Privacy Policy

Last updated [01/24/2025]

This Privacy Policy (the “Policy”) governs an end user’s use of DocToMe, Inc.’s (“DocToMe”) ethizo™ mobile application and online platform (the “Software” or “ethizo”). DocToMe is committed to maintaining the security and privacy of your personal information. This Policy discloses DocToMe’s information collection and dissemination practices in connection with the Software and applies solely to the information we collect through those means. This Policy is incorporated by reference into the ethizo End User License and Terms of Use. As used in this Policy, an “end user” may refer to a patient, patient family member or other authorized user of patient’s account, health care provider, or any member of a health care provider’s team, as applicable. This Privacy Policy also provides additional information required under California law about our collection, use and disclosure of the information of California residents from both online and offline sources, along with other required information such as rights that may be available to California residents.

ethizo
For Patients: ethizo’s patient portal allows patient end users to gather, edit, supplement, store, and track certain health care data. It also allows patients to communicate directly with their health care providers. Your health care provider will have provided you with certain privacy notices and practices that allow the health care provider to share your medical information via the Software. DocToMe’s access to your health care data is made available through a separate agreement between your health care provider and DocToMe.

For Health Care Providers: The Software’s provider portal allows health care providers and their team members to enter, edit, view, and share patient-related data. It also allows health care providers to communicate with team members and patients. All access and use of this data are subject to the privacy notices and practices legally required of health care providers with respect to patient health information. Health care providers are responsible for determining uses and disclosures of patient medical information maintained in the Software, in accordance with their legal and professional responsibilities as health care professionals and state and federal medical privacy laws, including the federal Health Insurance Portability and Accountability Act (“HIPAA”).

HOW PATIENTS CAN USE AND SHARE THEIR INFORMATION
Patients can use and share the information made available about them on ethizo with their health care providers and others, as follows:

  • Account creation: On the direction of the patient’s health care provider, the patient must provide Personal Information such as name, email address and a phone number to create an account. This will allow DocToMe to connect patients and their health care providers.
  • Communication: We may send emails to the email address provided by the end user for purposes such as verifying an account, delivering informational and operational updates, managing the account, providing customer service, and performing system maintenance.
  • Customization: We use information we collect through the Software to customize an end user’s ethizo experience.
  • Organization: We may organize information and patient data at the request of the health care provider.
  • Other Services: A patient may choose to link their Ethizo account to certain other services or devices, such as calendars, wearables, scales, fitness trackers, or other health monitoring devices. DocToMe may collect information related to the patient’s use of such services or devices to enhance their healthcare experience. When these services or devices are administered by a third party, the information practices and privacy policies of those third parties govern the collection, use, and disclosure of any data by those services or devices.
  • Questions: If an end user contacts DocToMe with questions and requests, we may collect information from the end user in order to provide assistance.

Please note that the end users have certain responsibilities when they share or access information via ethizo. When they provide Personal Information about other people, they represent that they have the authority to do so. If they authorize use of their account by another person, they are in charge of deciding how much access that person has to their information.

HOW HEALTH CARE PROVIDERS USE PATIENT INFORMATION VIA ethizo
Patients’ Personal Information is collected by their health care provider and the health care provider’s staff included in the patient’s care team as per guidelines described in the privacy policies provided to the patients by their health care provider, and with approval and under supervision of their health care provider. Collection, recording and sharing of a patient’s Personal Information under supervision by a health care provider means that the health care provider and his/her staff can collect, record and share a patient’s Personal Information using the Software. A patient’s health care provider may also communicate with the patient through ethizo or other means enabled by the Software, such as through text messages, push notifications, video communication, or in-app messaging.

HOW DOCTOME USES INFORMATION
DocToMe’s mission is to help patients manage health information in coordination with their health care providers. To accomplish this, DocToMe must collect certain information, including personal information, about patients and health care providers. When we say “Personal Information,” we mean information that, alone or in combination with other information, may be used to readily identify, contact, or locate a specific person. This includes: name, address, email address, phone number, medical records, certain other health data, insurance information, and payment information such as credit or debit card numbers or other financial account numbers, which are processed securely through our PCI-compliant feature. DocToMe does not collect or transmit Personal Information, except as indicated herein.

  • Account creation: An end user must provide Personal Information such as name, email address, and a password to create an account. This will allow DocToMe to connect patients and their health care providers, and for patients, is done in coordination with their health care providers.
  • Communication: We may send email to the email address an end user provides to us to verify an account and for informational and operational purposes, such as account management, customer service and system maintenance.
  • Customization: We use information we collect through the Software to customize an end user’s ethizo experience.
  • Organization: We may organize information and patient data at the request of the health care provider.
  • Other Services: A patient may choose to link their Ethizo account to certain other services or devices, such as calendars, wearables, scales, fitness trackers, or other health monitoring devices. DocToMe may collect information related to the patient’s use of such services or devices to enhance their healthcare experience. When these services or devices are administered by a third party, the information practices and privacy policies of those third parties govern the collection, use, and disclosure of any data by those services or devices.
  • Questions: If an end user contacts DocToMe with questions and requests, we may collect information from the end user in order to provide assistance.

