Summary of Key Points

This Privacy Policy explains how Evolve Health (“we”, “us”, or “our”) collects, uses, discloses, and safeguards your information when you visit our website or use our healthcare services. Please read this Privacy Policy carefully. By accessing and using our site, you acknowledge that you have read, understood, and agree to be bound by all terms of this Privacy Policy and our Terms of Service.

We may collect personal information that you voluntarily provide to us when you register on the site, express interest in obtaining information about us or our healthcare services, participate in activities on the site, or otherwise contact us. We automatically collect certain information when you visit, use, or navigate the site. This information does not reveal your specific identity but may include device and usage information. We process your information for purposes based on legitimate business interests, the fulfillment of our contract with you, compliance with our legal obligations, and/or your consent. We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations. We may use cookies and similar tracking technologies to access or store information. We keep your information for as long as necessary to achieve the purposes outlined in this Privacy Policy unless otherwise required by law.

We aim to protect your personal information through a system of organizational and technical security measures. You have specific rights regarding your personal information, which vary depending on your location.

What Information Do We Collect

Personal Information You Disclose to Us

We collect personal information that you voluntarily provide us when you register on the site, express interest in obtaining information about us or our healthcare services, participate in activities on the site, or otherwise contact us.

The personal information that we collect depends on the context of your interaction with us and the site, the choices you make, and the products and features you use. The personal information we collect may include the following:

• Personal Identifiers. We collect names, phone numbers, email addresses, mailing addresses, usernames, passwords, and other similar identifiers.
• Payment Information. We collect data necessary to protect your payment, such as your payment instrument number (e.g., a credit card number) and the security code associated with your payment instrument. Our payment processor stores all payment data. You should review its privacy policies and contact the payment processor directly to address any questions you may have.
• Health Information. As a healthcare provider, we collect information about your health conditions, medical history, medications, treatments, diagnoses, healthcare providers, health insurance information, and other health-related information when you use our healthcare services or features. This information is protected under the Health Insurance Portability and Accountability Act (HIPAA) and applicable state laws, such as California’s Confidentiality of Medical Information Act (CMIA).
• Account Information. We collect information related to your account preferences, settings, and activity history. We collect information regarding your communication preferences and your communication with us.All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information Automatically Collected

We automatically collect certain information when you visit, use, or navigate our site. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preference, referring URLs, device name, country, location, information about how and when you use our site, and other technical information. This information is primarily needed to maintain the security and operation of our site, as well as for our internal analytics and reporting purposes. The information we collect automatically includes:

• Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our site, and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity on the site (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports – sometimes called “crash dumps”) – and hardware settings).
• Device Data. We collect device data, including information about the computer, phone, tablet, or other device you use to access our site. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification number, location, browser type, hardware model, Internet Service Provider and/or mobile carrier, operating system, and system configuration information.
• Location Data. We collect data such as information about your device’s location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the site. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location. You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. Note, however, that if you choose to opt out, you may not be able to use certain aspects of the services.

How Do We Process Your Information

We process your information for a variety of purposes, depending on how you interact with our site and healthcare services, including:

• To Facilitate Account Creation and Authentication, and Otherwise Manage User Accounts. We may process your information to enable you to create and log in to your account, as well as to maintain the functionality of your account.
• To Deliver and Facilitate the Delivery of Healthcare Services to You. We may process your information to provide you with the requested healthcare services, including scheduling (through DrChrono), providing medical advice, prescribing medication, and coordinating care with other healthcare providers.
• To Respond to User Inquiries/Offer Support to Users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested services.
• To Send Administrative Information to You. We may process your information to send you details about our healthcare services, changes to our terms and policies, and other similar information.
• To Request Feedback. We may process your information when necessary to request feedback and to contact you about your use of our site or healthcare services.
• To Send You Marketing and Promotional Communication. We may process the personal information you send us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time.
• To Deliver Targeting Advertising to You. We may process your information to develop and display personalized content and advertising tailored to your interests, location, and other relevant factors.
• To Protect Our Services. We may process your information as part of our effort to keep our site safe and secure, including fraud monitoring and prevention.
• To Identify Usage Trends. We may process information about how you use our site to better understand how they are being used so we can improve them.
• To Determine the Effectiveness of Our Marketing and Promotional Campaigns. We may process your information to better understand how to provide marketing and promotional campaigns that are most relevant to you.
• To Save or Protect an Individual’s Vital Interest. We may process your information when necessary to save or protect an individual’s vital interest, such as to prevent harm.
• For Treatment, Payment, and Other Healthcare Operations. As a healthcare provider, we may use and disclose your health information for treatment purposes, such as providing, coordinating, or managing your healthcare and related services; payment purposes, such as obtaining reimbursement for services, confirming coverage, billing or collection activities, and utilization review; healthcare operations, such as conducting quality assessment and improvement activities, auditing functions, cost-management analysis, and customer service.

