Privacy Policy

Last updated [01/04/2024]

This Privacy Policy (the “Policy”) governs an end user’s use of DocToMe, Inc.’s (“DocToMe”) ethizo™ mobile application and online platform (the “Software” or “ethizo”). DocToMe is committed to maintaining the security and privacy of your personal information. This Policy discloses DocToMe’s information collection and dissemination practices in connection with the Software and applies solely to the information we collect through those means. This Policy is incorporated by reference into the ethizo End User License and Terms of Use. As used in this Policy, an “end user” may refer to a patient, patient family member or other authorized user of patient’s account, health care provider, or any member of a health care provider’s team, as applicable. This Privacy Policy also provides additional information required under California law about our collection, use and disclosure of the information of California residents from both online and offline sources, along with other required information such as rights that may be available to California residents.

ethizo
For Patients: ethizo’s patient portal allows patient end users to gather, edit, supplement, store, and track certain health care data. It also allows patients to communicate directly with their health care providers. Your health care provider will have provided you with certain privacy notices and practices that allow the health care provider to share your medical information via the Software. DocToMe’s access to your health care data is made available through a separate agreement between your health care provider and DocToMe.

For Health Care Providers: The Software’s provider portal allows health care providers and their team members to enter, edit, view, and share patient-related data. It also allows health care providers to communicate with team members and patients. All access and use of this data are subject to the privacy notices and practices legally required of health care providers with respect to patient health information. Health care providers are responsible for determining uses and disclosures of patient medical information maintained in the Software, in accordance with their legal and professional responsibilities as health care professionals and state and federal medical privacy laws, including the federal Health Insurance Portability and Accountability Act (“HIPAA”).

HOW PATIENTS CAN USE AND SHARE THEIR INFORMATION
Patients can use and share the information made available about them on ethizo with their health care providers and others, as follows:

  • Patients can add Personal Information to their accounts, such as their address, phone number, date of birth, a profile photo, gender, blood type, health conditions, medications, allergies, and body measurements.
  • Patients can upload important documents to their ethizo health profiles, such as medical, lab, insurance, legal, and other documents. Patients may also choose to include Personal Information about others in their profiles by providing DocToMe with names and contact information for emergency contacts and health care providers.
  • Patients can manage their family’s records in the same ethizo account. When a patient adds a family member, the patient may choose to provide Personal Information about them as the patient builds a health profile.
  • Patients can also allow family members or others to log in to their ethizo account using the patient’s email and password. Upon approval by the health care provider, your family member or other party will be granted access to your Personal Information. If you are a patient end user, and you allow a family member to log in to your account, you may select settings to control what information they can see. These settings can be changed by the patient at any time.
  • Patients can create individual ethizo accounts for their family members or others. If a patient creates an account for a family member or other person, this information is transmitted to your health care provider.
  • If a patient chooses to request health records, the health care provider will ask the patient to provide Personal Information as needed to complete a request form that complies with HIPAA requirements. Such Personal Information may include a Social Security number.

Please note that every end user has certain responsibilities when they share or access information via ethizo. When you provide Personal Information about other people, you represent that you have the authority to do so. If you give other people your username and password, it is your sole responsibility to keep that information secure. If you authorize use of your account by another person, you are in charge of deciding how much access that person has to your information.

HOW HEALTH CARE PROVIDERS USE PATIENT INFORMATION VIA ethizo
A patient’s Personal Information is collected by their care team as per guidelines described in the privacy policies provided to a health care provider, and with approval and under supervision of a health care provider. Collection, recording and sharing of a patient’s Personal Information under supervision by a health care provider means that the health care provider and his/her staff can collect, record and share a patient’s Personal Information using the Software. A Patient’s health care provider may also communicate with the patient through ethizo or other means enabled by the Software, such as through text messages, push notifications, video communication, or in-app messaging.

HOW DOCTOME USES INFORMATION
DocToMe’s mission is to help patients manage health information in coordination with their health care providers. To accomplish this, DocToMe must collect certain information, including personal information, about patients and health care providers. When we say “Personal Information,” we mean information that alone or in combination with other information may be used to readily identify, contact, or locate a specific person, such as: name, address, email address, phone number, medical records or certain other health data, insurance information, and payment information including credit or debit card numbers or other financial account numbers. DocToMe does not collect or transmit Personal Information, except as indicated herein.

