Privacy Policy

Last updated: July 1, 2023

Scope

Peppy Health Corporation (“Peppy”, “we”, “us”, or “our”) created this Privacy Policy to describe its collection, use, and disclosure practices with respect to information that identifies or may reasonably identify you (“Personal Information” or “PI”). This Privacy Policy applies to our healthcare services, including our menopause, endometriosis and PCOS support, including any related medical prescription services, and any accompanying features or products that we may develop (“Services”) and the mobile application and other platforms that we may develop in the future (collectively, the “Platform”). This Privacy Policy supplements our Terms of Service and Notice of Privacy Practices, which describes our collection, use, and disclosure of your Protected Health Information pursuant to the Health Insurance Portability and Accountability Act (HIPAA).

Depending on your relationship with us, our collection, use, and disclosure of Personal Information may differ. We use the term “Users” to describe individuals who sign up for and access the Services. We use the term “Providers” to describe the physicians, nurses, or other clinicians or supporting staff members who administer our Services to Users. Any references to “you” or “yours” refer to both Users and Providers.

Updates

We may update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective when we notify you of the changes and may apply to PI that we have already collected. Our means of notifying you may vary and may include a banner or notification on our Platform, an email communication from us, or another form of reasonable notice. Unless otherwise stated in the notice, your use of the Platform following these updates will constitute your acceptance of these updates.

Children

Our Platform is not targeted to children under the age of 18. If you know that we have received PI directly from a child under the age of 18, please contact us by referencing the information in Contacting Us, below, so that we may delete that PI from our system. Please note, however, that there may be occasions where you choose to submit PI about your dependents during the course of your care.

What Personal Information do we collect?

We may collect the following PI about you:

  • Contact information. This includes your full name and preferred name, postal address, phone number, and work and personal email address. This also includes your username* and password* when you create an account with us.
  • Photograph. You have the option to upload a picture when you create an account.
  • Demographic information.* This includes your birthdate, gender, and race.
  • Employment information. This includes your occupation and current employer. For Providers, this also includes licensing and credentialing information.
  • Health Information.* This includes data that Users provide to us through our Platform. This may include data that Users share during chat sessions with Providers, biometric data, test results where Users have requested diagnostic test services, pictures or descriptions of symptoms that Users share, prior medical and medication history, health content preferences, and any other health information that Users choose to share with us.
  • Internet and device information. This includes device and browser characteristics, including unique or online identifiers such as your device ID, IP address, and mobile operating system.
  • Usage information. This includes information about how you interact with our Platform and engage the Services, such as pages visited or programs completed.
  • Geolocation information. This includes the geolocation of the device(s) you use to access our Platform. We collect this information at the state, city, or zip code level in order to set the appropriate time zone for the Platform and monitor the integrity and security of our Platform.

Categories marked with an asterisk (*) may be considered “sensitive” categories of information according to some U.S. state laws. We intend to retain each of the above categories of PI for as long as necessary to comply with legal obligations, fulfill your requests or inquiries, and improve our Platform.

How do we collect Personal Information?

We collect PI from the following sources:  

  • Directly from you. For example, when you fill out our forms or sign up to join the Platform, you provide PI like your contact, demographic, and employment information. As noted above, Users provide health information when they engage with our Services.
  • At your direction. For Users, we may receive PI about you if you specifically instruct a third party to share it with us.
  • Automatically. For example, when you visit our Platform, we use tools such as cookies or pixel tags to collect PI such as your geolocation or other internet or device information. For more information on this, see Cookies, pixels, and other tracking technologies.
  • Third-party service providers. We work with third parties to help us provide and manage the Services and Platform. These third parties may collect PI about you on our behalf, such as:
    • For Providers, we work with a third-party service to help us verify and manage the healthcare credentialing process.
    • We may also receive PI about you from videoconferencing providers and calendar management tools when you use certain parts of our Services, like attending an event or program.
    • We also use third-party data analytics providers to help us track how you interact with our Platform and engage with our Services.
  • Users’ employers. We collect Users’ work email addresses from Users’ employers so that we may verify access to the Platform. Upon sign up, we ask Users to provide their personal email address so that we may communicate with Users through a personal account.

