Privacy Policy

Effective August 2, 2024

At Luma Health your privacy is important to us. Our Privacy Policy describes the information we collect, how we collect information, and the reasons we collect information. This Privacy Policy also describes the choices you have with the information we collect, including how you can manage, update, or request to delete information. 

Please take a moment to review this Privacy Policy. By using our Platform, you are agreeing to the terms of this Privacy Policy. If you have any questions or concerns about this Privacy Policy, you may Contact Us at any time.

Table of Contents

I. Who is Luma Health?

II. Key Terms & Definitions and Our Privacy Policy

When does our Privacy Policy apply?

When does our Privacy Policy not apply?

Our Privacy Policy and Terms of Use.

III. Personal Information

What is Personal Information?

What types of Personal Information do we collect?

How do we collect your Personal Information?

How do we use your Personal Information?

How do we share your Personal Information?

Your choices about how we share your Personal Information.

Rights under Applicable Law.

IV. Children’s Privacy

V. Does Luma Health respond to Do Not Track signals?

VI. Data Security

VII. California’s Shine the Light Law and other Applicable Laws.

VIII. Changes to our Privacy Policy

IX. International

X. Contact Us


I. Who is Luma Health?

Luma Health is a technology company that assists healthcare providers to communicate and engage with their patients.

Luma Health is not a health care provider, nor does it provide medical advice. Please contact your health care provider

II. Key Terms & Definitions and Our Privacy Policy

It is helpful to start by explaining some of our key terms and definitions used in this Privacy Policy. 

| Key Term | Definition |
| --- | --- |
| our “App(s)” | Our mobile applications |
| “Personal Information” | Any information relating to an identified or identifiable individual and any information listed below. |
| “Platform” | Our Website and/or App |
| “Privacy Policy” | This privacy policy. |
| “Products” | Any products available for purchase on our Platform. |
| “Terms of Use” | Our terms of use located here |
| our “Website(s)” | Our websites, including: www.lumahealth.io |
| “Luma Health,” “we,” “us,” or “our” | Luma Health, Inc. |


When does our Privacy Policy apply? 

This Privacy Policy describes the types of information we may collect from you when:

  • You visit or use our Platform;
  • We communicate in e-mail, text message, and other electronic messages between you and us; and 
  • We communicate in person. 

When does our Privacy Policy not apply?

This Privacy Policy does not apply to information collected by any other website operated either by us, unless listed above, or by a third party. 

This Privacy Policy does not apply to information collected from patients who interact with their health care providers (“Provider Platform”). Do not send PHI directly to us; only to your health care provider. Your health care provider is obligated to provide you with a notice of privacy practices describing their collection and use of your health information. The Provider Platform allows patients to communicate with their health care providers, such as texting them or enabling a telehealth visit. All information collected and stored by us or added by patients or their health care providers into the Provider Platforms is considered Protected Health Information (“PHI”) and/or medical information and is governed by applicable state and federal laws that apply to that information, for example the Health Insurance Portability and Accountability Act (“HIPAA”). 

Our Privacy Policy and Terms of Use.

This Privacy Policy is incorporated into our Terms of Use, which also apply when you use our Platform.

 

III. Personal Information

What is Personal Information?

Personal information is information from and about you that may be able to personally identify you. We treat any information that may identify you as personal information. For example, your name and e-mail address are personal information. 

What types of Personal Information do we collect? 

We may collect and use the following personal information (hereinafter, collectively referred to as “Personal Information”):

| Categories of Personal Information | Specific Types of Personal Information Collected |
| --- | --- |
| Personal Identifiers | A real name, birth date, e-mail address, home, billing, shipping address, or telephone number. |
| Information that identifies, relates to, describes, or is capable of being associated with a particular individual | Physical characteristics or description, credit card number, debit card number, or any other financial information, health or medical information, photo, video or voice of an individual. |
| Characteristics of protected classifications under California or federal law. | Race, color, age, national origin, sexual orientation or preference, or disability. |
| Internet or other electronic network activity information | IP address, device mode, device ID, advertising ID, OS version, device language, operating system, browser type, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement. |
| User Generated Content | Information you provide to be published or displayed (hereinafter, “Posted”) on public areas of our Website or transmitted to other users of the Website or other third parties. |


How do we collect your Personal Information?

