Privacy Policy
1. Joining Ciitizen
The Ciitizen Platform enables individuals to collect, maintain, and share all of their health information as they choose via our website located at www.ciitizen.com and other technologies (collectively, the “Ciitizen Services”). The Ciitizen Services may also include providing individuals with insights based on their health information and the health information of others like them. Please see Ciitizen’s Terms of Service for more details. We’re empowering the world’s citizens to conquer disease – by making it possible for all of us to gather, use, and share health information to improve lives.
2. Information Ciitizen Collects
Your Health Records and Self-Reported Information
Ciitizen is a technology service that allows you to upload and/or enable us to request access to copies of your health information and medical records (“Health Records”) through the “right of access” granted to you under HIPAA or the laws applicable to where you are located, as well as through online portal accounts that may be made available to you by some health care providers or health plans.
As part of the Ciitizen Service, you may choose to provide us with: (i) other information about your health, such as information about how you’re feeling or pain management; (ii) other information you’ve shared with third parties, including caregivers, medical professionals and researchers; and (iii) data from wearables or home diagnostic equipment (collectively, “Self-Reported Information”).
Ciitizen consolidates and standardizes Health Records and Self-Reported Information and transforms them into digital data.
Account Information for Ciitizen Account Creation & Maintenance
When you sign up for and use the Ciitizen Service, we collect personal information from you for account creation and maintenance (“Account Information”). Such Account Information includes, as applicable or permitted under law, items such as your name, address, e-mail address, telephone number, your contact preferences, device identifiers, IP address, prior names, addresses, phone numbers, birth date, gender, race or ethnicity, medical or health plan record numbers, and information about your doctors, medical providers and health plans. We will let you know at the time of collection when it is optional for you to provide certain information, and when it is necessary to use certain Ciitizen Services.
Before we can collect your Health Records on your behalf, we ask that you provide us with additional information to confirm your identity: a copy of your driver’s license or other official government photo ID, and/or identifiers associated with your cell phone (e.g., country, device ID and Operating System) (collectively, the (“Identification Information”). Ciitizen contracts with vendors to perform these identity proofing actions. All such vendors are contractually obligated to use your or your Personal Representative’s Identification Information solely for the purpose of identifying you or your Personal Representative. If someone other than you, such as a family member opens an account for you or on your behalf (your “Personal Representative”), we may need to collect additional documentation to verify the identity of that person and verify that person’s authority to act on your behalf, such as your birth certificate, death certificate (in the event of a deceased individual), a health care proxy, or power of attorney to demonstrate familial relationship and legal authorization to obtain Health Records. Ciitizen will review such additional documentation when necessary and use such information solely for the purposes of collecting records the Personal Representative is authorized to access.
In order to verify your identity, we use a third-party identity verification provider that collects a copy of your official government photo ID and images of your face, which are anallyzed and compared to your official ID. The third-party identity verification provider uses your official ID and images solely for purposes of identity verification for Ciitizen. Ciitizen does not collect, nor does it possess, the biometric information that is collected by this third party. For information on this third-party’s privacy practices, you can visit https://withpersona.com/legal/privacy-policy
If you decide you want to enable friends or family members or others to have access to your Ciitizen account, we will collect personal information about those individuals to fulfill your request: name, email, telephone and other information to be used to confirm their identity.
From time to time, Ciitizen will send you emails that communicate information about your account or about products, Ciitizen Services, or offers that may be of interest to you. When you open one of these emails or click on links within the email, we may collect and retain information about your interaction with the email to provide you with future communications that may be more interesting to you. You will have the option of opting out of email communications, except emails that Ciitizen reasonably deems are required by law or necessary to prevent or mitigate a security or fraud risk, or to continue to provide you with the Services.
Health Records Collection and Sources.
