Effective Date: March 3, 2021
At Buoy Health, Inc. (“We,” “us,” or “Buoy”), we are committed to helping you take the guesswork out of healthcare. To do that, we need to collect, use, and share some of your information. This Privacy Notice is meant to help you understand how Buoy does that and how to exercise the choices and rights you have in your information.
Please read this Privacy Notice carefully. We respect your privacy and we want you to understand how we manage the information you provide to us and the measures we take to protect it.
This Privacy Notice applies to all Buoy users (whether registered or not), to all Buoy platforms and services, including our websites, product features, and other services (collectively, the “Buoy Services” or “Services”), and to our practices for collecting, using, and sharing the Personal Information you provide to us in using the Buoy Services. In this Privacy Notice, the term “you” or “your” refers to the individual who uses the Buoy Services.
You may access our Services through your employer, health plan, health care provider, or another entity or platform that participates in one of Buoy’s enterprise programs (“Enterprise Program”). For some of these Enterprise Programs, Buoy may qualify as a “Business Associate” (as defined by 45 C.F.R. 160.103) under the Health Insurance Portability and Accountability Act of 1996 as amended (“HIPAA”). In these cases, the data that the "Covered Entity" (as defined by 45 C.F.R. 160.103) provides to Buoy about you or the data that we collect from you on behalf of the Covered Entity are also subject to specific terms and conditions under a Business Associate Agreement, as required by HIPAA. Buoy considers such terms and conditions to be part of the Supplemental Terms (as defined below) associated with Buoy's relationship with the corresponding Enterprise Program.
2. THE INFORMATION YOU SHARE WITH US
When you choose to share information with us, we collect and use it to operate the Services. We require certain information to provide you with our Services and any relevant content tailored to you. This information is listed below. In some cases when you use the Buoy Services, we may ask you for Personal Information. “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information may include any of the types of information listed below.
Account Information. When you use the Buoy Services, we may ask you for Account Information. “Account Information” means any information that we may use to identify or contact you, such as your name, age, gender, zip code, telephone number, or email address. You may use our Services whether or not you register a user account (an “Account”). We may combine your Account information with other information you submit to provide you with a better experience and to improve the quality of our Services. In some cases, your Health Information, Employment Information, and/or Health Plan Information may be linked to your Account Information for your convenience to prevent repeat entry and allow you to document your usage of the Services. We also may provide the Services to you without collecting or combining such information. We may also contact you regarding updates about our Services, including relevant changes to this Privacy Notice.
Health Information. As you use the Buoy Services, we may collect Health Information that you provide to us. “Health Information” means any information related to your health, such as symptoms you have identified, your past medical history, and medical testing results that you report to us.
Employment Information. When you use the Buoy Services, we may ask you for Employment Information. “Employment Information” means any information that we may use to identify you relative to your employer, such as your occupation, employer’s name, or workplace location.
Health Plan Information. As you use the Buoy Services, we may ask you for Health Plan Information. “Health Plan Information” means any information that we may use to identify you relative to your health plan or pharmacy benefits plan, such as the name of your health plan, the type of health plan coverage you have, or any identification numbers associated with your health benefits coverage.
Household Information. For some of our Services, we may ask you for information about you or the other people in your household (“Household Information”). Household Information may include whether you, or people in your household, use public transportation, are at higher risk for severe illness, or have been exposed to certain communicable diseases, like COVID-19.
Ratings and Feedback. When you rate or submit feedback about your experience with the Buoy Services, we collect all of the information you provide in your ratings and feedback.
Communicating with Us. When you send email or other communications to Buoy, such as user support inquiries, we may retain those communications in order to process your inquiries, respond, and improve our services. We may use your email address to communicate with you about our services.
3. INFORMATION WE COLLECT FROM THIRD PARTIES
Third parties may provide us with information needed to provide you with the Buoy Services. This information is listed below.
Location Information. When you use the Buoy Services, we may use a third party to collect location information about you by sharing your IP address with that third party. “Location Information” may include your location at the time you access the Buoy Services.
On Behalf of Someone Else. If you use our Services on behalf of someone else, such as a friend or family member, we may collect information about you and that someone else, including the name, age, and gender of you and that someone else.
