Privacy Policies

OtisHealth Personal Health Application

Privacy Policy and TEFCA IAS Privacy and Security Notice

Last Updated/Effective Date: August 06, 2024

OtisHealth, Inc. is committed to preserving the privacy and security of your personal and medical information. Our OtisHealth Privacy Policy and TEFCA IAS Privacy and Security Notice (“Policy”) explains what information we gather, use and share when you use otishealth.net and the OtisHealth mobile applications (collectively, “OtisHealth” or the “Platform”).

TEFCA IAS is an optional service members may use to retrieve their health records from national sources.  It stands for Trusted Exchange Framework and Common Agreement Individual Access Services (TEFCA IAS).  This new exchange framework is an initiative of the US Department of Health and Human Services (HHS) and the Office of National Coordinator (ONC).  More information about TEFCA may be found at ONC TEFCA. 

Acceptance of Notice

By using OtisHealth, you agree to the terms of this Policy. If you do not agree to the terms of this Notice, please do not use OtisHealth. We may update this Notice from time to time, and your continued use of the Platform will mean that you agree to any changes. We are required to obtain your express written consent to the terms of this Notice.

Revocation of Consent to Notice

You may revoke consent to this Notice at any time by sending us a secure message from within the platform, or an email message to privacy@otishealth.net, after which you will no longer have the right to access the Platform and our services.

Information We Collect and How We Collect It 

Personal Information

We collect your name, mailing address, e-mail address, phone number, date of birth, and your emergency contact details. We collect this Personal Information when you sign up as a member of OtisHealth.

Health Information

We collect your health information including items such as past and current clinical diagnoses, medications, allergies, vitals, family history, healthcare providers, and insurance plans

We collect your health information in the following ways:

1. you may manually enter your personal and health information into the Platform such as your vitals, medical conditions, medications, healthcare providers and medical institutions where you have received care,

2. you may direct the Platform to connect to the electronic record systems of your healthcare providers, laboratories, pharmacies, and health plans in order to request and retrieve your electronic health records,

3. you may directly upload electronic health records, files, and other health documents.

4. you may provide permission for the Platform to access data and applications on your mobile device, such as your camera, photos, contacts, and health monitoring devices.

Information Automatically Collected

Account Activity

We may collect data about how you use your online account and the Platform when you are logged into your account. We may use IP addresses to conduct website analyses and performance reviews and to administer our website.

Cookies & Other Tracking Technologies

A cookie is a small text file that our Platform saves onto your computer or device when you use the Platform that provides us certain information about your activities. Other tracking technologies like web beacons/pixel tags are small graphics on a webpage that monitor your activity when viewing a webpage.

These tools (collectively, “Cookies”)

• allow the Platform: to remember your actions and preferences and recognize you or your browser, along with some information you provided.

• allow us to provide you with a more personalized experience.

Cookies may collect information such as your device’s IP address, location and pages visited. Most browsers automatically accept cookies, and you can manually delete Cookies through your browser settings. Also you can disable this function by changing your browser settings, but disabling cookies may impact your use and enjoyment of the Platform. Not all features or functions of the Platform may work properly if you disable Cookies. You cannot disable all Cookies, such as Cookies that are essential to the functioning of the Platform.

CALIFORNIA’S “DO-NOT-TRACK” REQUIREMENT. WE CURRENTLY DO NOT HONOR “DO NOT TRACK” REQUESTS.

Web Analytics

We use 3rd party web analytics tools and services to collect and process information about your use of OtisHealth. These tools and services set cookies on your browser or device, and then your web browser will automatically send information to us. We use this information to better understand and measure how users interact with the Platform.

Online Behavioral Advertising

We do not use third parties and/or service providers to provide interest-based advertising services.

How We Use Your Information

We collect and use your identifiable data and information for the following purposes:

• To provide the primary service of the Platform. To verify your identity before we begin collecting your health information and records. For example, we use your phone number to send you text messages for multi-factor authentication and other security measures. Additional verification information may be required by healthcare providers before they release your electronic health records to you.

• To respond to your questions, comments, or complaints. We may also use personal information as requested or consented to by you.

