Carrum Health Privacy Statement

Your Privacy Is Important to Us.

At Carrum Health, Inc. we know that you care about how your personal information is used and shared, and we take your privacy seriously. This privacy statement explains how Carrum Health collects, processes, and shares personal data about you when you visit our website or use our Services.  If you have any questions about our practices as they relate to your data, please contact us using the information below.

Importantly, the data we collect belongs to you.  As such, we will always strive to provide you with choices to stop providing us with data, to no longer allow us to share your data, or to ask that we no longer retain your data.  If you would like to exercise any of these rights, please contact us at privacy@carrumhealth.com

You must be at least 18 years old to use our Services and we do not knowingly collect, use, process, or disclose personally identifiable data from any visitor to our website that is under the age of 18.  None of our Services or products are directed to users under the age of 18 unless their parent or guardian consents.  Should we discover any user under the age of 18, we will immediately revoke their access and terminate their account.

When Does This Privacy Statement Apply?

This privacy statement applies to Carrum Health and our affiliated companies (if any). When we reference our “Services” in this privacy statement, that includes our public-facing website (www.carrumhealth.com), and any other linked pages, features, content, or application services we offer in connection with that website (“Sites”).  “Services” also includes the use of our platform and any mobile or other applications we provide to you in order to provide you with information, to communicate with you or to offer our surgery benefit services. This privacy statement applies to personal data collected through the Services and not to any website or service we link to or that links to its own privacy statement.

This privacy statement applies when Carrum Health obtains your Personal Information or Personal Health Information in one of the ways described below.  “Personal Information” includes any information that could be used to identify you and includes data such as your name, address, username, email address, telephone number, IP address or other digital identifying information.  “Personal Health Information” or “PHI” has the meaning provided by the Health Insurance Portability and Accountability Act (HIPAA) and includes information related to your treatment or care such as health records, health histories, test results, medical bills, insurance information, etc. Personal Information and Personal Health Information are collectively referred to herein as Personal Data.

What Data Does Carrum Health Collect?

Carrum Health collects data about you from different sources and in various ways when you use our Services:

A. Information you provide directly. We collect Personal Data that you provide to us directly. This may include:

  1. registration or contact information when you sign up for our Services (such as username, password, etc.).
  2. information you choose to input into any feature we offer through our Services such as medical or treatment information, treatment results, medical history, etc.
  3. any other information that you voluntarily and intentionally enter into webforms, our Services or our Sites.
  4. any other Personal Data that is requested and required in order to provide our Services.

You will always control what data you choose to provide directly to Carrum Health in connection with our Services, but please be aware that certain of our Services may be impacted by this choice.

B. Information that is collected automatically. When you use our Services, certain information is collected automatically:

  1. Device information (model, operating system version, mobile network information, operating system and system settings, browser type, browser language, Internet Protocol (IP) address, country and time zone in which your device is located, the pages you viewed and how long you viewed them, and similar identifiers). We may associate this information with your account to provide the Services.
  2. Mobile application information (application and metadata stored on your device when allowed by your operating system settings).
  3. Our Sites may store and retrieve data using cookies set on your device.

C. Information received from COEs, providers, or other third-parties.

How Does Carrum Use Cookies and Other Data Collection Technologies?

We collect the anonymous information we mentioned above through the use of various technologies, one of which is called “cookies”. A cookie is an element of data that the website can send to your browser, which may then be stored on your hard drive. Cookies may last for only a single session or may span multiple sessions. We use cookies to track user activity by our registered users. Finally, cookies are employed in other applications that require the storage of user data from one screen to the next.

How does Carrum Health Use Personal Data?

Carrum Health uses the personal data it collects as described in this privacy statement or as otherwise disclosed to you.  We use Personal Data to:

  • Provide and deliver the Services.
  • Enhance your experience when using our Services. This may include data relating to your use of our Services so we can recommend a more relevant experience.
  • Operate our business (including by improving our own operations, securing our systems, conducting analytics, and detecting fraudulent or illegal activity).
  • Provide care team concierge support, customer support and respond to your questions as well as to communicate with you about our Services and those of others.
  • Communicate with you about our products and services and those of our selected third-party partners so you can choose to sign up for those services. We may use your name and email address for this purpose.

Carrum Health may anonymize your Personal Information, or de-identify your Personal Health Information in a way that meets the HIPAA de-identification standard.

Carrum Health does not sell your Personal Data.

How Does Carrum Health Share Personal Data?

Carrum Health may share your Personal Data in the following ways:

  • With your health plan for purposes of administering benefits available to you, without limitation, processing appeals and exceptions.
  • With Centers of Excellence and healthcare providers who may conduct a consultation and/or treat you.
  • With our employees, authorized contractors, and subcontractors who have a need to know such information to provide the Services.
  • With your health plan in order to invoice and get payment for our Services.