Other Users and Sources. Other users or public or third-party sources such as law enforcement may provide us with information about you, such as part of an investigation into an incident or to provide you support.
Enterprise Programs. If you use our Services through one of Buoy’s Enterprise Programs, Buoy may collect information about you from the entity that sponsors the Enterprise Program, including your name and contact information. The information we collect from you may be subject to additional terms and conditions set forth between Buoy and that entity (the “Supplemental Terms”), and any Supplemental Terms are hereby incorporated by reference as they may apply. For more information about the Supplemental Terms that may govern your use of our Services through an Enterprise Program, please contact the entity that sponsors your access to the Buoy Services.
4. HOW WE PROTECT THE INFORMATION WE COLLECT
Buoy strives to use reasonable physical, technical, and administrative safeguards (such as firewalls, encryption, identity management, and intrusion prevention and detection) to protect the information you share with us, but no data transmission over the Internet or data storage system is guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your Buoy account might have been compromised), please contact us immediately in accordance with the “Contact Us” section in this Privacy Notice.
We retain your Personal Information for as long as necessary to provide you with the Buoy Services, and as otherwise required by law. This means that we keep your information for as long as you maintain an Account or until we process a request by you to delete your Personal Information (see the “Deleting Your Account” section below), whichever is sooner. In those cases where you have not created an Account, we keep your information for as long as necessary to provide you with the Buoy Services. We may retain Non-Personal Information for as long as we choose to do so.
We retain transactional information, such as contracts related to our enterprise programs, payments, and user support emails, for at least six years to ensure that we can perform legitimate business functions, such as accounting for tax obligations or audits for security purposes.
5. HOW WE USE YOUR INFORMATION
We use your Personal Information to:
- Provide the Buoy Services;
- Maintain the safety and security of the Buoy Services and its users;
- Provide customer support;
- Improve the Buoy Services; and
- Respond to legal proceedings and obligations.
We may also de-identify and/or aggregate your Personal Information such that it no longer constitutes Personal Information. See the “Non-Personal Information” section of this Privacy Notice for more information.
Providing the Buoy Services. We use your Personal Information to provide a unique experience to you with our Services. To do this, we use your Personal Information to:
- Verify your identity and maintain your account, settings, and preferences;
- Connect you to more relevant Buoy Services;
- Communicate with you about the Buoy Services and your experience;
- Collect feedback regarding your experience; and
- Connect you to additional services and programs provided by third parties, such as health care providers and other services in-network, to the extent permitted by law and this Privacy Notice.
Maintaining the Safety and Security of the Buoy Services and its Users. Providing you the Buoy Services safely and securely is important to us. To do this, we use your Personal Information to:
- Authenticate users;
- Investigate and resolve incidents;
- Respond to user support requests;
- Find and prevent fraud; and
- Block and remove unsafe or fraudulent users from the Buoy Services.
Providing Customer Support. We want to provide you with the best experience possible, including support and information when you need it. To do this, we use your Personal Information to:
- Provide you support or respond to you;
- Personalize and provide content, experiences, and communications to inform you about our Services; and
- Investigate, and assist you in resolving questions or issues you have regarding the Buoy Services.
Improving the Buoy Services. We are always working to improve your experience and provide you with new and helpful features. To do this, we use your Personal Information to:
- Perform research, testing, and analysis;
- Prevent, find, and resolve software or hardware bugs and issues; and
- Monitor and improve our operations and processes, including security practices, algorithms, and other models.
Responding to Legal Proceedings and Obligations. In some cases, laws, government entities, or other regulatory bodies impose demands and obligations on us with respect to the services we seek to provide you. In these cases, we may use your Personal Information to respond to those demands or obligations.
6. HOW WE SHARE THE INFORMATION WE COLLECT
We do not sell your Personal Information. To operate the Buoy Services, we may need to share your Personal Information with other users and third parties, for legal reasons, in connection with a sale or merger, or upon your further direction. This section explains when and why we share your information.
Other Users. We only share your information with other users of the Buoy Services when you permit us to do so, such as when you submit a User Story or if you refer someone to the Buoy Services. When you refer someone to the Buoy Services, we will let them know that you generated the referral. If another user referred you, we may share information about your use of the Buoy Services with that user, where permitted by law. For example, we may notify them when you create an Account.