How do we use your Personal Information?

We may use your PI for various purposes, including to:  

  • Provide and administer the Services and allow you access and use of our Platform
  • Process your requested transaction(s) and facilitate your interaction with our Services or Platform
  • Personalize your experience with our Services or Platform
  • Deliver or suggest content in which you may be interested based on your interactions with our Platform
  • Address your customer service requests or communicate with you in relation to other follow up items or correspondence
  • Develop and improve our Services or Platform for you and other future Users and Providers, for example, by developing additional features or tools to offer within our Platform or seeking your responses to a survey or marketing communication
  • Help maintain and enhance the security and integrity of our Services or Platform
  • Communicate with you about our Platform, including this Privacy Policy

The information that we use to provide some or most of the Services is Protected Health Information and therefore subject to our HIPAA Notice of Privacy Practices.

How do we disclose your Personal Information?

We may disclose your PI in the following ways:

  • Within Peppy and its affiliates, in order to provide our Services and Platform to you. Please note that in order to ensure continuity of services, your health data submitted during consultations may be accessible to multiple practitioners who are qualified to provide you with assistance.
  • With third-party service providers to help us provide and manage our Services and Platform. We share PI with these third parties according to a contract that ensures they take appropriate steps to safeguard the confidentiality, integrity, and security of the PI that we share with them. We also limit PI provided to these third parties to the amount reasonably necessary to perform their function. These third parties include:
    • Healthcare credentialing providers to help us verify and manage the healthcare credentialing process;
    • Videoconferencing providers and calendar management tools so that we may provide you with Services like events and programming;
    • Data analytics providers to help us track how you interact with our Platform and engage with our Services;
    • Business service providers, like accountants, auditors, consultants, attorneys, and insurers;
    • Customer service providers that may provide services through chatbots or other automated assistance features;
    • Communications services for email and SMS messaging; and
    • IT service providers that assist us with data storage, diagnostics, and system maintenance for our Platform.
  • With any successors to all or part of our business in the event that we assess or actually merge with, acquire or are acquired by, or sell a brand or part of our business to another entity as part of an asset sale, corporate reorganization, or other change of control, including bankruptcy.
  • With certain parties in order to comply with the law, or otherwise assess or defend our legal rights and obligations. This includes government agencies, investigatory bodies, law enforcement, and certain advisers such as our attorneys or other auditors. This may also include other third parties in response to a court order or subpoena. We may also release PI when its release is appropriate to enforce our site policies, or protect others’ rights, property, or safety.

Please note that we do not share PI with Users’ employers. We may, however, share aggregated data (such as statistical data indicating the percentage of Users who access a particular service) for any purpose with any party because this does not identify the individual.

The information that we share to provide some or most of the Services is Protected Health Information and therefore subject to our HIPAA Notice of Privacy Practices.

How do we protect your Personal Information?

We take security seriously and have implemented reasonable technical, organizational, and physical safeguards to protect your PI. However, please keep in mind that no system, including our Platform, is 100% secure. Please take reasonable steps to maintain your own security. We recommend that you select complex passwords for your accounts and not reuse login credentials for multiple accounts.

Cookies, pixels, and other tracking technologies

Cookies, and other technologies like web beacons or pixels, optimize your experience with our Platform by remembering your browsing preferences. Our Platform does not currently recognize “Do Not Track” signals, but depending on your device model and operating system, you may be able to modify how mobile applications collect information in your device’s settings. We use these tracking technologies within our Platform for many reasons as described above, including customizing the Services and Platform for you and improving the Services and Platform for others. However, we do not currently use any tracking technologies for the purposes of targeted advertising.

Third-party links

Occasionally, at our discretion, we may include or offer third-party products or services on our Platform. We do not own or control these third-party sites. Your use of these third-party sites is subject to the third parties’ privacy policies and/or other applicable terms, and we are not responsible for the content or activities of these linked sites.

Your Privacy Choices

Depending on your state of residence (including California, Virginia, Colorado, Utah, Connecticut, and potentially other states), you may have certain rights with respect to your PI. We will strive to honor these rights no matter your place of residence, but we reserve our ability to fulfill your requests as legally required.