DocToMe may utilize Personal Information (which in some instances may include protected health information, or “PHI” as defined under privacy laws) on a limited basis as necessary to provide the services, including the following uses and disclosures:

  • Account creation: An end user must provide Personal Information such as name, email address, and a password to create an account. This will allow DocToMe to connect patients and their health care providers, and for patients, is done in coordination with their health care providers.
  • Communication: We may send email to the email address an end user provides to us to verify an account and for informational and operational purposes, such as account management, customer service and system maintenance.
  • Customization: We use information we collect through the Software to customize an end user’s ethizo experience.
  • Organization: We may organize information and patient data at the request of the health care provider.
  • Other Services: A patient may choose to link its ethizo account to certain other services or devices, such as calendars, wearables, scales, fitness trackers, or other health monitoring devices, and DocToMe may collect information related to patient’s use of such services or devices. When these services or devices are administered by a third party, the information practices and policies for those services or devices are the responsibility of that third party.
  • Questions: If an end user contacts DocToMe with questions and requests, we may collect information from the end user in order to provide assistance.

DocToMe will maintain aggregate information regarding usage of the ethizo patient portal for product improvement purposes, but that data will not identify individual patients. Please note that we do not consider Personal Information or PHI to include information that has been anonymized so that it does not allow a third party to identify a specific individual.

AUTOMATICALLY COLLECTED INFORMATION AND ANONYMOUS INFORMATION
We or our third-party service providers use cookies and related tools to provide features and services that enhance your ethizo experience. For example, these technologies may allow ethizo to recognize your device and log you in automatically, remember your preferences, and analyze how you use the DocToMe Services so we can improve your experience.

  • Cookies: A cookie is a small text file that may be stored on the hard drive of a computer or device when you access a website. When you visit ethizo, we may assign your device one or more cookies to facilitate access to our Software and to personalize your experience. You may refuse the service of cookies to your device or delete any existing cookies by changing your browser preferences. As the means by which you can do this vary from browser to browser or device, please refer to your browser’s help menu or device setting for more information. If you refuse or delete cookies, you may not be able to take advantage of all features and functionality of ethizo.
  • Information collected automatically: We may automatically collect information from your browser or device when you use ethizo. This information may include an IP address, device identifier, your browser type, access times, the content of any undeleted cookies your browser received from us, and other non-personally identifiable information that can help us optimize the Software.

HOW WE MAY SHARE YOUR PERSONAL INFORMATION (NOT INCLUDING PHI)
DocToMe will not rent or sell any Personal Information, though we may provide Personal Information of patients to third parties only as per direction from the patient’s health care provider. We do not share Personal Information with other people or nonaffiliated companies for their direct marketing purposes unless we have the end user’s permission.

  • With permission: We may share Personal Information or other information about an end user with third parties at end user’s permission or direction, including when a patient or health care provider directs us to send information to a health care provider.
  • Service providers: We may share any information we receive with vendors and service providers retained to help us provide or improve the Software.
  • As required by law and similar disclosures: We may access, preserve, and disclose end user Personal Information, other account information, and content if we believe doing so is required or appropriate to: comply with law enforcement requests and legal process, such as a court order or subpoena; defend against legal claims; respond to end user requests; protect the rights, property, and safety of end users, DocToMe, or others; or as otherwise required by law.
  • In connection with a merger, sale, or other asset transfer: If we are involved in a merger, acquisition, financing, reorganization, or other substantial corporate transaction, or in the unlikely event of bankruptcy, any information we possess, including Personal Information, may be shared, sold, or transferred as part of such a transaction as permitted by law and/or contract. In such cases, we cannot control how other entities may use or disclose such information.

HOW WE MAY SHARE YOUR PROTECTED HEALTH INFORMATION
In some cases, it may be necessary for a patient end user to allow us to use PHI to facilitate or improve the Software.

WHEN DOCTOME USES YOUR PHI TO FACILITATE OR IMPROVE THE SOFTWARE WITHOUT DIRECTION FROM YOUR HEALTH CARE PROVIDER, IT WILL ALWAYS BE ANONYMIZED PRIOR TO TRANSFER TO A THIRD PARTY.

We may share aggregate or de-identified data with third parties for any purpose.

