites. We do not control the privacy or security practices used on these sites. Before you provide your personal information to these third parties, we recommend that you review their privacy policies to learn more about how they may use your information.
- To share your contact information (name, address, phone number, email address), and the types of Greenlight products and services that you have used, among Greenlight and our subsidiaries (companies that are part of our corporate family through ownership or control) to provide you with a service or product you have requested. Unless you have asked us not to contact you, we may occasionally use your contact information to update you about a service you have requested. Greenlight does not share personal information with subsidiaries.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Service users is among the assets transferred.
- We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing Personal Information
As noted above, we may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
Disclosures of Personal Information for a Business Purpose
In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:
- Category A: Identifiers.
- Category B: California Customer Records personal information categories.
- Category C: Protected classification characteristics under California or federal law.
- Category E: Biometric information.
We disclose your personal information for a business purpose to the following categories of third parties:
- Service providers.
- Our customers whom you have expressly authorized to receive your personal information—i.e., your Authorized Recipient(s).
Sales of Personal Information
In the preceding twelve (12) months, we have not sold any of our users’ personal information.
Deidentified Patient Information
We may disclose deidentified patient information exempt from the CCPA to third parties. To deidentify the patient information, we follow the HIPAA safe harbor method.
Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
- Emailing us at Compliance@greenlighthealth.com
- Visiting our website at https://greenlighthealth.com
- Via U.S. Mail addressed to: Privacy Officer, Greenlight Health Data Solutions, Inc., 801 Corporate Center Dr., Suite 320, Raleigh, NC 27607
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Personal Information Sales
We do not sell the personal information of our users.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.
Changes to Our Privacy Statement
We reserve the right to amend this Privacy Notice at our discretion and at any time. When we make changes to this Privacy Notice, we will post the updated notice on the Service and update the notice’s effective date. Your continued use of our Service following the posting of changes constitutes your acceptance of such changes.
Contact Information
If you have any questions or comments about this Privacy Notice, the ways in which we collect and use your information described here and in the Greenlight Privacy Statement, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Email:
Compliance@greenlighthealth.com
Mail:
Greenlight Health Data Solutions, Inc.
801 Corporate Center Drive, Suite 320
Raleigh, NC 27607