We collect personal information about you, including Health Records, using one or more of the following processes:
- Asking you to identify the doctors, medical providers and institutions where you have received care;
- If applicable, asking you to identify your health insurance information;
- If applicable, having you connect Ciitizen to the online portal hosted by your healthcare provider(s) or health plan(s) to obtain any medical or health plan records that can be accessed to populate your Ciitizen account (you will need to enter your specific portal credentials; for example, portal username and password) for the relevant healthcare provider or health plan;
- If applicable, sending a request for your Health Records to healthcare data networks and other medical and health information databases;
- Sending a request for your Health Records to another medical provider that is identified in your Health Records (for example, sending a request for a copy of a lab test result from the laboratory identified in the doctor’s medical record);
- Other instances where you either choose to provide us with certain information or have us collect certain information on your behalf; and
- From time to time we may collect new Health Records on your behalf.
You can also choose to obtain your own Health Records and upload them into your Ciitizen account.
When you sign up for an opportunity offered jointly by Ciitizen and one of our partners, additional personal information may be collected and received by both Ciitizen and our partner that is offering the opportunity. We will let you know at the time of collection when it is optional for you to provide certain information, and when it is necessary to take advantage of the offering. For these jointly offered opportunities, you should also review the partner’s privacy policy, which may include practices that are different from the practices described in this Privacy Policy.
Any information we receive from outside sources will be treated in accordance with this Privacy Policy. We are not responsible or liable for the accuracy of the information provided to us by third parties and are not responsible for any third party’s policies or practices.
Other Types of Information Ciitizen Collects
User Generated Content. Our Service may allow you to engage in blog discussions, message boards, chat rooms, and other forms of social networking and to post reviews and post content, such as messages relating to healthcare experiences, and interact with other users (“User Generated Content” or “UGC”).
Product Interaction and Feedback. We may collect responses to surveys that we invite you to complete, search queries within the Ciitizen Services, and transactions you make regarding the Ciitizen Services. We collect product interaction and feedback that you provide to us through our Service to provide you with the Ciitizen Services, improve and enhance the Ciitizen Services, and conduct research and analytics.
Other Information. We collect any other information you choose to include in communications with us, for example, when sending a message or submitting information through a webform.
3. How Ciitizen Uses Your Information
Ciitizen will use your information to create and manage your Ciitizen account, and also for the following purposes:
- To keep you posted on available clinical trials, products, Ciitizen Services, software updates, and upcoming events. You can opt out of these communications in the manner designated in the specific communication, within your account, or otherwise in the manner provided to you.
- To understand how our users are using the Services.
- To help us create, develop, operate, deliver and improve the Ciitizen Services, including tailoring features and content and development of new products and services.
- When necessary, for loss prevention and anti-fraud purposes and account and network security purposes.
- To create aggregate data regarding use of the Ciitizen services (for example, number of individuals using the platform).
- To send important notices regarding Ciitizen products, including changes to our terms, conditions, and policies. It is not possible to opt out of receiving this information as long as you continue to have a Ciitizen account.
- If applicable, locate your Health Records and help the providers and health plans accurately match and send the correct information to us for your Ciitizen account.
- We analyze Health Records via machine learning and artificial intelligence to identify patterns; this allows us to provide insights to individuals using Ciitizen Services based on aggregated data from their records and to create dynamic patient groups who may be interested in select opportunities to share data (for example, with caregivers, with your medical professionals, to find treatment, or to power research).
- When you ask us to delete your account, your Account Information, Self-Reported Information, and Health Records will be deleted, and further access to your account and the Ciitizen Services will not be possible, in accordance with applicable law.
Ciitizen does not make decisions based solely on automated processing, including profiling, which have legal consequences for, or significantly affect, our users.
Ciitizen may access information about your use of our website or Services in order to create aggregate usage data, for both internal use and in some cases public dissemination. Such statistics will not contain any personal information about you or any Ciitizen users.
Text Messages.
You may opt-in to receive occasional text messages from Ciitizen to receive updates on our Services. Message frequency will vary. You agree that by providing your mobile phone number and opting in to receive text messages, you expressly consent to receive automated text messages from us to the mobile phone number you provide. Consent to receiving text messages is not required in order to be a Ciitizen user. Message and data rates may apply, and you should check the rates of your mobile carrier. Your mobile carrier is not liable for delayed or undelivered messages. You can opt out of receiving text messages by texting STOP in response to any text message. You can also text HELP and we will respond with instructions on how to opt-out of or sign up for text messages from Ciitizen. As we are located in the United States, international rates may apply depending on your location. We share your mobile phone number with service providers with whom we contract in order to send you automated text messages, but we will not share your mobile phone number with third parties for their own marketing purposes without your express consent. Contact us at support@ciitizen.com if you have any questions about our text message program.