MODIFYING OR CLOSING YOUR ACCOUNT
An end user may change the settings in its account at any time. Information related to a health record provided by a health care provider can only be modified or deleted by a health care provider. Any patient request for modification or deletion of a health care record must be made directly to the health care provider. If an end user no longer desires to use the Software, it may close the account by sending us an email at info@doctome.org. After an account is closed, an end user will not be able to sign in or access any information. However, a patient’s health care provider is required to retain a patient’s Personal Information and/or PHI for six years as required by law and described in detail in the Business Associate Agreement (“BAA”) between DocToMe and the health care provider. A patient end user can open a new account at any time through its health care provider. We may retain and use your information as described in “Data Retention” below. Please note: if you have provided or shared information to third parties, retention of that information will be subject to those third parties’ policies and practices.

DTM as a Business Associate
Certain Services we provide to our customers or make available to their patients, such as the Portals, as well as certain support operations, involve access to, and the processing of, PHI. This PHI is provided to us pursuant to a service agreement, business associate agreement, or other document with terms and conditions for the Services (the “Customer Documents”) that we have entered with our customers (health care providers or their firms, “Providers”) that also govern our use of PHI of their patients provided by our Provider customers or their patient users. This Privacy Policy supplements the Customer Documents. DTM only uses such PHI as a “business associate” of its Providers, who are “covered entities,” in accordance with any instructions or restrictions provided to DTM by the Provider and in full compliance with the applicable provisions of HIPAA. If you are a patient of a Provider, our use and disclosure of your Protected Health Information are governed by HIPAA and other applicable law and the Customer Documents with your Provider — not by this Privacy Policy. Your Provider’s collection, use, disclosure, and transfer of such PHI are governed, in turn, by your Provider’s terms and conditions and privacy practices between you and your Provider. Please submit all requests and questions related to your PHI directly to your Provider. We are not responsible for how our Provider customers treat PHI we collect on their behalf, and we recommend you review their own privacy policies. Our Sites are generally not intended to collect or retain any PHI. Thus, sections of this Privacy Policy that discuss Personal Information collection on the Sites do not apply to PHI, and we do not request, obtain, use or disclose any PHI through our Sites such as ethizo.com.

Biometric Data
In connection with the Services, DTM may collect or store biometric data, such as fingerprints or facial geometry scans that may identify you, which are used for authentication and verification of your identity. This information may be biometric data under certain laws governing the collection, use, storage, and disclosure of biometric data. By providing such information, you acknowledge that you have been advised of, and understand that, DTM, and its agents and contractors, may collect, use, store, and disclose biometric data for the purposes described in this Privacy Policy. We will not sell, lease, or trade your biometric information. We will retain such biometric data only until the occurrence of the first of the following, at which point the data will be scheduled for deletion: (a) the purposes outlined in this Section have been satisfied, (b) any date of deletion required by applicable law, or (c) three (3) years have passed since your last interaction with our Services. Notwithstanding the foregoing, (1) DTM will not delete biometric data that is PHI unless requested by the applicable Provider, and (2) except as provided in subsection (1), the collection, use, storage, disclosure, and retention of biometric data that is PHI through the use of any of the Services shall be governed by Section 4 of this Privacy Policy and any applicable Customer Documents, not by this Section 9.

AGGREGATED DE-IDENTIFIED INFORMATION
DTM may provide aggregated information related to your Personal Information to some of DTM’s business partners. This information is used in a collective manner and does not identify you individually in any way. If you are a patient of a Provider, we may only create, use or disclose aggregated or certain de-identified PHI as authorized by your Provider in the Customer Documents.

PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
Effective Date: January 1, 2024

This Privacy Notice for California Residents (this “Notice”) supplements the information contained in this Privacy Policy and applies to all visitors to our Site, users and others who reside in the State of California (“you” or as the context requires “your”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), and any terms defined in the CCPA/CPRA have the same meaning when used in this Notice.

COLLECTION OF CCPA/CPRA PERSONAL INFORMATION
Through a user’s interactions with our Services, DTM collects information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“CCPA/CPRA Personal Information”). CCPA/CPRA Personal Information does not include:

  • Publicly available information or lawfully obtained, truthful information that is a matter of public concern;
  • De-identified or aggregated consumer information; or
  • Information excluded from the CCPA’s scope, like: Certain information excluded from the CCPA/CPRA’s scope, such as PHI, health or medical information covered by HIPAA and the California Confidentiality of Medical Information Act (“CMIA”) or clinical trial data.