• To locate your health records and assist healthcare providers and health plans with accurately verifying and sending us your correct health records for your account. To support company operations like quality control, fraud detection and developing new products and services. To notify you of new features, services or products.

Storage of Data

We store your data on your device. We also store your data outside the device at our company or through third party secure cloud storage services.

Encryption of Data

We automatically encrypt your data, both in transit and at rest, in the device or app, whether stored on company servers or outside cloud computing service providers.

Retention of Information

You have the right to require that all of your individually identifiable information maintained by us be deleted unless such deletion is prohibited by Applicable Law; provided, however, that the foregoing shall not apply to such information contained in audit logs.

You have the right to an export of your individually identifiable information in a computable, interpretable format.

Unless a longer retention period is permitted or required by law, when your account is deactivated/terminated by you or OtisHealth, your data is deleted after 30 days.

Disclosure and Sharing of Your Information

All the following disclosures are in accordance with the permitted and required Uses and Disclosures specified in the Common Agreement and applicable U.S. Department of Health and Human Services guidance. We are not generally not subject to HIPAA rules except in instances where we are acting as a business associate of a HIPAA covered entity.

We do not sell, rent or lease any of your identifiable or non-identifiable (data in which personal identifiers have been removed) personal information to any third party. We do not share your identifiable data. We will not access, exchange, use, or disclose your information to assert any type of claim against you.

After receiving your express written consent to the terms of this Notice, which you must provide before using the Platform, we may share your personal and non-personal information in the following ways:

Personal information

We may share personal information and data only after removing identifiers (note that remaining data may not be anonymous) for the purposes of providing the primary service of the app or technology, supporting company operations and developing and improving new and current products and services. Such identifier-removed information may be also be shared with the following parties, in compliance with applicable laws:

• Employees and Affiliates. We may share personal information with our employees and affiliates who have a need to know the information for our business purposes.

• Third-Parties and/or Service Providers. We may share personal information with third party contractors and/or service providers that provide services for us. For example, we may share personal information with cloud storage providers, e-mail marketing vendors, security vendors, and data analytics vendors.

• Clinical Trial Organizations/Research Partners. We may provide your de-identifiable personal and health information to a clinical trial organization or research partner for the purpose of finding potential study candidates. If OtisHealth notifies you that you qualify for a specific clinical research opportunity, and you request to participate, with your permission, we will share your personal information, including necessary health information and records, with the sponsoring clinical trial organization or research partner to match you with a specific clinical trial or research study.

• Government Officials/Law Enforcement. We will cooperate with law enforcement and other governmental agencies, and may disclose personal information, including reproductive healthcare services: (i) if we believe in good faith we are legally required to disclose that personal information, (ii) if we are advised to disclose personal information by our legal counsel, (iii) when necessary to identify, contact or bring a legal action against someone who may cause or be causing harm to, or interfering with the legal rights of, OtisHealth or any other party,  or (v) in accordance with a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure including across state lines in accordance with applicable law. Electronic notice will be provided to the affected Individual(s) (unless prohibited by applicable law) within three (3) business days of our receipt of a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure in accordance with applicable law with respect to the individually identifiable information unless such notice is prohibited (e.g., under the Patriot Act). The affected Individual(s) receiving such notice have the right to object to the production of the identifiable information or seek a protective order or other appropriate remedy consistent with applicable law. Furthermore, electronic notice will be provided to the affected Individual(s) (unless prohibited by Applicable Law) within three (3) business days of the IAS Provider making TEFCA Information available to law enforcement agencies.

• Professional Advisors. We may share personal information with our professional advisors, such as our attorneys, accountants, financial advisors and business advisors, in their capacity as advisors to OtisHealth.

• Change in Ownership. In the event OtisHealth is the subject of a change of control or in the event the Platform changes ownership, in whole or in part, or in the event of a bankruptcy, receivership or a similar transaction, we may provide personal information to the subsequent owner(s).

• Other. We may share personal information with third parties when explicitly requested by or consented to by you, or for the purposes for which you disclosed the personal information to us as indicated at the time and point of the disclosure (or as was obvious at the time and point of disclosure).