When and With Whom Do We Share Your Personal Information

 We may share your information in the following situations:

• Business Transfers. We may share or transfer your information in connection with, or during negotiations of, a merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• We may share information with our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control of ours.
• Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.
• Healthcare Providers and Services. We may share your health information with other healthcare providers who are involved in your care, such as specialists, hospitals, pharmacies, and laboratories, to ensure you receive appropriate and coordinated care.
• Health Insurance and Payment Processors. We may share your information with your health insurance company or payment processors to verify coverage, process claims, and receive payment for services rendered.
• Third-Party Services Providers. We may share your information with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. Examples include: payment processing, data analysis, email delivery, hosting services, customer services, and marketing efforts. We may allow selected third parties to use tracking technology on the site, which will enable them to collect data on our behalf about how you interact with our site over time. This information may be used to, among other things, analyze and track data, determine the popularity of certain content, pages, or features, and better understand online activity. Unless described in this notice, we do not share, sell, rent, or trade any of your information with third parties for their promotional purposes.
• With Your Consent. We may disclose your personal information for any other purpose with your consent.
• To Comply with Laws. We may disclose your information where we are legally required to do so in order to comply with applicable law, government requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
• Vital Interests and Legal Rights. We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, illegal activities, or as evidence in litigation in which we are involved.
• Public Health and Safety. We may disclose your health information when necessary to prevent a serious threat to your health, the health of others, or the public health. These disclosures would be made only to someone able to help prevent the threat.

Do We Use Cookies and Other Tracking Technology

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out below.

Types of Cookies we Use

• Essential Cookies. These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site may not then function properly.
• Performance Cookies. These cookies enable us to track visits and traffic sources, allowing us to measure and improve the performance of our site. They help us determine which pages are the most and least popular and show us how visitors navigate the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not be able to track visits to our site and monitor its performance.
• Functional Cookies. These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.

Your Cookie Choice

Most web browsers are set to accept cookies by default. If you prefer, you can easily choose to set your browser to remove cookies and to reject cookies. If you choose to remove or reject cookies, this may affect certain features or services on our site. To opt out of interest-based advertising by advertisers on our site, visit http://www.aboutads.info/choices/.

How Long Do We Keep Your Information

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). We will not retain your personal information for longer than the period of time during which users have an account with us.

For health information, we are required by law to maintain patient records for a minimum period, typically between 5 and 10 years, depending on state law requirements, or in some cases, indefinitely. We will retain health records in accordance with applicable federal and state law.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize (deidentify) such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

How Do We Keep Your Information Safe

We have implemented appropriate technical and organizational security measures to protect the confidentiality, integrity, and security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security, and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our site is at your own risk. You should only access the site within a secure environment.

For health information, we maintain physical, technical, and administrative safeguards that comply with HIPAA and other applicable laws to protect your health information from unauthorized access, use, or disclosure. These measures include:

• Physical safeguards, such as locked facilities and restricted access to areas where health information is stored.
• Technical safeguards, such as encryption, firewalls, and secure password protocols.
• Administrative safeguards, such as staff training, policies and procedures, and business associate agreements.

Do We Collect Information from Minors

We do not knowingly solicit data from or market to children under the age of 18. By using the site, you represent that you are at least 18 or that you are the parent or guardian of such minor and consent to such minor’s use of the site. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under 18, please contact us at contact@healthevolves.com

For minors who are parents, we collect and use health information as permitted or required by HIPAA and applicable state laws, with appropriate authorization from a parent or legal guardian.

