Version: 3.0
Effective: February 3, 2022

INTRODUCTION

Ceras Health, Inc. (“Ceras Health”) is committed to protecting the privacy of individuals who use our smart health devices, online and/or mobile software as a service application and related applications including I’M HOME!® and other Ceras Apps (“Company Engagement Tools”) and services (collectively, the “Service(s)”), and from whom we collect personal information through other means. We are committed to responding to your questions or concerns regarding the privacy of your personal information as it relates to our Services in a timely manner. Please read this Policy carefully to understand the Ceras Health policies and practices.

When you use the Services or provide personal information to us through other means, you consent to the use of your information as described in this Policy. If you do not agree to the terms of this Policy, please do not use the Services. Your continued use of the Services following the posting of changes to these terms will mean that you accept those changes.

1. WHAT THIS POLICY COVERS

This Privacy Policy (the “Policy”) is designed to inform users of the Service about how we gather, collect, use, maintain, protect, or share your personal information in connection with the use of the Service. This Policy covers how Ceras Health treats your Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) (collectively hereafter “Personal Information”) that Ceras Health collects, receives, maintains, stores, or transmits, including information you transmit or submit to the Services. Your Personal Information is information recorded in any format that identifies you personally, by itself or together with other information that is available to us. It may also include, but is not limited to your name, address, email address, phone number, and information about your health and/or other types of protected health information. Ceras Health gathers Personal Information from you in two capacities: (1) when you independently choose to use the Services, and/or (2) when you use the Services in connection with a Ceras Health customer (a “Customer”).

This Policy does not apply to the practices of business, content, applications or websites Ceras Health does not own or control. In addition, this Policy does not apply to the people Ceras Health does not employ or manage. The Services may display, include or make available content, communications, messages, information, website links, applications or materials from third parties (“Third-Party Content”). This Privacy Policy does not apply to Third-Party Content, and Ceras Health recommends reviewing those Third-Party Content privacy policies individually. Third-Party Content is not under Ceras Health’s control, therefore, Ceras Health assumes no responsibility for any Third-Party Content.

2. INFORMATION WE MAY COLLECT

Ceras Health may collect the following Personal Information.

• Registration: During registration for the Service, we may collect your information as part of the registration process, including but not limited to your name, email address, and date of birth.
• Self-Reported Personal Information: We may collect the information that you transmit automatically from the Company’s smart health devices or manually enter during the course of using the Service, such as but not limited to, information regarding your health and/or medical condition and related behaviors.
• Provider-Reported Personal Information: We may collect the information about you that is submitted with your permission by your healthcare provider, which may include healthcare staff and administrators and/or a health plan, (“Provider”) during the course of using the Service, such as information regarding your health and/or medical condition, including information that may be considered PHI, under the HIPAA privacy and security regulations.
• Caregiver-Reported Personal Information: We may collect the information about you that is submitted with your permission by your Caregiver, which may include a family member, home health aide, primary care physician, and/or caregiver (“Caregiver”) during the course of using the Service, such as information regarding your health and/or medical condition, including information that is considered PHI, under the HIPAA privacy and security regulations.
• Social Information: We may collect information that you provide to us pertaining to the people with whom you consent to share your Personal Information (such as your Caregiver, Provider, or other users) as well as communications between you and such individuals.
• Communications with Provider(s) and Caregiver(s): We may collect communications that take place through the Services between you and your Provider(s) and Caregiver(s).
• Email: If you communicated with us via email, then we may collect your email address, name, and contents of the email, in whole or in part.
• Device Information: In your use of the Service through our mobile site(s) or application(s), we may collect the unique identifier of your device, the operating system, and applicable version.

3. USE OF PERSONAL INFORMATION

Ceras Health may use Personal Information:

• To address your requests for information, products, or services;
• To administer your account;
• To provide you with access to particular tools and services;
• To respond to your inquiries and send you administrative communications;
• To personalize your experience when you use our Services and applications;
• For security and fraud prevention purposes;
• To improve our Services;
• To better understand our Service users and how they use the Service; or

Use “de-identified” information in compliance with HIPAA (defined below) and other applicable privacy and security laws.