In addition, we may disclose your personal information:

  • If we believe that disclosure is necessary to: (i) detect, prevent or address fraud and other illegal activity, or (ii) identify, contact or bring legal action against someone who may be causing injury to or interference with (either intentionally or unintentionally) our rights or property, other users, or anyone else;
  • In connection with any legal or other investigation, including an investigation related to a suspected breach of our Terms of Service.
  • When we believe disclosure is required or permitted by law, including when responding to subpoenas, warrants, production orders, or similar orders; or
  • If we believe disclosure is needed to protect your safety or the safety of others, including when there is an emergency involving potential harm, loss of security or serious injury to anyone or even threats of such emergencies.

How Long Does Carrum Health Keep Personal Data?

Carrum Health will retain your data only as long as necessary to fulfill the legitimate business need for which the data was collected (such as to provide you with the Services).  We may retain data for a longer period if necessary to comply with our legal obligations, to resolve disputes, to enforce agreements or for similar purposes.

How long we keep data is determined by criteria including: i) the length of our relationship with you; ii) whether we have a legal obligation to retain the data; or iii) whether retention is advisable considering current legal positions such as any regulatory investigations.

Once Carrum Health no longer has any legitimate need to protect your data, we follow our internal procedures and policies and, if possible, will either delete your data or render it impossible to identify you from the data. If we cannot take these steps, we will archive the data and ensure it is no longer used until the steps can be taken. Please note that there are times that we need to continue to use and retain your data (such as to complete pending requests or for record keeping purposes) and that our databases or other repositories may have residual data that we cannot remove or to which we are unable to provide access.

How Is My Personal Data Protected by Carrum Health?

We are committed to ensuring the data we collect, process and share is kept private and secure, and we have implemented reasonable and appropriate measures to protect against the loss, misuse and alteration of the information under our control. Despite these measures, we cannot guarantee that a security breach will not occur. We also expect that you will use appropriate security measures to protect your Personal Data when using our Services.

To help maintain the security of your Personal Data, you must accept responsibility for maintaining the security of your account credentials. This includes using a strong password, never sharing your password or account details with anyone, and not using the same password with multiple accounts. If your credentials are used to login to the Services, Carrum Health will treat that access as authorized by you.  If we learn of any unauthorized access to your account or any disclosure of data that affects the security of your personal information, we will provide you with notice as required by applicable law.

California Data and Privacy Rights

If you are a California resident and the processing of personal information about you is subject to the California Consumer Privacy Act (the “CCPA”), you have certain rights with respect to that information.  To exercise any of your rights with respect to the information that Carrum Health collects, please contact us in one of the ways described in the Contact section below.

Right to Know.  You have a right to request the following information:

  • The categories and specific pieces of personal information collected about you.
  • The categories of sources from which personal information is collected.
  • The purposes for collecting, using, or selling personal information.
  • The categories of third parties with which personal information is shared.
  • The categories of personal information we have disclosed about you for a business purpose. Note that the CCPA defines “business purpose” broadly; and because we use service providers for a number of business purposes that require access to our systems that hold personal information (such as supplying cloud data storage, maintaining the security of our systems, and providing customer support), in the past 12 months we have disclosed for a business purpose data from each of the categories of personal information that we maintain.
  • The categories of personal information we have “sold” about you (if any), for each category of third party to which the personal information was sold. See the “Right to Opt-Out” below for more information.

Please note that we have provided much of this information in this privacy statement.

Right to Request Deletion:  The CCPA also provides Californian residents the right to request that we delete personal information under certain circumstances, subject to a number of exceptions. These exceptions to deletion include when information is: (1) needed to complete the transaction for which it was collected or to provide goods or services requested by the consumer; (2) used in the context of the business relationship with the consumer; (3) required to perform a contract; (4) used to detect security incidents and protect against malicious, fraudulent or illegal activity; (5) needed to engage in scientific, historical, or statistical research in the public interest; (6) used solely for internal uses that are reasonably aligned with the expectations of the consumer; or (7) required to comply with a legal obligation or applicable laws.

Right to Opt-Out. Carrum Health does not sell your data for advertising or other purposes.

Right to Non-Discrimination.  If you exercise any of your privacy rights as a California resident, Carrum Health will not discriminate against you by offering you different pricing or services, or by providing you with a different level or quality of service, based solely upon this request. Certain Carrum Health Services, however, may require your consent to have your personal information shared with Carrum Health to provide the Services or to allow us to use and disclose your personal information to provide the Services. When you exercise your rights, you may lose access to certain aspects of Carrum Health’s  Services that require your personal information to perform the Services.

Notification of Changes

This privacy statement may be revised over time, as changes are deemed necessary and any such updated Privacy Statement will be posted (together with its effective date) on this page. If we make material changes that reduce your privacy rights, we will notify you in advance by sending you an email and/or by posting a notice in the Services at least 30 days prior to the change in either this Privacy Statement or how we handle your data to allow you to make an informed choice.

Contact

If you have any questions or concerns about our website, privacy statement, or terms of use, please feel free to contact us at info@carrumhealth.com or at Carrum Health, Inc. 611 Gateway Blvd, Suite 120, South San Francisco, CA 94080. We will make every effort to resolve your concerns. If you have a complaint concerning our privacy practices, we will investigate your complaint and, if it is justified, we will take appropriate measures.  If you are not satisfied with our response to your complaint or concerns, we will also suggest additional avenues of recourse.

Last Updated: November 10, 2022