What are Your Privacy Rights

In some regions (like the European Economic Area, the United Kingdom, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information; (ii) to request recertification or erasure; (iii) to restrict the processing of your personal information; and (iv), if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. To make such a request, please use the contact details below. We will consider and act upon any request in accordance with applicable data protection laws and regulations.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note, however, that this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

HIPAA Rights

As a healthcare provider, we are subject to HIPAA, which provides you with certain rights regarding your health information, including:

• Right to Access. You have the right to inspect and obtain a copy of your health information that may be used to make decisions about your care.
• Right to Amend. If you feel that the health information we have is incorrect or incomplete, you may ask us to amend the information.
• Right to an Accounting of Disclosure. You have the right to request a list of certain disclosures we made of your health information for purposes other than treatment, payment, healthcare operations, and certain other activities.
• Right to Request Restrictions. You have the right to request a restriction or limitation on the use or disclosure of your health information for treatment, payment, or healthcare operations. You also have the right to request a limit on the health information we disclose to someone involved in your case or the payment of your care.
• Right to Request Confidential Communication. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location.
• Right to a Paper Copy of This Notice. You have the right to a paper copy of this Privacy Policy, even if you have agreed to receive it electronically.

To exercise these HIPAA rights, please submit a written request to our Director of Compliance using the contact information provided below.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

• Log in to your account settings and update your user account.
• Please get in touch with us using the information provided.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active database. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our Terms and Use, and/or comply with applicable legal requirements.

Opting Out of Email Marketing

You can unsubscribe from our marketing email list at any time by clicking on the unsubscribe link in the emails that we send or by contacting us using the details provided below. You will then be removed from the marketing email list; however, we may still communicate with you, for example, to send you service-related emails that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes. To otherwise opt out, you may:

• Access your account settings and update your preferences.
• Please get in touch with us using the information provided.

Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or settings you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choices not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy.

Do California Residents, Other Specific States, or Other Countries Have Specific Privacy Rights?

California Residents

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the name and address of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.

If you are under 18 years of age, reside in California, and have a registered account with the site, you have the right to request removal of unwanted data that you publicly post on the site. To request removal of such data, please get in touch with us using the contact information provided below, and include the email address associated with your account and a statement that you reside in California. We will ensure that the data is not publicly displayed on the site. However, please be aware that the data may not be completely or comprehensively removed from all our systems (e.g., backups).

CCPA/CPRA Privacy Notice for California Residents

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provided California residents with specific rights regarding their personal information. This section describes your CCPA/CPRA rights and explains how to exercise those rights.

Right to Know and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

• The categories of personal information we collected about you.
• The categories of sources for the personal information we collected on you.
• Our business or commercial purpose for collecting, selling, or sharing that personal information.
• The categories of third parties with whom we share that personal information.
• The specific pieces of personal information we collected about you (also called a data portability request).
• If we sold or disclosed your personal information for a business purpose, we maintain two separate lists: one disclosing sales, identifying the personal information categories that each category of recipient purchased, and another disclosing disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Response Timing and Format

 We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosure we provide will only cover 12 months preceding the receipt of the verifiable consumer request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reason for our decision and provide a cost estimate before proceeding with your request.

Non-Discrimination

 We will not discriminate against you for exercising any of your CCPA/CPRA rights. Unless permitted by the CCPA/CPRA, we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you with a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services, or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CCPA/CPRA, which may result in different prices, rates, or quality of care. Any CCPA/CPRA-permitted financial incentives we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Colorado Residents

Under the Colorado Privacy Act (CPA), Colorado residents have the following rights:

• Right to opt out of the processing of personal data for purposes of targeting advertising, the sale of personal data, or profiling that produces legal or significant effects on the consumer.
• Right to access personal data.
• Right to correct inaccuracies in personal data.
• Right to delete personal data.
• Right to data portability
• Right to appeal a controller’s decision regarding a consumer request.

To exercise any of these rights, please submit a request through our designated request methods: contact@healthevolves.com

We will respond to your request within 45 days, with a possible extension of an additional 45 days when reasonably necessary. If we decline to take action regarding your request, we will inform you of our decision and reasoning.

