Effective date: December 31, 2021
Updated: March 15, 2022
Our mission is to improve health literacy and to bring healthcare plans, providers and health organizations closer to healthcare consumers and patients through innovative software and information solutions that enable mobile engagement and communication.
Our cloud-based software as a service mobile healthcare consumer engagement platform (our “Platform”) enables our customers to send automated mobile messages to healthcare consumers, such as when a healthcare plan seeks to remind members to get an annual flu vaccination and one-to-one text-based mobile communications between our customers and healthcare consumers, such as when a care coordinator wishes to respond personally to a text message received from a healthcare consumer via the Platform.
Leafpoint processes two broad categories of personal information when you use our products and services:
Your personal information as a customer of the Services — information that we refer to as Customer Data, and
The personal information of your end users who use or interact with the mobile engagement campaigns that you’ve implemented using the Platform – information that we refer to as Consumer Data. This Consumer Data category includes both Consumer Attributes (e.g., user records and communication metadata) and Consumer Content (e.g., communication content).
Leafpoint processes these categories of personal information differently because the direct relationship we have with you, our customer, is different than the indirect relationship we have with your end user (the healthcare consumer).
Health Insurance Portability and Accountability Act of 1996
Some of our customers - such as healthcare insurance plans and healthcare providers - are subject to laws and regulations governing the use and disclosure of health information they create or receive, including the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, together with the regulations adopted thereunder ("HIPAA"). When we store, process or transmit "individually identifiable health information" (as defined by HIPAA) on behalf of a healthcare provider who has entered into a Healthcare Provider User Agreement, we do so as its "business associate" (as also defined by HIPAA). Under this agreement, we cannot use or disclose individually identifiable health information in a way that the provider itself may not. We are also required to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of the individually identifiable health information we store and process on behalf of such providers. For the purpose of this Policy, the term "healthcare provider" means any user who is a "health care provider" (as defined by HIPAA) or any user who is a member of such health care provider's "workforce" (as also defined by HIPAA).
Information Collected by Our Services
Information You Submit or We Collect on Your Behalf:
We collect information from you when you:
Enter information on our Platform, such as when you register for our Services, use our Services to send a message to someone else, or complete a form;
Upload or transfer Consumer Data to our Platform, such as when you provide contact information for healthcare consumers or patients;
Upload a document, image, or other data file on our Services;
Contact us; or
Make a customer service request or attend one of our individual or group training sessions
We also collect information on your behalf when you authorize us to retrieve and import information from another user or other third party within our Services or as set forth in the MSA.
Information we collect about you may include your name, address, telephone number, email address, or the information you enter on or upload to our Services.
Automatically Collected Information:
We and our partners automatically gather information whenever you visit, log in, or otherwise interact with our Services, including when you receive emails delivered via our Services. We and our partners use the technologies described below and similar technologies that may not be expressly described (which we collectively call "Engagement Tools") to gather this information to enhance and operate our Services in a number of ways, such as to:
Save user preferences and information;
Preserve session settings and activity;
Enable support and security features;
Tailor the delivery of informational messages, media, advertising and other content; and
Analyze the performance and use of our Services and its various features and content.
Even if you do not register with us or submit any information on our Services, our Engagement Tools will automatically receive information about, and the software running on, the computer, mobile phone, or tablet (each, a "Device") you use to interact with our Services.
Device Information: When you interact with our Services, we collect information about your Device such as the URL of services your Device is requesting and the referring web pages, your IP address, Device type, operating system, browser type, application identifier, and, under certain circumstances, the location information your Device sends to us.
Cookies & Similar Technologies: We and our partners collect information about you and your Devices through cookies, web beacons, and similar technologies. A "cookie" is a small data file sent from a website and stored on your Device to identify your Device in the future and allow for an enhanced personalized user experience based on your previous activity on the website. A "session cookie" disappears after you close your web browser or may expire after a fixed period of time. A "persistent cookie" remains after you close your web browser and may be accessed every time you use our Services. We and our partners may use both session and persistent cookies on our Services. You should consult your web browser to modify your cookie settings. Please note that if you delete or choose not to accept cookies from us, you may not be able to use certain features of our Services.
Information from Other Sources:
We may receive or proactively gather information about you from other sources and add it to information we otherwise have about you for any purpose described in this Policy. This may include situations where a third party seeks to communicate with you through the Services or establish an "Integration" (as more fully describe below under the heading, Third Party Integrations).
How We Use Information
We may use the information we collect for the following purposes:
Operating our Services and developing new functionality and features;
Responding to questions and communications, or obtaining your feedback about our Services;
Administering and logging your participation in educational and informational programs, including webinars and other classes, and any product or support matters that may arise from such programs;
Providing you with more relevant content, including clinical support tools, assessments or medical-related information or services, patient support programs, advertising, or other programs appearing on our Services or third-party services;
Analyzing usage trends and patterns and measuring the effectiveness of content, programs, advertising or the features or functionality of the Services, including emails that may be sent by us to you;
Preparing reports for any of the purposes described in this Policy, including for current or future sponsors, advertisers or other partners to show utilization or trends about the use of our Services. Such reports may include demographic or other general user information, but will not include personally identifiable information unless the recipient has agreed to confidentiality obligations;
Safeguarding and protecting our Services, the information we collect, and the rights of us, our users or third parties, and in response to legal process;
Any other purpose described in this Policy or your User Agreement; or
When we otherwise have your permission.