• Social Media. This Platform does NOT allow you to share the collected data with your social media accounts, like Facebook.

Use and Disclosure of Non-Personal Information

OtisHealth may collect, use, share, transfer and otherwise process de-identified and aggregated information that it receives or creates for any purposes in its sole discretion, in compliance with applicable laws. OtisHealth is the sole and exclusive owner of such de-identified and aggregated information, including if OtisHealth de-identifies personal information so that it is no longer considered personal information under applicable laws.

Children’s Information

Our Platform is not directed at children under 18 years of age. We do not knowingly collect, use, or share personal information from children under 18. If a parent or legal guardian learns that their child provided us with personal information without his or her consent, please contact us and we will make commercially reasonable attempts to delete such personal information.

Data Security

We are required to act in conformance with the Privacy and Security Notice and must protect the security of the information it holds in accordance with Section 10 of the Common Agreement.

We use commercially reasonable technical and organizational measures to protect all individually identifiable information from unauthorized or illegal access, modification, use, or destruction, loss, misuse, and alteration appropriate to the type of personal information processed. If a breach of your personal information occurs, Members affected will be notified electronically as required by Section 10.5.3 of the Common Agreement. Our obligations under the Privacy and Security Notice will continue for as long as identifiable information survives in accordance with Section 10.6 of the Common Agreement. Passwords for affected accounts will be invalidated and will require new passwords to be established. Any data deleted or corrupted by a bad actor (i.e. hacker or malicious software) will, if possible, be recovered from secure back-up servers. Public disclosure of any data breach will be made as required by FTC and HHS Health Data Breach regulations as applicable.

YOU UNDERSTAND THAT NO DATA TRANSMISSION OVER THE INTERNET OR DEVICE CAN BE GUARANTEED TO BE 100% SECURE. WHILE WE STRIVE TO PROTECT PERSONAL INFORMATION, WE DO NOT GUARANTEE THE SECURITY OF PERSONAL INFORMATION AND YOU PROVIDE PERSONAL INFORMATION AT YOUR OWN RISK.

Access from Outside the United States

If you access the Platform from outside the United States, please be aware that personal information may be transferred to, stored in, and processed in the United States. Certain governmental authorities may not consider the level of protection of personal information in the United States to be equivalent to that required by the in other jurisdictions.

Third-Party Websites

The Platform may link to, or be linked to, websites not controlled by us. We are not responsible for third-parties’ privacy policies or practices. This Policy does not apply to any third-party websites or to any data that you provide to third parties. You should read the privacy policy for each website that you visit.

Access & Update Your Information

This platform allows you to access, edit, share or delete the data we have about you. Data sharing may only occur using the Platform and only to other users and individuals to whom you have authorized access. To access or update your personal information as it exists in our records, please visit your account or contact us using the information below.

Content Provided is NOT Medical Advice and is For Informational Purposes Only

All content found on the Platform including text, images, audio, or other formats were created for informational purposes only. The content is not intended to be medical advice or a diagnosis. The content is not a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition. Never disregard professional medical advice or delay in seeking it because of something you have read on this platform. Links to content not created by OtisHealth are taken at your own risk. OtisHealth is not responsible for the claims of external websites and education companies.

If you think you may have a medical emergency, call your doctor, go to the emergency department, or call 911 immediately. OtisHealth does not recommend or endorse any specific tests, physicians, products, procedures, opinions, or other information that may be mentioned on the website or app. Reliance on any information provided by OtisHealth, is solely at your own risk.

Use By Non-Residents

This Privacy Policy is intended to meet the laws and regulations of the United States, which may not necessarily be consistent with the laws and regulations of your home country. Any information that you provide OtisHealth will be treated in accordance with this Privacy Policy, the Terms and Conditions, and U.S. laws. The Platform is not intended for use outside the United States.

Contact Us

If you have questions, concerns or complaints regarding this Policy, contact us at:

OtisHealth, Inc.

21701 Stevens Creek Blvd. #1442, Cupertino, CA 95015 USA

Privacy Policy: www.otishealth.net/privacy

Contact Form: www.otishealth.net/contact

Email: privacy@otishealth.net

Phone: ‪(408) 320-6330‬