We may also use all of the above information to comply with any applicable legal obligations, to enforce any applicable terms of service, and to protect or defend the Services, our rights, the rights of our users, or others. Also, if you stop using our Services, we may continue to store information about your usage but without that information being connected to you or your identity.
4. When Ciitizen Shares Your Information
Ciitizen may share data related to your usage of the Ciitizen Platform – including Account Information – as follows:
- To comply with valid legal process including subpoenas, court orders or search warrants, and as otherwise authorized by law.
- To professional advisors, such as auditors, law firms and accounting firms.
- To protect against fraudulent, malicious, abusive, unauthorized or unlawful use of or subscription to our products and Services and users from such use.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by the Company is among the assets transferred.
- In connection with a bankruptcy, merger, acquisition or sale or other business transaction, involving all or a portion of our assets or business, user information will also be transferred as part of or in connection with the transaction.
- To enforce any applicable terms of service.
- When you request us to share certain information with third parties.
- With service providers/third party contractors who need your information in order to perform Services or functions that enable Ciitizen to function as a company, including:
- Third-party verification companies. If we permit you to create an account, we will provide your Account Information (see above) to a third-party to verify your identity.
- Data analytics service providers. We also may from time to time share information about your website use with third party contractors who are assisting us in analyzing or operating the site
- Email marketing service vendors
- Cloud storage providers
- Payment processors
- Security vendors
- With your consent, with our research partners, such as academic researchers, clinical research organizations and sponsors that facilitate and/or provide clinical trials, real world evidence studies or similar research engagements.
When you make a decision to share your data outside of Ciitizen–including Health Records–the data practices under this Privacy Policy will no longer apply to the information held by that outside entity. We recommend that you review and determine you are comfortable with that entity’s privacy policy prior to sharing your data (including Account Information and Health Records) outside of Ciitizen.
In any circumstance where your consent is sought prior to Ciitizen sharing personal information about you, you will be able to withdraw that consent at any time, provided we can individually identify you in such data. Such withdrawal of consent will apply only to new uses or disclosures of personal information about you within a reasonable amount of time after Ciitizen has received the withdrawal or at such other time as required by applicable law.
5. Retention of Ciitizen Health Records and Self-Reported Data
Because Ciitizen accounts are voluntarily created by individuals, Ciitizen will retain Health Records and Self-Reported Data for so long as an individual maintains an account with Ciitizen.
6. Third-Party Websites
7. Jurisdiction-Specific Provisions
A. California
The California Consumer Privacy Act. Terms used in this section and not otherwise defined have the meaning given to them under the California Consumer Privacy Act of 2018 (“CCPA”). We do not sell personal information collected about you. This Section only applies to users of our Services that reside in the State of California. For purposes of this Section, the term “personal information” does not include publicly available information that is made available from federal, state, or local government records or patient information collected and maintained by us in compliance with the California Confidentiality of Medical Information Act.
In the preceding 12 months, we collected and disclosed for a business purpose the following categories of personal information about California consumers:
Categories of Personal Information | Data Types | Collected? | Categories of Recipients |
---|---|---|---|
Identifiers | Name, e-mail address, IP address, telephone number | Yes | Service providers who process data on our behalf Research partners (only with your consent) |
Personal information categories listed in the California Customer Records statute | Name, social security number, physical characteristics or description, telephone number, driver’s license or state identification card number, etc. | Yes | Service providers who process data on our behalf Research partners (only with your consent) |
Protected classification characteristics under California or federal law | Race, gender | Yes | Service providers who process data on our behalf Research partners (only with your consent) |
Commercial information | Records of products or Services purchased, obtained, or considered, including prescriptions | Yes | Service providers who process data on our behalf Research partners (only with your consent) |
Internet or other similar network activity | Information on a user’s interaction with the website | Yes | Service providers who process data on our behalf |
Geolocation data | IP address data | Yes | Service providers who process data on our behalf |
Professional or employment-related information | Title of profession, employer, etc. | Yes | Service providers who process data on our behalf |
Inferences drawn from other personal information | Profile reflecting a person’s preferences | Yes | Service providers who process data on our behalf |
In addition, to the extent they are contained within your Health Records, which are not subject to the CCPA since they are collected and maintained by us in compliance with the California Confidentiality of Medical Information Act, we may collect:
Categories of Personal Information | Data Types | Collected? | Categories of Recipients |
---|---|---|---|
Biometric information | Imagery of retinas, fingerprints, hands, face, and behavioral characteristics | Yes | Service providers who process data on our behalf Research partners, and other third parties only with your consent |
Sensory data | Audio, electronic, visual, thermal, olfactory information | Yes | Service providers who process data on our behalf Research partners, and other third parties only with your consent |
Professional or employment-related information | Title of profession, employer, etc. | Yes | Service providers who process data on our behalf Research partners, and other third parties only with your consent |
De-identified Patient Information.