DocToMe may utilize Personal Information (which in some instances may include protected health information, or “PHI” as defined under privacy laws) on a limited basis as necessary to provide the services, including the following uses and disclosures:

DocToMe will maintain aggregate information regarding usage of the ethizo patient portal for product improvement purposes, but that data will not identify individual patients. Please note that we do not consider Personal Information or PHI to include information that has been anonymized so that it does not allow a third party to identify a specific individual.

AUTOMATICALLY COLLECTED INFORMATION AND ANONYMOUS INFORMATION
We or our third-party service providers use cookies and related tools to provide features and services that enhance your ethizo experience. For example, these technologies may allow ethizo to recognize your device and log you in automatically, remember your preferences, and analyze how you use the DocToMe Services so we can improve your experience.

  • Cookies: A cookie is a small text file that may be stored on the hard drive of a computer or device when you access a website. When you visit ethizo, we may assign your device one or more cookies to facilitate access to our Software and to personalize your experience. You may refuse the service of cookies to your device or delete any existing cookies by changing your browser preferences. As the means by which you can do this vary from browser to browser or device, please refer to your browser’s help menu or device setting for more information. If you refuse or delete cookies, you may not be able to take advantage of all features and functionality of ethizo.
  • We may automatically collect information from your browser or device when you use ethizo. This information may include an IP address, device identifier, your browser type, access times, the content of any undeleted cookies your browser received from us, and other non-personally identifiable information that can help us optimize the Software.

HOW WE MAY SHARE YOUR PERSONAL INFORMATION (NOT INCLUDING PHI)
DocToMe will not rent or sell any Personal Information. However, a patient’s healthcare provider may share the patient’s Personal Information with other healthcare providers and entities, solely at their own discretion as permitted under HIPAA and HITECH regulations, for purposes such as providing care to the patient or as required by law. We do not share personal information, including text messaging opt-in data or consent details, with third parties, individuals, or nonaffiliated companies for their independent use.

  • With permission: We may share Personal Information or other information about an end user with third parties with the end user’s permission or at their direction, including when a patient or healthcare provider instructs us to share information with another healthcare provider or entity.
  • As required by law and similar disclosures: We may access, preserve, and disclose end user Personal Information, other account information, and content if we believe doing so is required or appropriate to: comply with law enforcement requests and legal process, such as a court order or subpoena; defend against legal claims; respond to end user requests; protect the rights, property, and safety of end users, DocToMe, or others; or as otherwise required by law.
  • In connection with a merger, sale, or other asset transfer: If we are involved in a merger, acquisition, financing, reorganization, or other substantial corporate transaction, or in the unlikely event of bankruptcy, any information we possess, including Personal Information and Protected Health Information (PHI), may be shared, sold, or transferred as part of such a transaction, as permitted by law and any applicable contractual obligations. Any party receiving such information will be required to adhere to HIPAA and HITECH regulations, and to the obligation to safeguard and protect PHI as required under the law.

HOW WE MAY SHARE YOUR PROTECTED HEALTH INFORMATION
In some cases, it may be necessary for a patient end user to allow us to use Protected Health Information (PHI) to facilitate or improve the Software. When DocToMe uses your PHI to facilitate or improve the Software without specific direction from your healthcare provider, it will always be anonymized or de-identified before being transferred to a third party. We may share aggregate or de-identified data with third parties for any purpose. DocToMe will never rent or sell any Personal Information, including anonymized or de-identified data.

MODIFYING OR CLOSING YOUR ACCOUNT
An end user may change the settings in their account at any time. However, information related to a health record provided by a healthcare provider can only be modified or deleted by the healthcare provider. Any patient request for modification or deletion of a health record must be made directly to the healthcare provider. If an end user no longer wishes to use the Software, they may close their account by sending an email to info@doctome.org. After an account is closed, the end user will no longer be able to sign in or access any information. However, a patient’s healthcare provider is required to retain the patient’s Personal Information and/or Protected Health Information (PHI) for six years, as mandated by law and described in the Business Associate Agreement (“BAA”) between DocToMe and the healthcare provider. A patient end user may open a new account at any time through their healthcare provider.
We may retain and use your information as described in the “Data Retention” section below. Please note: If you have provided or shared information with third parties, the retention of that information will be subject to the policies and practices of those third parties.