4. SHARING OF PERSONAL INFORMATION

Ceras Health will not sell, rent, license, or trade your personal information with third parties for their own direct marketing use unless we receive your express consent to do so. Ceras Health may share your Personal Information in the following ways:

Information Shared with Affiliates: We may share your Personal Information with Ceras Health affiliates, partners, service providers, or other authorized third parties to provide the information, products, and Services that you or the Customer have requested, or to personalize your experience. These affiliates, partners, service providers, or authorized third parties are restricted to use the Personal Information we share with them only for the limited purposes for which we provide it to them, and to take reasonable measures to protect your Personal Information. We do not knowingly allow third parties to use your Personal Information for purposes other than as set forth in this policy.

Information Shared with Third Parties: We may share aggregated, de-identified information with third parties for market analysis, demographic profiling, statistical research, or other similar purposes.

Business Transfers: We may share and/or transfer your personal information with other business entities, in connection with the sale, assignment, merger or other transfer of all or a portion of Ceras Health’s business to such business entity. We will require any such successor business entity to honor the terms of this Policy.

Consent: With your consent, we may share your Personal Information with other companies, individuals, or organizations outside of Ceras Health and not covered in this Policy.

Polls and Surveys: From time to time, Ceras Health may send you poll and/or survey questions to provide us with feedback on our Service. We may collect any responses and information that you provide in the polls and/or surveys.

Testimonials and Endorsements: Ceras Health may use personal testimonials and endorsement of users on our websites, marketing materials, advertising materials, or other reasonable business uses, which may contain such information as the user’s name and location. We will obtain consent of the applicable user prior to using such information. If you provided a testimonial and/or endorsement and wish to update or delete your testimonial and/or endorsement, please contact compliance@cerashealth.com.

Special Circumstances: There are other limited circumstances in which we may share or transfer your Personal Information to unrelated third parties; including, for example, when we believe disclosure is appropriate to comply with a law, regulatory requirement, court order, or a subpoena; to cooperate with law enforcement or other governmental investigations; to prevent or investigate a possible crime, such as fraud or identity theft; to protect legal rights, property, or safety of you, the Customer, Ceras Health, or its affiliates, subsidiaries, employees, agents, or the public in general; to investigate, prevent or take action regarding violations of our End User License Agreement; or to verify or enforce compliance with the policies governing our Services and with applicable laws, or as otherwise required or permitted by law or consistent with legal requirements.

Text Message/ SMS

• No information collected through our text messaging service, including phone numbers, will be shared or sold to/with third parties or affiliates for marketing or promotional purposes.
• Text message content, phone numbers, and any associated health information are considered protected health information (PHI) and will be handled in accordance with HIPAA regulations.
• Opt-in data and consent information for text messaging will be securely stored and not shared with any third parties.
• Text messages and associated data will only be used for appointment reminders, program engagement, and other directly related program/service communications.
• Patients have the right to opt out of text messaging services at any time.
• Text message data will be retained in accordance with applicable healthcare record retention laws and regulations.

5. TECHNOLOGIES USED TO COLLECT INFORMATION

Ceras Health uses cookies and other technologies to ensure everyone who uses the Services has the best possible experience. Cookies also help us keep your account safe. By continuing to use our Services, you are agreeing to the use of cookies and similar technologies for the purposes we describe herein.

Cookies

A “cookie” is a small software file stored temporarily (“Session Cookie”) or permanently (“Persistent Cookie”) on your system(s). The main purpose of a cookie is to allow a web server to identify a user’s computer and web browser, and tailor web pages and/or login information to the user’s preferences. Many websites use cookies as a standard practice to provide useful features when a user visits the website and most web browsers are set up to accept cookies. Cookies don’t give us access to users computers.

Ceras Health may use Session Cookies and/or Persistent Cookies. Ceras Health may use cookies for, including but not limited to the following purposes: authentication purposes, support our security features, or help us understand and improve the Services.

You can set your browser to refuse cookies, but some portions of the Services may not work properly if you refuse cookies. To visit without cookies, you can configure your browser to reject all cookies or to notify you when a cookie is set. Please note that each browser is different, so check the help menu of your browser to learn how to change your cookie preferences.

Web Beacons

A web beacon is an electronic image (also referred to as an “action tag,” “single-pixel,” “clear-pixel,” or “clear GIF”) that is commonly used to track the traffic patterns of users from one web page to another in order to maximize web traffic flow and to otherwise analyze the effectiveness of websites. Some of the Service’s web pages may use web beacons in conjunction with cookies to compile aggregate statistics about website usage. Some web beacons may be unusable if you elect to reject their associated cookies.