To exercise any of the following rights (“Data Subject Right”), you or your authorized agent may contact us via the instructions in Contacting Us, below.

We may request additional information to verify the authenticity of your request, including confirming PI or other information that you have already provided to us, or potentially requesting additional PI.

  • Right to Know and Access. You may request that we confirm whether we are processing your PI and other details about that processing. Furthermore, you may request that we provide you with a copy of your PI, including the specific pieces of PI if applicable.
  • Right to Correct. If you believe that your PI is inaccurate or incomplete, you may request that we correct your PI.
  • Right to Delete. You may request that we delete the PI that you have provided to us, subject to certain exceptions.
  • Right to Opt Out of Targeted Advertising. Targeted advertising is the practice of serving you personalized ads based on information gathered about you across different websites, devices, or applications. We do not engage in targeted advertising.
  • Right to Opt Out of Sales. Some U.S. state laws define sales as exchanges of PI for monetary or other valuable consideration. We do not “sell” your PI.
  • Right to Restrict Certain Processing. You may have the right to limit the use or disclosure of your “sensitive” PI or opt out of other processing activities, such as those involving automated decision-making, as defined by applicable U.S. state law.
  • Right to Nondiscrimination. We will not discriminate against you for exercising these rights. However, where permitted by law, we may charge a reasonable fee in fulfilling certain requests.
  • Right to Appeal. If we deny your request to exercise a Data Subject Right, you may have the right to appeal the decision with us. If you would like to appeal a prior decision, please be sure to include information about your prior request so that we may locate our earlier determination.

In addition to these Data Subject Rights, you can always manage your communication preferences. If at any time you would like to unsubscribe from receiving future emails, you can follow the unsubscribe or opt-out instructions included in the email communication.

Notice to Nevada Residents

We do not “sell” PI according to Nevada law. If you would like to request that we not sell your PI in the future, please follow the instructions in Contacting Us.

Notice to California Residents

The following statements are made in compliance with the California Consumer Privacy Act (“CCPA”), as amended.

We do not “sell” or “share” PI as defined by CCPA. “Share” as defined by CCPA refers to sharing PI for the purposes of cross-context behavioral advertising, also referred to as online targeted advertising.

We do not process sensitive information for purposes other than those specified in Cal. Code Regs. tit. 11, § 7027(m).

In the past 12 months, we have collected PI described above, under What Personal Information do we collect? from the sources listed in How do we collect Personal Information?. This PI falls into the following categories of PI under the CCPA:

  • Identifiers
  • Categories listed in California Civil Code 1798.80(e)
  • Characteristics of protected classifications under California or federal law
  • Health information
  • Internet or electronic network activity information
  • Professional or employment-related information

The Personal Information that we have disclosed to or shared with third parties in the past 12 months is described above, under How do we disclose your Personal Information?, and includes PI from the following categories of PI under the CCPA:

  • Identifiers
  • Visual information (if you choose to upload a photograph of yourself to your account)
  • Categories listed in California Civil Code 1798.80(e)
  • Characteristics of protected classifications under California or federal law
  • Health information
  • Internet or electronic network activity information
  • Professional or employment-related information

Notice to EU Data Subjects

For the purposes of applicable data protection legislation including the General Data Protection Regulation 2016/679/EU (‘GDPR’), Peppy is the data controller for the personal data we process, as described in this privacy policy unless otherwise stated. Our data protection officer is 8foldGovernance Limited (company registration number 12085647) and can be contacted at dpo.contact@peppy.health.

If you are resident in the EU/EEA, our data protection representative for the purposes of Article 27 GDPR is Data Protection Representative Limited (trading as ‘DataRep’), a company registered in the Republic of Ireland with registered number 616588. You should contact DataRep in the first instance for any requests in relation to your personal data by emailing datarequest@datarep.com or completing a web form at www.datarep.com/data-request. Your request will be forwarded to the DPO as required.

Contacting Us

If you have any questions regarding this Privacy Policy, or would like to submit individual requests in accordance with this Privacy Policy, including those listed in Your Privacy Choices, you may contact us at: hello@peppy.health and/or Peppy Health Corporation, 511 Ave of the Americas, Unit #967, New York, NY 10011.