DTM as a Business Associate
Certain Services we provide to our customers or make available to their patients, such as the Portals, as well as certain support operations, involve access to, and the processing of, PHI. This PHI is provided to us pursuant to a service agreement, business associate agreement, or other document with terms and conditions for the Services (the “Customer Documents”) that we have entered with our customers (health care providers or their firms, “Providers”) that also govern our use of PHI of their patients provided by our Provider customers or their patient users. This Privacy Policy supplements the Customer Documents. DocToMe (DTM) only uses Protected Health Information (PHI) as a “business associate” of its Providers, who are “covered entities,” in accordance with the instructions or restrictions provided to DTM by the Provider and in full compliance with the applicable provisions of HIPAA. If you are a patient of a Provider, our use and disclosure of your PHI are governed by HIPAA, other applicable laws, and the Customer Documents with your Provider — not by this Privacy Policy. Your Provider’s collection, use, disclosure, and transfer of PHI are governed by the terms and conditions and privacy practices established between you and your Provider.
Please submit all requests and questions related to your PHI directly to your Provider. We are not responsible for how our Provider customers handle the PHI we collect on their behalf, and we recommend reviewing your Provider’s privacy policies for further details.
Ethizo’s other Permissions
Ethizo requires certain permissions to deliver its services effectively. All data collected through these permissions will be used exclusively for the purposes described in this Privacy Policy and only with the end user’s explicit consent. We retain data collected through these permissions only for as long as necessary to fulfill its intended purposes or to comply with applicable legal retention requirements. Any disclosure of such data will be strictly limited to what is necessary to provide the App’s services or to meet legal obligations.
SMS Data
The Ethizo mobile app accesses SMS messages solely for the purpose of facilitating two-factor authentication (2FA) login. This functionality is designed to enhance the user experience by automatically detecting and populating One-Time Passwords (OTPs) received via SMS during the 2FA login process. The app does not access, store, or use SMS messages for any other purpose.
Media and Storage Access
The Ethizo mobile app enables healthcare providers to access media and storage data on their device, including images, videos, and audio files. This access is strictly limited to purposes such as managing patient records, uploading documents, and integrating multimedia content relevant to healthcare services. The app does not access or use this data for any other purposes.
Microphone Access
Healthcare providers may utilize the device’s microphone to collect audio data for features such as voice dictation and patient documentation. This access is exclusively intended to support healthcare workflows and is not used for any other purposes.
Bluetooth Connectivity
The healthcare provider can access Bluetooth features, if needed, to scan for and connect to nearby devices, such as medical instruments, to facilitate real-time data exchange and enhance patient care.
Phone Call Functionality
The App may use phone call permissions to initiate calls for healthcare-related communication. This feature is only activated with the healthcare provider’s explicit consent. Any recording of phone calls with patients is solely at the discretion of the healthcare provider and must comply with applicable laws and regulations, including obtaining the patient’s consent where required. Phone call recordings are used only as necessary to provide the Services and must adhere to all relevant privacy and security requirements.
Location Data
The App may collect precise or approximate location data (via GPS or network-based methods) exclusively for healthcare providers. This data is used to assist providers in calculating real-time traffic conditions and estimating travel times to reach specific facilities. Location data is collected only as necessary to provide this functionality, is not used for any other purpose, and is only activated with the provider’s explicit consent.
Biometric Data
The ethizo mobile app may collect or use biometric data, such as fingerprints or facial geometry scans, for authentication and verification of your identity. This data is used solely for the purposes described in this Privacy Policy.

AGGREGATED DE-IDENTIFIED INFORMATION
DocToMe (DTM) may provide aggregated information derived from your Personal Information to some of DTM’s business partners. This information is used in a collective manner for purposes such as analytics, or improving services, and does not identify you individually in any way. This ensures that any data shared is anonymized and cannot be traced back to any specific individual.

PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
This Privacy Notice for California Residents supplements the information provided in our general Privacy Policy and applies solely to individuals residing in the State of California. It is provided to comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Any terms defined in the CCPA/CPRA have the same meaning when used in this Notice.
COLLECTION OF CCPA/CPRA PERSONAL INFORMATION
We collect the following categories of personal information from California residents:

  • Identifiers. Examples: Name, address, email, phone number, login credentials, and unique user IDs.
  • Personal Information Categories Listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e)). Examples: Medical history, treatment records, insurance details, and payment information.
  • Protected Classification Characteristics Under California or Federal Law. Examples: Age, gender, marital status, and disability status (if provided voluntarily).
  • Commercial Information. Examples: Details of transactions, such as payments for services or products.
  • Internet or Other Electronic Network Activity Information. Examples: Interaction history with our web application, mobile applications, or portals, including log-in times and IP addresses.
  • Geolocation Data. Examples: Approximate physical location based on device IP address or settings.
  • Professional or Employment-Related Information. Examples: For healthcare providers, licensing details, and affiliated institution information.
  • Inferences Drawn from Other Personal Information. Examples: Preferences or insights derived from service usage to enhance user experience.

