Carrum Health Privacy Statement

Your Privacy Is Important to Us.

At Carrum Health, Inc. we know that you care about how your personal information is used and shared, and we take your privacy seriously. This privacy statement explains how Carrum Health collects, processes, and shares personal data about you when you visit our website or use our Services. If you have any questions about our practices as they relate to your data, please contact us using the information below.

Importantly, the data we collect belongs to you. As such, we will always strive to provide you with choices to stop providing us with data, to no longer allow us to share your data, or to ask that we no longer retain your data. If you would like to exercise any of these rights, please contact us at privacy@carrumhealth.com

When Does This Privacy Statement Apply?

You must be at least 18 years old to use our Services and we do not knowingly collect, use, process, or disclose personally identifiable data from any visitor to our website that is under the age of 18. None of our Services or products are directed to users under the age of 18 unless their parent or guardian consents. Should we discover any user under the age of 18, we will immediately revoke their access and terminate their account by the Health Insurance Portability and Accountability Act (HIPAA) and includes information related to your treatment or care such as health records, health histories, test results, medical bills, insurance information, etc. Personal Information and Personal Health Information are collectively referred to herein as Personal Data.

ATTENTION: PLEASE READ CAREFULLY THIS CARRUM HEALTH PRIVACY STATEMENT BEFORE YOU ACCESS ANY CONTENT FROM, OR OTHERWISE USE THE WEBSITE, located at https://carrumhealth.com.

ACCESSING, DOWNLOADING OR OTHERWISE USING THE SERVICES INDICATES THAT YOU ACCEPT AND AGREE TO BE BOUND BY THIS PRIVACY STATEMENT IN FULL. IF YOU DO NOT ACCEPT THIS PRIVACY STATEMENT, DO NOT ACCESS, DOWNLOAD OR OTHERWISE USE THE SERVICES.

What Data Does Carrum Health Collect?

Carrum Health collects data about you from different sources and in various ways when you use our Services:

Information you provide directly. We collect Personal Data that you provide to us directly. This may include:
1. registration or contact information when you sign up for our Services (such as username, password, etc.).
2. information you choose to input into any feature we offer through our Services such as eligibility verification information, medical or treatment information, treatment results, medical history, etc.
3. any other information that you voluntarily and intentionally enter into webforms, our Services or our Sites.
4. any other Personal Data that is requested and required in order to provide our Services.

You will always control what data you choose to provide directly to Carrum Health in connection with our Services, but please be aware that certain of our Services may be impacted by this choice.

Information that is collected automatically. When you use our Services, certain information is collected automatically:
1. Device information (model, operating system version, mobile network information, operating system and system settings, browser type, browser language, Internet Protocol (IP) address, country and time zone in which your device is located, the pages you viewed and how long you viewed them, and similar identifiers). We may associate this information with your account to provide the Services.
2. Mobile application information (application and metadata stored on your device when allowed by your operating system settings).
3. Our Sites may store and retrieve data using cookies set on your device.

Information received from COEs, providers, or other third-parties.

How Does Carrum Use Cookies and Other Data Collection Technologies?

We collect the anonymous information we mentioned above through the use of various technologies, one of which is called “cookies”. A cookie is an element of data that the website can send to your browser, which may then be stored on your hard drive. Cookies may last for only a single session or may span multiple sessions. We use cookies to track user activity by our registered users. Finally, cookies are employed in other applications that require the storage of user data from one screen to the next.

We use third-party analytics tools to better understand who is using the Sites and how people are using them. These tools may use cookies and other technologies to collect information about your use of the Services and Sites and your preferences and activities. These tools collect information sent by your device and other information that assists us in improving the Services. This information may be used to analyze and track data, determine the popularity of certain content, and better understand your online activity, among other things.

Carrum uses Google Analytics, including custom dimensions and metrics features, to better understand who is using the Services and how people are using them. Google uses cookies, pixel tags and other technologies to collect and store information such as content pages visited, places where users click, time spent on each content page, IP address, app instance identifier, type of operating system used, location-based data, device ID, search history, gender, age, and phone number. To better understand how Google collects and processes data, You may review Google’s policies at www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time. You may also visit https://tools.google.com/dlpage/gaoptout for more information about the Google Analytics Opt-Out Browser Add-On. Google may track Your activity over time and across websites.

We use Google Firebase to authenticate users, facilitate account management, provide security, deliver messages, and detect and fix crashes. Specifically, We use Firebase Cloud Messaging, Firebase Crashlytics, and Firebase Authentication. As part of these services, Google may collect information related to your password, email address, telephone number, user agent, IP address, instance ID, crash traces, activity within the apps, breakpad minidump formatted data (for NDK crashes), and other stored device information relevant to debugging crashes. For more information, please visit the Google privacy policy at: https://policies.google.com/privacy?hl=en-US. Carrum also uses an in-house analytics service to better understand who is using the Sites and how people are using them. Carrum uses cookies and other technologies to collect and store information such as member identifier number, browser information, hardware/software type, interaction data, page views, and IP address collected from third parties.