Server Logs and IP Addresses

An Internet Protocol (“IP”) address is a number that automatically identifies the computer/device you have used to access the Internet. The IP address enables our server to send you the web pages that you want to visit, and it may disclose the server owned by your Internet Service Provider. Ceras Health may use IP addresses and server logs to conduct website analyses and performance reviews and to administer the Website.

“Do Not Track” Signals

Some Internet browsers include the ability to transmit “Do Not Track” signals. Since uniform standards for “Do Not Track” signals have not yet been adopted, Ceras Health does not process or respond to “Do Not Track” signals.

6. SECURITY OF YOUR PERSONAL INFORMATION

Ceras Health is committed to ensuring the security of your personal information. Ceras Health implements industry standard physical, technical, and administrative security measures and safeguards to protect the confidentiality and security of your Personal Information. Please note, however, that while Ceras Health has endeavored to create a secure and reliable Service for users, we cannot guarantee, ensure or warrant the security or confidentiality of any information transmitted to/from the Services cannot be guaranteed. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or administrative safeguards. It is your responsibility to protect the security of your login information.

7. UPDATING AND RETENTION OF YOUR PERSONAL INFORMATION

You may update, delete or correct your information at any time through the Services or by contacting us. When contacting us, you may be asked to verify your identity. We may limit or deny your request if we are unable to verify your identity, if it involves disclosure of confidential or sensitive information, or is otherwise permitted under applicable law.

We will retain your information for as long as your account is active, as needed to provide you the Services, or as required under HIPAA and other applicable privacy and security laws. If you wish to request that we no longer use your information to provide you Services, contact us. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.

8. CHILDREN’S PRIVACY

USE OF THE SERVICES IS NOT PERMITTED FOR CHILDREN 12 YEARS OF AGE OR YOUNGER. The Services are not designed for, or intentionally targeted at, children 12 years of age or younger. It is not our policy to intentionally collect or maintain information about anyone under the age of 13. Use of the Services by minors aged 13-18 is by agreement of the minor’s parent or legal guardian. Any user age 13-18 must have his or her parent or legal guardian agree to the terms of this Policy. By accessing the Services you acknowledge that you are 18 years or older or, if not, that you are at least 13 years old and your parent or legal guardian have read and agreed to the terms of this Policy. If you believe we have collected personal information from a child under the age of 13, please contact us at: compliance@cerashealth.com.

9. HIPAA AND PHI

Ceras Health is committed to both safeguarding your Personal Information and complying with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the Omnibus regulations promulgating Standards for Privacy of Individually Identifiable Health Information and Security Standards for the Protection of Electronic Protected Health Information promulgated thereto and other applicable privacy and security laws. If the Service contains your PHI, it will be maintained in accordance with applicable law unless and until it is no longer PHI, or until such time as you authorize otherwise.

Ceras Health Customer’s, who are health care providers, are obligated to protect the privacy and security of your medical information in accordance with HIPAA and other applicable laws. Ceras Health may be a “business associate” of its Customers (as such term is specifically defined under HIPAA) and has privacy and security obligations under HIPAA and the terms of its “business associate agreements” (“BAA(s)”) with such Customers. Ceras Health will not use or disclose your PHI, except as permitted by HIPAA and pursuant to the terms of our BAAs. We may use or disclose PHI to provide the Service to you or the Provider. We may also use PHI for our proper management and administration or to carry out our legal responsibilities. For more information about how your Provider may use and disclose your PHI under HIPAA, as assisted by Ceras Health, please review your Provider’s notice of privacy practices.

10. UPDATES AND MODIFICATIONS TO THIS POLICY

If we make any material changes to this Policy, we will notify you by email or by posting a prominent notice in the Services prior to the change becoming effective. Small changes or changes that do not significantly affect individual privacy interests may be made at any time and without prior notice. We display a version number and a date on the policy in the upper left corner of this Policy so that it will be easier for you to know when there has been a change. We encourage you to review this page periodically for the latest information on our privacy practices. Your continued use of the Service constitutes your agreement to be bound by such changes to this Policy. Your only remedy, if you do not accept the terms of this Policy, is to discontinue use of the Service.

11. CONTACT CERAS HEALTH WITH QUESTIONS OR CONCERNS

If you have any questions or concerns about our privacy practices, you may contact us by writing us at: Ceras Health, Inc. ATTN: Privacy 20 Park Plaza Suite 1450 Boston, Massachusetts 02116 Or you may email us at: compliance@cerashealth.com