CCPA/CPRA PERSONAL INFORMATION THAT DTM COLLECTS

| Categories of Collected CCPA/CPRA Personal Information | Examples |
| --- | --- |
| Identifiers | A real name, alias, postal address, unique personal identifiers, Internet Protocol address, e-mail address, account name, Social Security number, driver’s license or state identification number, passport number, telephone number, fax number, username, National Provider Identifier (NPI), APU ID, or other similar identifiers |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Note that some CCPA/CPRA Personal Information included in this category may overlap with other categories. |
| Biometric information | If you have biometric authentication integration as part of DTM’s Services, then we may collect information concerning your fingerprints, faceprints, voiceprints, and iris or retina scans. |
| Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement, page views, first and recent conversion, domain name, and hosting space |
| Geolocation data | Geolocation data from attendees at our conference events, users of our applications, including conference event application, and based on IP address, where associated with a geographic location |
| Audio, electronic, visual, thermal, olfactory, or similar information | Call recordings, photographs such as from practices or depicting providers or staff, videos from practices, photos and videos relating to marketing |
| Professional or employment-related information | Current or past job-related information, including role, job history, and performance evaluation data; information related to a particular company or practice; NPI |
| Education information | Education credentials; school or university attended; year of graduation |
| Inferences drawn from any of the information identified in this table to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
| Sensitive personal information | Driver’s license or state identification number; account passwords |
| Other | Information you provide us regarding your attending a DTM event; customer information regarding products and services; testimonials; other information as described in this Privacy Policy. |

INFORMATION SECURITY
We take steps to ensure that information is treated securely and in accordance with this Policy. DocToMe strictly follows HIPAA/HITECH guidelines and regulations as described in the BAA between DocToMe and a health care provider. Unfortunately, neither the Internet nor any form of electronic storage can be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information provided to us. We do not accept liability for any unintentional disclosure. DocToMe has a BAA with every health care provider that utilizes the Software. The BAA provides details about DocToMe’s responsibilities in case of an information security breach. By using ethizo or providing an email address to us, the end user agrees that we may communicate with him or her electronically regarding security, privacy, and administrative issues relating to their use of the Software.

DATA RETENTION
We will retain your information for as long as an account is active or as needed to provide the end user the Software and as per data retention policies described in the BAA between DocToMe and a health care provider. We will retain and use an end user’s information as necessary to comply with our legal obligations, prevent fraud or abuse, resolve disputes, enforce our agreements, or take other actions permitted by law. Anonymous or aggregated information that does not identify you personally may be retained indefinitely.

CHILDREN’S PRIVACY
We do not knowingly collect, maintain, or use Personal Information or PHI from children under 13 years of age, and no part of the Software is designed for or directed to children under the age of 13. If you learn that your child has provided us with Personal Information or PHI without your consent, you may alert us at info@doctome.org. If we learn that we have collected any Personal Information from children under 13, we will promptly take steps to delete such information and terminate any account created by such children. If you are the parent or guardian of a child under the age of 13, you may choose to manage your child’s health information through your ethizo account.

INTERNATIONAL USERS
DocToMe is located in the United States. By choosing to use ethizo or otherwise provide information to us, you agree that any dispute over privacy or the terms contained in this Policy will be governed by U.S. laws and the adjudication of any disputes arising in connection with DocToMe Services will be in accordance with our End User License Agreement and Terms of Use. If you are visiting or using the Software from the European Union or other regions with laws governing data collection and use, please note that you are agreeing to the transfer of your information to the United States and to processing globally. By providing your information, you consent to any transfer and processing in accordance with this Policy.

CHANGES TO THIS POLICY
DocToMe reserves the right to update this Policy at any time, and we will notify our users of material changes to this Policy by sending a notice to the primary email address specified in the user’s account. Material changes will also be noted in the updated policy. We encourage users to periodically review this page for the latest information on our privacy practices.

CONTACT US
If you have any questions about this Policy, please contact us at:
DocToMe, Inc., 3118 Judson Street, P.O. Box 160, Gig Harbor, WA 98335, US
Email: info@ethizo.com