We do sell and disclose de-identified patient information exempt from the CCPA to third parties but only with patient/user consent. To de-identify the patient information, we comply with HIPAA de-identification standards.
Sources of Information.
In the preceding 12 months, we received personal information from the sources described above in this Privacy Policy.
Purposes for Collection, Use, and Sharing.
We use and disclose the personal information we collect for our commercial purposes, as further described in this Privacy Policy, including for our business purposes:
- Auditing related to our interactions with you;
- Legal compliance;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and necessary prosecution;
- Debugging;
- Performing Services (for us or our service provider);
- Internal research for technological improvement;
- Internal operations;
- Activities to maintain and improve our Services; and
- Other one-time or short-term uses.
Your Rights.
Where applicable, if you are a California resident you may have the following rights under CCPA in relation to “personal information” we have collected about you as defined in the CCPA; these rights are, to the extent required by the CCPA and subject to verification and any applicable exceptions:
- Right to Know/Access: You have the right to request that we disclose certain information to you about our collection and use of certain personal information about you as described below:
- The specific pieces of personal information collected;
- The categories of personal information collected;
- The categories of sources from whom the personal information is collected;
- The purpose for collecting the personal information; and
- The categories of third parties with whom we have shared the personal information.
- Right to Delete: You have the right to request that we delete the personal information.
- Freedom from Discrimination: You have the right to be free from unlawful discrimination for exercising any of the rights above.
Only you, or someone legally authorized to act on your behalf, may make a request related to personal information collected about you. To designate an authorized agent, the authorized agent must provide sufficient information that allows us to reasonably verify that they have been authorized by you to act on their behalf.
You may also make a request to know or delete on behalf of your child by contacting us using the information provided above.
You may only submit a request to know twice within a 12-month period. Your request to know or delete must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
To fulfill your request, we may ask you for additional information and documents, which may include information previously provided. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.
Non-Discrimination.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
“Shine the Light” – California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@ciitizen.com or write us at: 158 Grand View Avenue, San Francisco, CA 94114.
B. Notice to Residents of Nevada
If you are a Nevada resident, you have the right to opt out of the sale of certain personal information, including your name and mailing address, to third parties. As of the date of this privacy policy, we do not sell any personal information to any third party. If that were to change in the future, we will update this privacy policy.C. Australia
If you are in Australia, the disclosures set out below apply to you in addition to the disclosures set out in the general sections of this Privacy Policy and the Product Specific Policies for Ciitizen Services above.
We will only collect your Health Records from third parties if you give us your consent (for example, by requesting us to seek your Health Records from a third party) and the Health Records are reasonably necessary for one or more of the Ciitizen Services, functions or activities, or as otherwise permitted to do so by law.
How we hold personal information about you. We use Amazon Web Services located predominantly in the United States.
We may disclose personal information about you to recipients outside of Australia, including within the United States.
Complaints. Please get in touch if you have any questions or complaints about how we collect, use or manage personal information about you. You can contact us using the contact information located in the Contacting Us section of this Policy. If you make a complaint, we will endeavor to respond within a reasonable period after the request is made, you have the right to make a complaint to the Office of the Australian Information Commissioner (OAIC). Please note the OAIC requires any complaint to be made to us before you make a complaint to the OAIC. Further details about how to lodge a complaint with the OAIC can be found at https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us.