Third Parties. We may share the following categories of your Personal Information to third parties for a business purpose to provide you with the various features of the Buoy Services:
- Account Information, including name, age, gender, zip code, telephone number, or email address;
- Health Information, including symptoms you have identified and your past medical history;
- Employment Information, including your employer’s name, the name of your health plan, or the type of health plan coverage you have; and
- Location Information.
We only share this information with third parties to:
- Maintain and service your Account;
- Provide you with user support;
- Verify your identity;
- Detect and prevent fraud;
- Provide analytics services to Buoy;
- Promote workplace health and safety, and document clearance to return to a workplace during the COVID-19 pandemic if the third-party is your employer;
- Evaluate the effectiveness of the Services;
- Provide support and assist with care coordination, if to your health plan or pharmacy benefits plan; and
- With your consent, connect you to certain third-party services.
For Legal Reasons. We may share your Personal Information in response to a legal obligation, or if we have determined that sharing your Personal Information is reasonably necessary or appropriate to:
- Satisfy any applicable law, regulation, legal process, or enforceable government request;
- Detect, prevent, or otherwise address fraud, security, or technical issues; and
- Exercise or defend legal claims or protect against harm to the rights, property, or safety of Buoy, its users, or the public as required or permitted by law.
In Connection with a Sale or Merger. We may share your Personal Information while negotiating or in relation to a change of corporate control, such as a restructuring, merger, transfer, or sale of our assets.
Upon Your Further Direction. With your permission or upon your direction, we may share your Personal Information in other instances or for other purposes. Unless you permit us to do so, or unless the Service is an essential component to evaluating whether it is safe for you to return to your workplace during the COVID-19 pandemic, we generally do not share your Health Information with your employer (or your spouse’s or parent’s employer if you receive health benefits through their employer’s plan).
7. YOUR RIGHTS REGARDING YOUR INFORMATION
Buoy enables you to access, control, and delete your Personal Information. This section explains the ways you may exercise these rights.
A. All Users in the United States
The information below applies to all users of the Buoy Services in the United States:
Email Subscriptions. You can always unsubscribe from our commercial or promotional emails by clicking the “unsubscribe” button in those messages. We will still send you transactional and relational emails about your use of the Buoy Services.
Text Messages. The Buoy Services may include sending you text messages with regard to your health and symptoms, if you opt-in through our website to receiving text messages. You can opt out of receiving text messages from Buoy by texting the word STOP to us at any time from the mobile device receiving the messages. To re-enable text messages you can text the word UNSTOP to us in response to an unsubscribe confirmation text message.
Account Information. You can review and edit certain account information you have chosen to add to your profile by logging in to your Account and navigating to your account settings.
Location Information. You can prevent your device from sharing location information through your device’s system settings. By doing this, you may impact our ability to provide you our full range of features and services.
Enterprise Programs. If you use our Services through an Enterprise Program, access, control, or deletion of your Personal Information may be subject to Supplemental Terms, including the discretion of the entity that sponsors your access to the Buoy Services. In some cases, Buoy may not be able to respond to your access, control, or deletion request. For more information, please contact the entity that sponsors your access to the Buoy Services.
Deleting Your Account. If you would like to delete your Buoy Account, please contact email@example.com. In your request, please provide your full name, email address, the name of the entity that sponsors your access to the Buoy Services if applicable (such as your employer's name), and the reason you are contacting us, so that we can verify your identity and process your request in an efficient manner. Without the aforementioned information, we will not be able to verify your identity and process your request. In some cases, we will be unable to delete your Account, such as if there is an issue with your Account related to trust, safety, or fraud. If you use our Services through an Enterprise Program, access, control, or deletion of your Personal Information may be subject to Supplemental Terms, including the discretion of the entity that sponsors your access to the Buoy Services to ultimately instruct us to process or deny your request. When we delete your Account, we may retain certain information for legitimate business purposes or to comply with legal or regulatory obligations. For example, we may be obligated to retain your information as part of an open legal claim. When we retain such information, we do so in ways designed to prevent its use for other purposes and in compliance with applicable law.