Purpose of Collection
We collect personal information to:
  • Provide, maintain, and improve our software and services.
  • Facilitate communication between patients, providers, and administrators.
  • Ensure compliance with legal, regulatory, and contractual obligations.
  • Enhance user experience through personalized features and technical support.
  • Process payments and manage transactions securely.

CCPA/CPRA PERSONAL INFORMATION THAT DTM COLLECTS
As a California resident, you have the following rights regarding your personal information:
  • Right to Know: You can request information about the personal data we collect, use, and disclose.
  • Right to Delete: You can request deletion of your personal information, subject to exceptions under the law.
  • Right to Correct: You can request corrections to inaccurate personal information.
  • Right to Opt-Out: You can direct us not to sell or share your personal information.
  • Right to Limit Use of Sensitive Personal Information: You can restrict the use of sensitive personal information to what is necessary for our service delivery.

How to Exercise Your Rights
To exercise these rights, you can contact us via the contact details provided at the bottom of this page. We will verify your identity and respond to your request in accordance with applicable law.
Do Not Sell or Share My Personal Information
We do not sell or share personal information as defined under CCPA/CPRA. If our practices change in the future, we will update this policy and provide a mechanism for opting out.
Retention of Personal Information
Personal information is retained only as long as necessary to fulfill the purposes outlined in this policy and to comply with applicable legal, regulatory, and contractual obligations.
Security Measures
We implement robust security practices, including encryption, access controls, and periodic audits, to safeguard your personal information. However, no security method is infallible, and we encourage users to take steps to protect their accounts.
Non-Discrimination
We will not discriminate against you for exercising your CCPA/CPRA rights.
Updates to This Notice
We may update this Privacy Notice from time to time. The “Last Updated” date at the top of this page reflects the most recent changes.
INFORMATION SECURITY
We take steps to ensure that information is treated securely and in accordance with this Policy. DocToMe strictly follows HIPAA/HITECH guidelines and regulations as described in the BAA between DocToMe and a health care provider. Unfortunately, neither the Internet nor any form of electronic storage can be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information provided to us. We do not accept liability for any unintentional disclosure. DocToMe has a BAA with every health care provider that utilizes the Software. The BAA provides details about DocToMe’s responsibilities in case of an information security breach. By using ethizo or providing an email address to us, the end user agrees that we may communicate with him or her electronically regarding security, privacy, and administrative issues relating to their use of the Software.
DATA RETENTION
We will retain your information for as long as an account is active or as needed to provide the end user the Software and as per data retention policies described in the BAA between DocToMe and a health care provider. We will retain and use an end user’s information as necessary to comply with our legal obligations, prevent fraud or abuse, resolve disputes, enforce our agreements, or take other actions permitted by law. Anonymous or aggregated information that does not identify you personally may be retained indefinitely.
CHILDREN’S PRIVACY
We do not knowingly collect, maintain, or use Personal Information or PHI from children under 13 years of age, and no part of the Software is designed for or directed to children under the age of 13. If you learn that your child has provided us with Personal Information or PHI without your consent, you may alert us at info@doctome.org. If we learn that we have collected any Personal Information from children under 13, we will promptly take steps to delete such information and terminate any account created by such children. If you are the parent or guardian of a child under the age of 13, you may choose to manage your child’s health information through your ethizo account.
INTERNATIONAL USERS
DocToMe is located in the United States. By choosing to use ethizo or otherwise provide information to us, you agree that any dispute over privacy or the terms contained in this Policy will be governed by U.S. laws and the adjudication of any disputes arising in connection with DocToMe Services will be in accordance with our End User License Agreement and Terms of Use. If you are visiting or using the Software from the European Union or other regions with laws governing data collection and use, please note that you are agreeing to the transfer of your information to the United States and to processing globally. By providing your information, you consent to any transfer and processing in accordance with this Policy.
CHANGES TO THIS POLICY
DocToMe reserves the right to update this Policy at any time, and we will notify our users of material changes to this Policy by sending a notice to the primary email address specified in the user’s account. Material changes will also be noted in the updated policy. We encourage users to periodically review this page for the latest information on our privacy practices.

CONTACT US
If you have any questions about this Policy, please contact us at:
DocToMe, Inc., 3118 Judson Street, P.O. Box 160, Gig Harbor, WA 98335, US
Email: info@ethizo.com