How our Services Allow Customers to Share Information:
Our Services can be used to facilitate one-on-one communications between customers and healthcare consumers. Examples include:
Sending an appointment confirmation or other notification to a patient or healthcare plan member;
Making a referral to another healthcare provider; or
Sending a message to a patient or healthcare plan member.
In any one-on-one communication, Customers are sending information to an individual or entity who may not be a user of the Services. Depending on the message, this could include the sharing of contact and other personally identifiable information.
Surveys, Feedback, Informational Programs:
From time to time, you may receive survey requests through emails or displays within our Services that request feedback on a variety of topics. These programs may be sponsored or funded by third parties and may include branded or unbranded content about safety and regulatory information resources. If you choose to engage with or use one of these requests, you may be asked to provide information that may be used to supplement information that you submitted to our Services. This information may be shared with the sponsor of the program.
Emails and Other Communications:
Our Services allow customers to communicate with others through our in-product SMS text messaging services, instant messaging services, emails, and other electronic communication channels. Communications that are sent by or on behalf of a customer are indicated as being "From" that customer, such as when our Services send an appointment notification from, and on behalf of, a healthcare provider to his or her patient. Additionally, we may communicate administrative or Service-related announcements to customers through email or other communications within our Services. These communications may be "real time" communications or communications triggered automatically upon the occurrence of certain events or dates - such as a repeated sign-in failure. Please note that you may not be able to opt out of receiving certain messages from us.
Third Party Integrations
Sharing of Information
Consumer Data you submit to us will never be shared with third parties with the following exceptions:
To detect, prevent, investigate, or address fraud, illegal activity, or violations of our terms and agreements;
In response to legal process, such as a search warrant, court order, or subpoena, or when we have a good faith belief that the law requires us to do so;
We may share information you submit to us with third parties provided it is not classified as Consumer Data under the following circumstances:
When you choose to share such information through our Services, such as "one-to-one" communications between a provider and a patient or another healthcare provider;
When your account has been issued by an account administrator with administrative rights over your account, your account administrator will have access to your account information;
With third party service providers that have agreed to confidentiality obligations, which may include, as applicable, business associate contract obligations;
To protect our Services, the information we collect, and the rights of us, our users, and any third parties, including to verify your identity;
With our current and future subsidiaries or corporate affiliates or actual or potential investors;
In connection with a potential or actual sale, merger, transfer, exchange, reorganization or other disposition (whether of assets, stock, or otherwise) of all or a portion of the business conducted by our Services. If such a transaction occurs, the acquiring company's use of your information will remain subject to this Policy, as may be subsequently amended;
Any other purposes described in this Policy or your User Agreement; or
When we otherwise have your permission.
To help prevent unauthorized access, maintain data accuracy, and protect against the inappropriate use of the information we collect, store, and transmit, we deploy a range of technical, physical and administrative safeguards. Under our Master Services Agreement and applicable law, we are required to apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of individually identifiable health information residing on, and processed by, those elements of our Services that we operate as a business associate on behalf of healthcare providers. It is important to remember, however, that no system can guarantee 100% security at all times. Accordingly, we cannot guarantee the security of information stored on or transmitted to or from our Services.
Third Party Services
This Policy applies only to our Services. It does not apply to services offered by third parties, including websites and other online services that our Services may display links to. When you click on such links, you will be visiting websites or interactive services operated by third parties, who have their own information collection practices and may also collect information through the use of Engagement Tools. We do not have control over how any third party collects or uses information, so you should review their privacy policies to learn of their practices.
Changes to this Policy
We believe in continuous innovation, which, along with changes in our business, may require that we amend this Policy from time to time. We will post a revised Policy along with its effective date on this page. Because this Policy can change at any time, we encourage you to reread it periodically to see if there have been any changes, amendments, or updates. If you object to the changes or any terms within this Policy or the User Agreements, you should discontinue using our Services. Your continued use of our Services following the effective date means that you have consented to the Policy, as amended, changed, or updated.
Viewing and Updating Your Information
Our Services aim to provide you with access to the information you submit and the means to update it within our Services consistent with applicable law. This can be accomplished by logging into our Services and updating that information, or contacting a customer support representative, although please be advised of the important limitations described below. Under certain circumstances, we may ask you to verify your identity before your request is processed.
Please note that, unless you have administrative rights over another user's account pursuant to our Master Services Agreement, you are not entitled to access, update, or delete the content of another user's account.
If you have used our Services to share information with another user or a third party, you will not be able to access, update, or delete that shared information. Further, if another user of our Services submits information that identifies you, you will not be able to access, update, or delete that information.
Certain users - such as healthcare providers - may be required under applicable laws or regulations to retain information about you for extended periods of time or indefinitely. Additionally, we may have independent obligations under applicable laws or regulations to retain such information indefinitely. Finally, for disaster recovery and business continuity purposes we retain copies of data stored by our Services for indefinite periods of time.
HIPAA grants patients certain rights to access and amend certain health information that their healthcare providers retain about them. Patients should submit requests to access or amend their health information directly to their healthcare providers.
If you are a California resident, you may be afforded certain additional rights under the California Consumer Privacy Act of 2018 regarding our use of your personal information. To learn more about your California privacy rights, please see our CALIFORNIA PRIVACY NOTICE.