D. Canada
If you are in Canada, the disclosures set out below apply to you in addition to the disclosures set out in the general sections of this Privacy Policy and the Product Specific Policies for Ciitizen Services above.
Personal information is maintained on our servers or those of our service providers and will be accessible by authorized employees, agents and representatives who require access for the purposes described in this Privacy Policy.
Your Rights.
You may request access to or correction of personal information about you in our control as detailed in the Contacting Us section of the Privacy Policy. These rights are subject to certain exceptions and we may take steps to verify your identity before responding to your request.
We, our service providers and other parties with whom personal information about you may be shared as described in this Privacy Policy may process and store personal information about you outside of Canada, including in the United States and in other countries. While outside of Canada, personal information about you will be subject to applicable local laws, which may not afford the same level of protection to personal information about you as the laws in Canada.
E. European Union, United KingdomIf you are in the European Economic Area (“EEA”) or the United Kingdom (“UK”), the disclosures set out below apply to you in addition to the disclosures set out in the general sections of this Privacy Policy above.
For the purpose of applicable data protection laws, we are the data controller.
Your information will be processed on the basis of the following legal bases:
Purpose | Categories of Data | Legal Basis (Article 6) | Legal Basis (Article 9) |
---|---|---|---|
To keep you posted on available clinical trials, products, Services, software updates, and upcoming events. You can opt out of these communications in the manner designated in the specific communication or within your account. | Account Information Health Records Self-Reported Information |
Consent | Explicit consent |
For loss prevention and anti-fraud purposes and account and network security purposes | Account Information | Our legitimate interests in maintaining the security and integrity of our systems and networks. | N/A |
To send important notices regarding Ciitizen products and Services, including changes to our terms, conditions, and policies | Account Information – name, address, e-mail address, telephone number. | Our legitimate interests in keeping you up to date regarding the Services. | N/A |
To locate your Health Records and help the providers and health plans accurately match and send the correct information to us for your Ciitizen account. | Account Information – name, address, e-mail address, telephone number, prior names, addresses, phone numbers, birth date, gender, race or ethnicity, medical or health plan record numbers, and information about your doctors, medical providers and health plans. | Consent | Explicit consent |
To analyze Health Records to offer you opportunities to share data (for example, with caregivers, with your medical professionals, to find treatment, or to power research ). | Health Records Self-Reported Information |
Consent | Explicit consent |
To allow you to engage in blog discussions, message boards, chat rooms, and other forms of social networking and to post reviews and post content, such as messages relating to healthcare experiences, and interact with other users. | User Generated Content | Consent | Explicit consent |
Your rights.
If you are located in the EEA or the UK, you have certain rights, listed below, in relation to personal information about you.
- Access: You have the right to access information we hold about you, how we use it, and who we share it with.
- Portability: You have the right to receive a copy of the information we hold about you, in a structured, commonly machine-readable form, and to request that we transfer it to a third party, in certain circumstances, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others. and with certain exceptions.
- Rectification/Correction: You have the right to correct any personal information about you we hold that is inaccurate.
- Erasure: In certain circumstances, you have the right to delete the information we hold about you.
- Restriction of processing to storage only: You have the right to require us to stop processing the information we hold about you, other than for storage purposes, in certain circumstances.
- Objection: You have the right to object to our processing of personal information about you.
- Objection to marketing: You can object to marketing at any time by opting-out using the unsubscribe/ opt-out function displayed in our communications to you.
- Withdrawal of consent: You have the right to withdraw your consent at any time.
- Submit a complaint: If you believe we have infringed or violated your privacy rights, please contact us at privacy@ciitizen.com so that we can work to resolve your concerns. You also have a right to lodge a complaint with a competent supervisory authority situated in an EEA Member State of your habitual residence, place of work, or place of alleged infringement.
When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on other’s privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, if you would like to exercise your rights under the applicable law please contact us at privacy@ciitizen.com.
Please note that a number of these rights only apply in certain circumstances, and all of these rights may be limited by law. For example, where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests or where we are required by law to retain personal information about you.
