Effective Sept 1, 2023

Privacy Policy Overview

This Privacy Policy explains how Graphite Health, Inc. and its direct and indirect subsidiaries (collectively, “Graphite,” “we,” or “us”) handle your Personal Information (as defined herein) and data. We value your trust, and we have strived to make this clear to you.

We do not sell Personal Information. We do not use the patient as a marketing opportunity and do not share Personal Information for others to market to patients. We keep Personal Information private as provided by law.

We try to limit our collection of Personal Information to what is necessary to offer our services. Much of the Personal Information we receive relates to patients and is subject to the privacy requirements of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (“HIPAA”). Because data covered by HIPAA is subject to the privacy policies of member health systems, such protected health information is not subject to this Privacy Policy.

This Privacy Policy applies to all customer-facing websites and mobile applications we offer that post or include a link to this Privacy Policy. We refer to those apps and websites collectively as the “Services” in this Privacy Policy. However, those seeking information about or applying for positions with Graphite are providing any Personal Information to a third-party service provider and that Personal Information is subject to the privacy policy of that third party. Their privacy policy is linked on the Current Job Openings page.

Questions?

For questions regarding our Privacy Policy or practices, contact us by emailing compliance@graphitehealth.io.

Changes to this Privacy Policy

We may modify this Privacy Policy at any time. If we do, we will notify you by publishing the changes on and in the Services. We will also update the effective date.

By using the Services, you consent to the practices described in this Privacy Policy. If you continue to use the Services following a modification of this Privacy Policy, you give your consent to and acceptance of the modifications.

Personal Information

For purposes of this Privacy Policy, the term “Personal Information” means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“Personal Information”). Personal Information does not include any personally identifiable information or protected health information that is subject to HIPAA or any publicly available information from government records, deidentified or aggregated consumer information, or other information excluded from the scope of state privacy laws.

Our Collection of Personal Information

At this time for most users, we do not knowingly collect Personal Information. For users requesting additional information about the Services, we provide the option of submitting a request form (“Request Form”). The Request Form asks for basic contact information, some of which may constitute Personal Information.

We may share your Personal Information by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the Personal Information confidential, and prohibit using the disclosed information for any purpose except performing the contract. As we have noted, we do not sell your Personal Information.

Where Personal Information has been collected, below is additional information regarding the collection to address applicable privacy law requirements. In the preceding twelve (12) months we have disclosed, or in the future may disclose, Personal Information for a business purpose to the categories of third parties indicated in the chart below. Our practices regarding the collection of Personal Information may change over time as we develop the Services.

For each Personal Information category, the chart indicates whether the category is collected and the source of collection, the retention period, the business or commercial purpose for sharing or use, whether the category is sold, and whether it is shared for cross-context behavioral advertising (with the categories of third-party recipients).

A. Identifiers (including government-issued identifiers)

Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, or email address.

Collected: Yes, from:

  • You
  • Your device
  • Our Service Providers or Business Partners

Retention Period: For the duration of an individual’s relationship with Graphite Health and consistent with legal and regulatory requirements and statutes of limitations.

Business or Commercial Purpose for Sharing or Use:

  • Provide the services you request
  • Improve our services
  • Inform you about our other products, services and offers that may be of interest to you
  • Meet our contractual obligations with Service Providers or Business Partners
  • Meet legal and regulatory requirements
  • Provide customer service
  • Detect and protect against security events and fraud
  • Audit consumer interaction & transactions

Sold: No

Shared for Cross-Context Behavioral Advertising: No

B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))

Examples: A name, address, or telephone number.

Collected: Yes, from:

  • You
  • Your device
  • Our Service Providers or Business Partners

Retention Period: For the duration of an individual’s relationship with Graphite Health and consistent with legal and regulatory requirements and statutes of limitations.