B. California Residents
The California Consumer Privacy Act and the California Online Privacy Practices Act provide some California residents with rights in addition to the rights above. To exercise any of these rights, please follow the instructions listed in this section. In those cases where Buoy provides Services as part of an Enterprise Program, Buoy shall be deemed a “Service Provider” under the CCPA, and, as a result, Buoy will work with the entity that sponsors the Enterprise Program to respond to a request made under this section. In cases where the Services are subject to a Business Associate Agreement under HIPAA, CCPA shall not apply.
Right to Know. You have the right to know and see what Personal Information we have collected about you over the past 12 months, including:
- The categories of Personal Information we have collected about you;
- The categories of sources from which the Personal Information is collected;
- The business or commercial purpose for collecting your Personal Information;
- The categories of third parties with whom we have shared your Personal Information; and
- The specific pieces of Personal Information we have collected about you.
Right to Delete. You have the right to request that we delete the Personal Information we have collected from you (and direct our service providers to do the same). There are a number of exceptions, however, that include, but are not limited to, when the information is necessary for us or a third party to do any of the following:
- Complete your transaction;
- Provide you with the Services;
- Perform a contract between us and you;
- Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and prosecute those responsible for such activities;
- Fix our system in the case of a bug;
- Protect the free speech rights, including such rights belonging to you or other users, or exercise another right provided by law;
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interests that adheres to all other applicable ethics and privacy laws;
- Comply with a legal obligation; or
- Make other internal and lawful uses of the information that are compatible with the context in which you provided it.
Other Rights. You can request certain information about our disclosure of Personal Information to third parties for their own direct marketing purposes during the preceding calendar year. This request is free and may be made once per year. However, as noted above, Buoy does not disclose your Personal Information to third parties other than for the purposes listed in this Privacy Notice. You also have the right not to be discriminated against for exercising any of the rights listed above.
Exercising these Rights. To request access to or deletion of your Personal Information under California Law, or to exercise any other data rights under California law, please contact firstname.lastname@example.org. In your request, please provide your full name, email address, the name of the entity that sponsors your access to the Buoy Services if applicable (such as your employer’s name), and the reason you are contacting us, so that we can verify your identity and process your request in an efficient manner. Without the aforementioned information, we will not be able to verify your identity and process your request. In some cases, we will be unable to delete your Account, such as if there is an issue with your Account related to trust, safety, or fraud. If you use our Services through an Enterprise Program, access, control, or deletion of your Personal Information may be subject to Supplemental Terms, including the discretion of the entity that sponsors your access to the Buoy Services to ultimately instruct us to process or deny your request. When we delete your Account, we may retain certain information for legitimate business purposes or to comply with legal or regulatory obligations. For example, we may be obligated to retain your information as part of an open legal claim. When we retain such information, we do so in ways designed to prevent its use for other purposes and in compliance with applicable law
Response Time. We aim to respond to a request for access or deletion within 45 days of receiving a verifiable request. If we require more time, we will inform you of the reason and extension period in writing.
Do Not Track. Your web browser may offer you a “Do Not Track” option, which allows you to signal to website operators and web applications and services that you do not want them to track your online activities. The Buoy Services do not support Do Not Track requests at this time.
8. CHILDREN UNDER AGE 13
Our Services are not directed to children, and we do not knowingly collect Personal Information from children under age 13. If we find out that a child under age 13 has given us Personal Information without parental consent, we will take steps to delete that information. Where deletion is not possible, we will take steps to de-identify that information. If you believe that a child under age 13 has given us Personal Information, please contact us in accordance with the “Contact Us” section in this Privacy Notice.
9. NON-PERSONAL INFORMATION
We may de-identify and/or aggregate your Personal Information such that it no longer may be associated with you or identify you individually, consistent with applicable law (this de-identified and/or aggregated information, “Non-Personal Information”). We may use this Non-Personal Information for our business purposes, including but not limited to service improvements, product development and analytics, machine learning, predictive analytics, business operations, and auditing purposes. We also may share this Non-Personal Information with third parties. For example, we may share the total number of times people engaged with the Buoy Services in a particular month or the most common symptoms that are experienced by users who reside in a particular city.
Buoy is controlled and offered by us from the United States; accordingly, this Privacy Notice, and our collection, use and disclosure of your Personal Information, is governed by U.S. law, and not by the laws of any country, territory or jurisdiction other than the United States. We do not represent or warrant that the Buoy Services or any functionality or feature thereof is appropriate or available for use in any particular jurisdiction. If you choose to access or use the Buoy Services, you do so on your own initiative and at your own risk, and you are responsible for complying with all applicable laws, rules and regulations.