To exercise any of these rights, you can contact us at privacy@ciitizen.com. We will respond to requests to exercise these rights without undue delay and at least within one month (though this may be extended by a further two months in certain circumstances).
Storage and transfer of personal information about you.
The information that we collect from you will be transferred to and stored at/processed in countries outside the EEA and UK. Your information is also processed by staff operating outside the EEA and the UK who work for us or one of our third-party service providers or partners. We will take all steps reasonably necessary to ensure that personal information about you is treated securely and in accordance with this Privacy Policy.
For any transfers of data outside the EEA or the UK, the data transfer will be on the basis of your explicit consent.
We will retain personal information about you as follows:
- Your Health Records and Self-Reported Information for as long as you keep your account open or as needed to provide you with our Services;
- Your Account Information for as long as you keep your account open or as needed to provide you with our Services;
- If you contact us, we will keep your data for as long as you keep your account open or as needed to provide you with our Services;
- Your Usage Information for as long as you keep your account open and as long as its needed to provide our Services and usage metrics; and
- Your UGC, for as long as you keep your account open or as needed to provide you with our Services.
We will also retain and use your information to the extent necessary to comply with our legal obligations, resolve disputes and enforce our terms and conditions, other applicable terms of service, and our policies.
F. India
If you are in India, the disclosures set out below apply to you in addition to the disclosures set out in the general sections of this Privacy Policy and the Product Specific Policies for Ciitizen Services above.
Sensitive Personal Information.
Under local law, Sensitive Personal Information means passwords, financial information such as bank account, credit card, debit card or other payment instrument details, biometric data, physical or mental health details, sex life or sexual orientation, and/or medical records or history, biometric, genetic and gender related information, caste or ethnicity, religious or political affiliations and similar information, excluding information available in the public domain, or accessible by exercise of statutory rights under Indian laws.
Your Rights.
To the extent provided by applicable laws and regulations, you may withdraw any consent you previously provided to us for certain processing activities, and correct or update personal information about you by contacting us as detailed in the Contacting Us section of the Privacy Policy. Where consent is required to process personal information, and you do not consent to the processing or if you withdraw your consent, we may not be able to deliver the expected Ciitizen Services. Your request to withdraw your consent shall not (i) apply retrospectively; or (ii) require deletion of records required for statutory purposes.
G. Singapore
If you are in Singapore, the disclosures set out below apply to you in addition to the disclosures set out in the general sections of this Privacy Policy and the Product Specific Policies for Ciitizen Services above.
Access.
You have the right to access personal information about you, how we use it, and who we share it with. You can access the personal information you have made available as part of your account by logging into your account. If you believe we hold any other personal information about you, please contact us as detailed in the Contacting Us section of the Privacy Policy.
Correction.
You have the right to correct any personal information about you that is inaccurate. You can access the personal information we hold about you by logging into your account. If you believe we hold any other personal information about you and that information is inaccurate, please contact us.
Our designated privacy officer for the purposes of compliance with the Personal Data Protection Act 2012 can be contacted at privacy@ciitizen.com.
H. New Zealand
If you are in New Zealand, the disclosures set out below apply to you in addition to the disclosures set out in the general sections of this Privacy Policy and the Product Specific Policies for Ciitizen Services above.
The New Zealand Privacy Act 2020 and Health Information Privacy Code 2020.
Terms used in this section and not otherwise defined have the meaning given to them in the Privacy Act 2020 (“NZPA”), and the Health Information Privacy Code 2020 (“NZHIPC”).
If you are located in New Zealand, we will collect, store, use, retain, and disclose personal information about you (including your Health Records) in accordance with the requirements of the NZPA and NZHIPC, as applicable.
Storage of personal information.
We store personal information that we collect using Amazon Web Services predominantly located in the United States. You acknowledge and agree that:
- we may store, use, transfer and otherwise process personal information about you in countries other than New Zealand, including in the United States of America;
- agencies to whom we may disclose personal information as set out in this Privacy Policy may store, use, transfer and otherwise process personal information about you in countries other than New Zealand, including in the United States; and
- the laws of such countries may have different privacy and information protection requirements to those set out in the NZPA and NZHIPC.