Business or Commercial Purpose for Sharing or Use:

  • Provide the services you request
  • Improve our services
  • Inform you about our other products, services and offers that may be of interest to you
  • Meet our contractual obligations with Service Providers or Business Partners
  • Meet legal and regulatory requirements
  • Provide customer service
  • Detect and protect against security events and fraud
  • Audit consumer interaction & transactions

Sold: No

Shared for Cross-Context Behavioral Advertising: No

C. Protected classification characteristics under California or federal law

Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, union membership, genetic information (including familial genetic information).

Collected: No

Retention Period: N/A

Business or Commercial Purpose for Sharing or Use: N/A

Sold: No

Shared for Cross-Context Behavioral Advertising: No

D. Commercial Information

Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Collected: No

Retention Period: No

Business or Commercial Purpose for Sharing or Use: No

Sold: No

Shared for Cross-Context Behavioral Advertising: No

E. Biometric information

Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

Collected: No

Retention Period: N/A

Business or Commercial Purpose for Sharing or Use: N/A

Sold: No

Shared for Cross-Context Behavioral Advertising: No

F. Internet or other similar network activity

Examples: Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.

Collected: Yes, from:

  • You
  • Your device
  • Our Service Providers or Business Partners

Retention Period: For the duration of an individual’s relationship with Graphite Health and consistent with legal and regulatory requirements and statutes of limitations.

Business or Commercial Purpose for Sharing or Use:

  • Provide the services you request
  • Improve our services
  • Inform you about our other products, services and offers that may be of interest to you
  • Meet our contractual obligations with Service Providers or Business Partners
  • Meet legal and regulatory requirements
  • Provide customer service
  • Detect and protect against security events and fraud
  • Audit consumer interaction & transactions

Sold: No

Shared for Cross-Context Behavioral Advertising: No

G. Geolocation data

Examples: Physical location or movements.

Collected: No

Retention Period: N/A

Business or Commercial Purpose for Sharing or Use: N/A

Sold: No

Shared for Cross-Context Behavioral Advertising: No

H. Sensory data

Examples: Audio, electronic, visual, thermal, olfactory, or similar information.

Collected: No

Retention Period: N/A

Business or Commercial Purpose for Sharing or Use: N/A

Sold: No

Shared for Cross-Context Behavioral Advertising: No

I. Professional or employment-related information

Examples: Current or past job history or performance evaluations.

Collected: No

Retention Period: N/A

Business or Commercial Purpose for Sharing or Use: N/A

Sold: No

Shared for Cross-Context Behavioral Advertising: No

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))

Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

Collected: No

Retention Period: N/A

Business or Commercial Purpose for Sharing or Use: N/A

Sold: No

Shared for Cross-Context Behavioral Advertising: No

K. Inferences drawn from other Personal Information

Examples: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Collected: No

Retention Period: N/A

Business or Commercial Purpose for Sharing or Use: N/A

Sold: No

Shared for Cross-Context Behavioral Advertising: No

Other Information Collection

Cookies:

A Cookie is a small text file placed on the device you use to access our Services. Most browsers are set to accept Cookies by default, and by using our Services, you are consenting to our use of Cookies as described herein. We use information we obtain from Cookies for several reasons:

  • To Make Our Site Easier to Use. If you set up an account on our sites, we may store your username in a Cookie to make it quicker for you to sign in whenever you return to a Graphite website. For security reasons, we use Cookies to authenticate your identity, such as confirming whether you are currently logged into a Graphite website.
  • To Provide You with Personalized Content. We may store user preferences, such as your default language, in Cookies to personalize the content you see. We also use Cookies to ensure that users cannot retake certain surveys that they have already completed.
  • To Improve Our Services. We may use Cookies to measure your usage of our websites and track referral data, as well as to occasionally display different versions of content to you. This information helps us to develop and improve our Services and optimize the content we display to users.