11. LINKS TO THIRD PARTY CONTENT AND WEBSITES
The Buoy Services may contain links to content, information, or other practices provided by third parties. Those third parties may have privacy policies that differ from ours. We are not responsible for the content, information, or other practices provided therein. The inclusion of a link or other reference within our Services does not imply any endorsement by us or our affiliates of any linked content, information, or other practices of those third parties. We recommend that you review the policies of those third parties. Please contact those third parties directly if you have any questions about their privacy policies.
12. CHANGES TO THIS PRIVACY NOTICE
We may change this Privacy Notice from time to time. When changes are made, we will make the new Privacy Notice available on the Buoy website and update the date upon which the related terms and conditions are effective (the “Effective Date”). Any time we make material changes to the Privacy Notice, we will provide you with notice via email (if you have provided your email address to us). If you do not agree to the changes after receiving notice of such changes, you should stop using our Services. Otherwise, your continued usage of the Services will mean you accept those changes, to the extent permitted by law. Please regularly check the Buoy website to review the then-current Privacy Notice.
13. CONTACT US
If you have any questions about this Privacy Notice, please visit the Buoy Help Center. There you will find answers to frequently asked questions and a way to chat with our user support team directly. Please note that email communications are not always secure. When communicating with our user support team, please do not include health information or other sensitive information.
14. JOB APPLICANTS
Are you interested in joining the Buoy crew? If so, visit our Careers page for our current job openings.
When you apply for a job at Buoy, we will ask you to provide us with certain information about yourself so we can evaluate your qualifications for the job (“Application Information”) or other purposes, as described below. In this section, a “Candidate” means any individual who applies for a job at Buoy, and “Application” means any of the materials a Candidate submits to us related to a job opening. Candidates choose how much Application Information to provide Buoy. All Application Information provided is on a voluntary basis.
Types of Application Information. We may collect any of the Application Information below. Candidates may provide us with additional information that we have not specifically requested (such as information about hobbies or other interests).
- Contact details, such as the Candidate’s name, address, email address, and other contact information provided on a resume or CV;
- Background information, such as work history and education history; and
- Previous work materials, such as a writing sample.
We may collect additional information from the Candidate depending on the job, such as the Candidate’s response to a prompt or other materials used to evaluate skills relevant to the job. Later in the hiring process we will collect additional information from the Candidate, so that we may contact references or perform a background check.
From time to time, we may obtain information about a Candidate from public sources or third parties. For example, we may review information about a Candidate obtained from social media sites, such as LinkedIn.
How We Use Application Information. We use Application Information for the following purposes:
- Recruitment, evaluation, and hiring for the job that the Candidate has applied for or other opportunities at Buoy (unless the Candidate has told us they do not want to be considered for other opportunities);
- Communications with the Candidate about their application status;
- Application analysis, such as a background check or reference check;
- General HR administration and management, in case you become a Buoy employee;
- Verification, such as a background check or reference check. Buoy uses a third-party service provider for all background checks; and
- Compliance with corporate governance and legal requirements.
Buoy does not use any automated decision making systems in connection with the Applications that we receive.
How Long We Retain Application Information. Buoy retains all Application Information in our system indefinitely, unless the Candidate tells us not to or applicable law prevents us from doing so. If you want us to remove your Application Information from our system, please contact email@example.com. In your request, please provide your full name, email address, and the job to which you applied so that we can verify your identity and process your request in an efficient manner. Without the aforementioned information, we will not be able to verify your identity and process your request.
How We Share Application Information. We may share Application Information with third-party service providers that help us collect, store, and manage Application Information as part of our recruitment process or that help us to conduct background checks. In addition, we may share Application Information as necessary to comply with our legal obligations (such as responding to a lawful government request), to establish, exercise or defend or legal rights, or where we have otherwise obtained your consent. We will always seek to ensure that any third parties who handle your Application Information will do so in a manner consistent with this Privacy Notice and in accordance with applicable law.
In addition to this section, the “Jurisdiction,” “Changes to this Privacy Notice,” and “Contact Us” sections of this Privacy Notice apply to Candidates.