Notifiable privacy breaches.
We will comply with our obligations in the NZPA relating to notifiable privacy breaches, including our obligation to notify affected individuals as soon as practicable after we become aware that a notifiable privacy breach has occurred.
Your Rights.
Where applicable, if you are located in New Zealand you have the following rights under the NZPA in relation to personal information we have collected about you; these rights are, to the extent required by the NZPA and subject to verification and any applicable exceptions:
- Right to Access: You have the right to access any personal information that we hold about you.
- Right to Correction: You have the right to request that we correct any personal information that we hold about you. We may be unable to change personal information that we hold that has been sourced directly from a third-party such as a medical provider. However, you are entitled to request the correction of any information you believe is incorrect, and request that we attach a statement of the correction sought to personal information about you.
To make a request in relation to the above rights, please contact us us as detailed in the Contacting Us section of this Policy. To fulfill your request, we will need to verify your identity and may ask for additional information and documents, which may include information previously provided. Only you, or someone legally authorized to act on your behalf, may make a request related to personal information collected about you. To designate an authorized agent, the authorized agent must provide sufficient information that allows us to reasonably verify that they have been authorized by you to act on their behalf.
I. Other locations around the world
If you live in another part of the world not specifically mentioned here, please contact us as detailed in the Contacting Us section of this Policy.
Keeping children safeWe do not knowingly market to or solicit personal information from children under the age of 18, without first obtaining parental or legal guardian consent. If we become aware that we have collected any personal information from children under 18 without the authorization of a responsible adult, we will promptly remove such information from our databases.
8. Blogs, Social Networking, and Education or Promotional Content
Ciitizen regularly publishes blog posts and invites any individual to sign up to receive these posts via email. Email addresses are collected from these individuals and used by Ciitizen or a contracted service provider solely to send these blog posts and other Ciitizen marketing or promotional material. Note that individuals who create an account for the Ciitizen Services will receive emails that contain newsletters, links to blog posts and other marketing or promotional content. Any individual – whether or not a Ciitizen account holder – may opt out of receiving any communications from us by following the unsubscribe link in the communications.
As noted above, the Ciitizen Service may from time to time allow you to store, display, reproduce, publish, or otherwise use UGC, and may or may not attribute it to you. These forums are accessible to others and UGC you post can be read, collected, shared, or otherwise used by anyone who accesses the forum. If you post UGC to information sharing forums, including any information about your health, you are doing so by choice and you are providing consent to the disclosure of this information; your UGC will be considered “public” and will be accessible by anyone, including Ciitizen. Please note that we do not control who will have access to the information that you choose to make available to others, and cannot ensure that parties who have access to such information will respect your privacy or keep it secure. We are not responsible for the privacy or security of any information that you make publicly available on the features permitting creation of UGC or what others do with information you share with them on such platforms. We are not responsible for the accuracy, use or misuse of any UGC that you disclose or receive from third parties through the forums or email lists.
9. Integrity of Information
You can keep your Account Information and Self-Reported Information accurate, complete and up to date. Information in your Ciitizen account, sourced directly from a third-party such as a medical provider, health plan, or other health data source (i.e., Health Records) cannot be changed by you or Ciitizen; however, you may upload or have us request on your behalf, updated information, including Health Records.
Changes to this policyWe reserve the right to make changes to this Privacy Policy, in which case we will update the “Last Updated” date at the top of this Privacy Policy. We will give you advance notice of any material changes so you can decide if you want to maintain your account with Ciitizen (except those that may need to be made immediately in order to comply with law or to deal with an urgent situation that threatens the security of information held by Ciitizen or severely impacts Ciitizen’s functionality). The updated Privacy Policy will be effective as of the time of posting, or such later date as may be specified in the updated Privacy Policy.
Contact usIf you have questions, concerns or suggestions related to our Privacy Policy or our privacy or security practices, or if you would like to exercise any of your rights outlined in this Privacy Policy, email our Privacy Officer at privacy@ciitizen.com, or write a letter to:
Privacy Officer
Citizen Health Inc.
158 Grand View Avenue
San Francisco, CA 94114