If you would like to opt out of the Cookies we employ on our Services, you may block, delete, or disable them through your browser, or set your browser to alert you when Cookies are being sent, as applicable:

  • The help function on most browsers contains instructions on how to set your browser to notify you before accepting Cookies or to disable Cookies entirely. Because each browser is different, please consult the instructions provided by your browser.
  • Some of our third-party partners may be members of the Network Advertising Initiative, which offers a single location to opt out of ad targeting from member companies. To learn more, please consult the Network Advertising Initiative's opt-out resources.
  • Some devices you may use may also have platform controls to make choices about Cookies. Please note that you must separately opt out in each browser and on each device and that Cookie-based opt-outs are not effective on mobile applications.
  • Due to differences between websites and mobile apps, you may need to take additional steps to opt out of interest-based advertising for mobile applications. Please check your device settings and mobile app permissions for additional information on how to opt out. You also may stop further data collection from a mobile application by removing it from your mobile device.

If you choose to refuse, disable, or delete Cookies, some of the functionality of the Services may no longer be available to you, and any differences in service are related to the data. Deleting Cookies may in some cases cancel the opt-out selection in your browser.

Analytics:

We may use third-party providers to monitor and analyze the use of the Graphite website.

  • Google Analytics. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of the Graphite website. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. You can opt out of making your activity on the Graphite website available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visit activity. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page.

Safety of Minors and the Children's Online Privacy Protection Act (COPPA)

Our Services are not intended for and may not be used by minors. "Minors" are individuals under the age of majority in their place of residence. This age varies by jurisdiction, but generally includes those under 16 years old. Excluding information subject to HIPAA that we may access through our customers, we do not knowingly collect Personal Information from minors or allow them to register as users. If it comes to our attention that we have collected Personal Information from a minor in a manner that violates applicable law, we may delete this information without notice. If you have reason to believe that we may have any Personal Information for or about a child under the age of 16 in violation of this Privacy Policy, please contact us at compliance@graphitehealth.io.

Security

The security of your data and information is important to us, and we strive to implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information submitted to us, intended to protect it from unauthorized access, destruction, use, modification, or disclosure. However, please be aware that no method of transmission over the internet, or method of electronic storage is completely secure, and we are unable to guarantee the absolute security of your data and information.

Supplemental Notice to Data Subjects for Residents of Certain US States (including California)

Residents of certain states (including California) may have certain rights regarding your Personal Information under state law. This section describes privacy rights applicable to residents of certain states and explains how to exercise those rights. These rights apply only where applicable by law.

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months (the "right to know"). Once we receive your request and confirm your identity, we will disclose to you:

  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The categories of third parties with whom we share that Personal Information.
  • If we sold or disclosed your Personal Information for a business purpose, two separate lists disclosing:
      • sales, identifying the Personal Information categories that each category of recipient purchased; and
      • disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.
  • The specific pieces of Personal Information we collected about you (also called a data portability request).

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity, we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  1. Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify Personal Information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

If you choose to exercise these rights, we ask you to provide sufficient information, including the services you have used in the past, your state and country of residence, and contact information, in order for us to verify your identity and process your request. Depending on the types of requests, additional information may be requested. We will only use Personal Information provided in this context to verify the requestor’s identity or authority to make it.

You may use an authorized agent to submit a request on your behalf related to your Personal Information. If you choose to use an authorized agent, you should supply your agent with written permission to act on your behalf in relation to your request, and your agent must provide us with proof of such authorization before we process your request.

To exercise a right related to your Personal Information, please contact us by email to compliance@graphitehealth.io.

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact: compliance@graphitehealth.io. We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

We will not discriminate against you for exercising any of your state-specific privacy rights. Unless permitted by law, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by applicable law that can result in different prices, rates, or quality levels. Any permitted financial incentive we offer will reasonably relate to your Personal Information's value and contain written terms that describe the program's material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Browser Do Not Track Signals

At this point, our website does not respond to browser “do not track” or similar signals.

Alternative Format

If you need to access this Policy in an alternative format due to having a disability, please contact compliance@graphitehealth.io.