How does Carrum Health Use Personal Data?

Carrum Health uses the Personal Data it collects as described in this privacy statement or as otherwise disclosed to you. We use Personal Data to:

Provide and deliver the Services.
Enhance your experience when using our Services. This may include data relating to your use of our Services so we can recommend a more relevant experience.
Operate our business (including by improving our own operations, securing our systems, conducting analytics, and detecting fraudulent or illegal activity).
Provide care team concierge support, customer support and respond to your questions as well as to communicate with you about our Services and those of others.
Communicate with you about our products and services and those of our selected third-party partners so you can choose to sign up for those services. We may use your name and email address for this purpose.

Legal Bases for Processing Personal Data. Carrum Health may use Personal Data for any of the following purposes:

Performance of a contract

The use of Personal Data may be necessary to perform the agreement you have with Carrum to provide products and services. Here are some examples: to complete your registration, to maintain your account, and to respond to your requests.

Legitimate interests

We may use Personal Data for Carrum’s legitimate interests. For example, We rely on our legitimate interest to administer, analyze and improve our Sites and Services, to operate our business including through the use of service providers and subcontractors (who may have access to your data, to send you notifications about Carrum Services, for archiving, records keeping, statistical and analytical purposes, or to use Personal Data for administrative, fraud detection, audit, training, security, or legal purposes.

Compliance with legal obligations

We may use Personal Data to comply with legal obligations to which we are subject, including to comply with legal process.

Carrum Health may anonymize your Personal Information, or de-identify your Personal Health Information in a way that meets the HIPAA de-identification standard.

Carrum Health does not sell your Personal Data.

How Long Does Carrum Health Keep Personal Data?

Carrum Health may share your Personal Data in the following ways:

With your health plan for purposes of administering benefits available to you, without limitation, processing appeals and exceptions.
With Centers of Excellence and healthcare providers who may conduct a consultation and/or treat you.
With our employees, authorized contractors, and subcontractors who have a need to know such information to provide the Services.
With your health plan in order to invoice and get payment for our Services.

In addition, we may disclose your Personal Data:

If we believe that disclosure is necessary to: (i) detect, prevent or address fraud and other illegal activity, or (ii) identify, contact or bring legal action against someone who may be causing injury to or interference with (either intentionally or unintentionally) our rights or property, other users, or anyone else;
In connection with any legal or other investigation, including an investigation related to a suspected breach of our Terms of Service.
When we believe disclosure is required or permitted by law, including when responding to subpoenas, warrants, production orders, or similar orders; or
If we believe disclosure is needed to protect your safety or the safety of others, including when there is an emergency involving potential harm, loss of security or serious injury to anyone or even threats of such emergencies.

Third-Party Service Providers and Business Partners

Carrum may use third party service providers and business partners to perform functions in connection with the Services, such as payment processing, analyzing and improving the Services usefulness, reliability, user experience, and operation, advertising, storing data, and as otherwise described in this Privacy Statement.

Business Changes

If Carrum becomes involved in a merger, acquisition, sale of assets, joint venture, securities offering, bankruptcy, reorganization, liquidation, dissolution, or other transaction or if the ownership of all or substantially all of our business otherwise changes, we may transfer Personal Data to a third party or parties in connection therewith.

Affiliates

We may also share Personal Data with Carrum affiliates for purposes consistent with this Privacy Statement. Our affiliates will be required to maintain that information in accordance with this Privacy Statement.

Investigations and Law

We may disclose Personal Data to third parties if Carrum believes that such disclosure is necessary to:

Comply with the law or guidance and cooperate with government or law enforcement officials or private parties;
Investigate, prevent or take action regarding suspected illegal activities, suspected fraud, False Claims Act violations, the rights, reputation, safety, and property of Carrum, users, or others, or violations of Carrum policies or other agreements;
Respond to claims and legal process (for example, subpoenas); and/or
Protect against legal liability.

How Long Does Carrum Health Keep Personal Data?

Carrum Health will retain your data only as long as necessary to fulfill the legitimate business need for which the data was collected (such as to provide you with the Services). We may retain data for a longer period if necessary to comply with our legal obligations, to resolve disputes, to enforce agreements or for similar purposes.

How long we keep data is determined by criteria including: i) the length of our relationship with you; ii) whether we have a legal obligation to retain the data; or iii) whether retention is advisable considering current legal positions such as any regulatory investigations.

Once Carrum Health no longer has any legitimate need to protect your data, we follow our internal procedures and policies and, if possible, will either delete your data or render it impossible to identify you from the data. If we cannot take these steps, we will archive the data and ensure it is no longer used until the steps can be taken. Please note that there are times that we need to continue to use and retain your data (such as to complete pending requests or for record keeping purposes) and that our databases or other repositories may have residual data that we cannot remove or to which we are unable to provide access.