Connecticut Residents

Under the Connecticut Data Privacy Act (CTDPA), Connecticut residents have the following rights:

• Right to confirm whether we are processing your personal data and access such data.
• Right to correct inaccuracies in your personal data.
• Right to delete personal data provided by or obtained about you.
• Right to obtain a copy of your personal data processing by us in a portable format.
• Right to opt out of the processing of your personal data from targeting advertising.
• Right to opt out of the sale of your personal data.
• Right to opt out of profiling performed in furtherance of solely automated decisions that produce legal or similarly significant effects on you.

To exercise any of these rights, please submit a request through our designated request method: contact@healthevolves.com

We will respond to your request without undue delay but within 45 days, with a possible extension of an additional 45 days when reasonably necessary. If we decline to take action regarding your request, we will inform you of our decision and reasoning.

Utah Residents

Under the Utah Consumer Privacy Act (UCPA), Utah residents have the following rights:

• Right to confirm whether we are processing your personal data.
• Right to access your personal data.
• Right to delete the personal data you provided to us.
• Right to obtain a copy of the personal data that you have provided to us in a portable format.
• Right to opt out of processing your personal data for targeting advertising.
• Right to opt out of the sale of your personal data.

To exercise any of these rights, please submit a request through our designated request method: contact@healthevolves.com

We are required to respond within 45 days of receipt of your request. If we decline to take action regarding your request, we must notify you within 45 days and explain our decision.

Virginia Residents

Under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents have the following rights:

• Right to confirm whether or not we are processing your personal data and access that data.
• Right to correct inaccuracies in your personal data.
• Right to delete personal data provided by or obtained about you.
• Right to obtain a copy of your personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format.
• Right to opt out of the processing of your personal data for purposes of targeting advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

To exercise any of these rights, please submit a request through our designated method: contact@healthevolves.com

We will respond to your request without undue delay but within 45 days, with a possible extension of an additional 45 days when reasonably necessary. If we decline to take action regarding your request, we will inform you of our decision and reasoning.

European Union and United Kingdom Residents

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that governs the protection of personal data for individuals in the European Union (EU) and the United Kingdom (UK). It establishes strict guidelines for how businesses collect, process, and store personal information, granting individuals rights such as access, rectification, erasure, and data portability. The GDPR also regulates the transfer of personal data outside of the EU and UK, ensuring that such transfers meet stringent privacy standards.

If you are a resident of the European Economic Area (EEA) or the UK, you have the following rights under GDPR:

• Right to Access. You have the right to request copies of your personal data.
• Right to Rectification. You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
• Right to Erasure. You have the right to request that we erase your personal data, under certain conditions.
• Right to Restrict Processing. You have the right to request that we restrict the processing of your personal data, under certain conditions.
• Right to Object to Processing. You have the right to object to our processing of your personal data, under certain conditions.
• Right to Data Portability. You have the right to request that we transfer your data that we have collected to another organization, or directly to you, under certain conditions.

 If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please get in touch with us using the contact information provided.

Legal Basis for Processing Personal Data Under GDPR

We may process personal data under the following conditions:

• You have given your consent for processing personal data for one or more specific reasons.
• Performance of a Contract. Provisions of personal data are necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
• Legal Obligations. Processing personal data is necessary for compliance with a legal obligation to which we are subject.
• Vital Interest. Processing personal data is necessary to protect the vital interests of yourself or another natural person.
• Public Interest. Processing personal data is related to a task that is carried out in the public interest or in the exercise of official authority vested in us.

International Transfers of Personal Data

We may transfer your personal data to countries outside the EEA or the UK. When we do so, we ensure that appropriate safeguards are in place to protect your data and to comply with our legal obligations. These safeguards may include:

• Standard Contractual Clauses approved by the European Commission.
• Binding Corporate Rules for transfers within a corporate group.
• Compliance with approved codes of conduct or certification mechanisms.

Do We Make Updates to This Notice

We reserve the right to update this Privacy Policy from time to time. The updated version will be indicated by an updated “Last Updated” date, and the updated version will be effective as soon as it is accessible. If we make material changes to this Privacy Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.