How Is My Personal Data Protected by Carrum Health?

We are committed to ensuring the data we collect, process and share is kept private and secure, and we have implemented reasonable and appropriate measures to protect against the loss, misuse and alteration of the information under our control. Despite these measures, we cannot guarantee that a security breach will not occur. We also expect that you will use appropriate security measures to protect your Personal Data when using our Services.

To help maintain the security of your Personal Data, you must accept responsibility for maintaining the security of your account credentials. This includes using a strong password, never sharing your password or account details with anyone, and not using the same password with multiple accounts. If your credentials are used to login to the Services, Carrum Health will treat that access as authorized by you. If we learn of any unauthorized access to your account or any disclosure of data that affects the security of your Personal Information, we will provide you with notice as required by applicable law.

While Carrum takes reasonable measures to protect the information you submit via the Sites against loss, theft and unauthorized use, disclosure, or modification, Carrum cannot guarantee its absolute security. No Internet, email, or mobile application transmission is ever fully secure or error free. Email or other messages sent through the Services and Sites may not be secure. You should use caution whenever submitting information and take special care in deciding with which information you provide.

We cannot guarantee that transmissions of your Personal Information will be fully secure and that third parties will never be able to defeat our security measures or the security measures of our partners. WE ASSUME NO LIABILITY FOR DISCLOSURE OF YOUR INFORMATION DUE TO TRANSMISSION ERRORS, THIRD PARTY ACCESS, OR CAUSES BEYOND OUR CONTROL.

California Data and Privacy Rights

If you are a California resident and the processing of personal information about you is subject to the California Consumer Privacy Act (the “CCPA”), you have certain rights with respect to that information. To exercise any of your rights with respect to the information that Carrum Health collects, please contact us in one of the ways described in the Contact section below.

Right to Know. You have a right to request the following information:

The categories and specific pieces of personal information collected about you.
The categories of sources from which personal information is collected.
The purposes for collecting, using, or selling personal information.
The categories of third parties with which personal information is shared.
The categories of personal information we have disclosed about you for a business purpose. Note that the CCPA defines “business purpose” broadly; and because we use service providers for a number of business purposes that require access to our systems that hold personal information (such as supplying cloud data storage, maintaining the security of our systems, and providing customer support), in the past 12 months we have disclosed for a business purpose data from each of the categories of personal information that we maintain.
The categories of personal information we have “sold” about you (if any), for each category of third party to which the personal information was sold. See the “Right to Opt-Out” below for more information.

Please note that we have provided much of this information in this privacy statement.

Right to Request Deletion: The CCPA also provides Californian residents the right to request that we delete personal information under certain circumstances, subject to a number of exceptions. These exceptions to deletion include when information is: (1) needed to complete the transaction for which it was collected or to provide goods or services requested by the consumer; (2) used in the context of the business relationship with the consumer; (3) required to perform a contract; (4) used to detect security incidents and protect against malicious, fraudulent or illegal activity; (5) needed to engage in scientific, historical, or statistical research in the public interest; (6) used solely for internal uses that are reasonably aligned with the expectations of the consumer; or (7) required to comply with a legal obligation or applicable laws.

Right to Opt-Out. Carrum Health does not sell your data for advertising or other purposes.

Right to Non-Discrimination. If you exercise any of your privacy rights as a California resident, Carrum Health will not discriminate against you by offering you different pricing or services, or by providing you with a different level or quality of service, based solely upon this request. Certain Carrum Health Services, however, may require your consent to have your personal information shared with Carrum Health to provide the Services or to allow us to use and disclose your personal information to provide the Services. When you exercise your rights, you may lose access to certain aspects of Carrum Health’s Services that require your personal information to perform the Services.

Notification of Changes

This privacy statement may be revised over time, as changes are deemed necessary and any such updated Privacy Statement will be posted (together with its effective date) on this page. If we make material changes that reduce your privacy rights, we will notify you in advance by sending you an email and/or by posting a notice in the Services at least 30 days prior to the change in either this Privacy Statement or how we handle your data to allow you to make an informed choice.

Terms of Service

Please also visit the Carrum Health Terms of Service at Terms of Service – Carrum Health , which state the terms, disclaimers, and limitations of liability governing your use of the Services and Sites.

Contact

If you have any questions or concerns about our website, privacy statement, or terms of use, please feel free to contact us at info@carrumhealth.com or at Carrum Health, Inc., 100 1^st Street, Suite 350, San Francisco, CA 94105. We will make every effort to resolve your concerns. If you have a complaint concerning our privacy practices, we will investigate your complaint and, if it is justified, we will take appropriate measures. If you are not satisfied with our response to your complaint or concerns, we will also suggest additional avenues of recourse.

Last Updated: February 2024