We collect some Personal Information directly from you, for example when we speak to you by phone, text message, and e-mail. Additionally, we will collect information from you when you visit our Platform and fill out forms, or otherwise purchase services from us.

We may also collect Personal Information in the following ways:

  • When you make payments through the Platform. We do not collect or store financial account information, though we may receive transaction identifiers and summary information that does not include credit card or bank account numbers.
  • When You Contact Us. When you contact Luma Health directly, such as when you contact our customer support team, we will receive the contents of your message or any attachments you may send to us, as well as any additional information you choose to provide.

We will also collect information automatically as you navigate through our Platform.

We, as well as third parties that provide advertising and analytics services to us, may use cookies, pixel tags, local storage, and other technologies (“Technologies”) to automatically collect information through the Services. Technologies are essentially small data files placed on your computer, tablet, mobile phone, or other devices that allow us and our partners to record certain pieces of information whenever you visit or interact with our Services.

  • Cookies. Cookies are small text files placed in visitors’ computer browsers to store their preferences. Most browsers allow you to block and delete cookies. However, if you do that, the Services may not work properly.
  • Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects information about users’ engagement on that web page. The use of a pixel allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may use Facebook Pixel and Instagram
  • Analytics. We may also use Google Analytics, Marketo, LinkedIn Analytics, Gigya, Site Improve, Facebook Analytics, Twitter Analytics, and other service providers to collect information regarding visits, visitor behavior, and visitor demographics on our Services. For more information about Google Analytics see: google.com/policies/privacy/partners/. You can opt out of Google’s collection and processing of data generated by your use of the Services by going to: http://tools.google.com/dlpage/gaoptout. Google Ads (AdWords) remarketing service is provided by Google Inc. You can opt out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads. Facebook’s Data Policy can be found at: https://www.facebook.com/about/privacy/ and you can withdraw your consent for use of your data with Facebook Pixel at: https://www.facebook.com/settings/?tab=ads#_=_
  • Other third party tools. We use other third party tools which allow us to track the performance of our Platform. These tools provide us with information about errors, app and website performance, and other technical details we may use to improve our Platform and/or the Services. 

How do we use your Personal Information? 

We may use your Personal Information for the following purposes:

  • Operate, maintain, supervise, administer, and enhance our Platform or the Services, including monitoring and analyzing the effectiveness of content on the Platform, aggregate site usage data, and other usage of the Platform and/or the Services such as assisting you in completing the registration process.
  • Provide our Products and Services to you, in a custom and user-friendly way. 
  • Provide you with information, Products, or Services that you request from us or that may be of interest to you. 
  • Promote and market our Platform and/or the Services to you. For example, we may use your Personal Information, such as your e-mail address, to send you news and newsletters, special offers, and promotions, or to otherwise contact you about Products or information we think may interest you. We also may use the information that we learn about you to assist us in advertising our services on third party websites. You can opt-out of receiving these e-mails at any time as described below.
  • To provide you notices or about your account. 
  • Contact you in response to a request. 
  • To notify you about changes to our Platform and/or the Services or any Products we offer or provide through them. 
  • Fulfill any other purpose for which you provide it. 
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection. 
  • Anonymize and aggregate information for analytics and reporting. 
  • To respond to law enforcement requests, court orders, and subpoenas and to carry out our legal and contractual obligations.
  • Authenticate use, detect fraudulent use, and otherwise maintain the security of our Platform and the safety of others. 
  • To administer surveys and questionnaires. 
  • To provide you information about goods and services that may be of interest to you, including through newsletters.
  • Any other purpose with your consent. 

How do we share your Personal Information? 

We may share Personal Information with third parties in certain circumstances or for certain purposes, including:

  • Our business purposes. We may share your Personal Information with our affiliates, vendors, service providers, and business partners, including our data hosting and data storage partners, analytics and advertising providers, technology services and support, and data security advisors. We may also share your Personal Information with professional advisors, such as auditors, law firms, and accounting firms.
  • Your healthcare providers or family. With your consent, we may share your information, including information collected from your use of our Platform, with your health care providers. 
  • With your consent. We may share your Personal Information if you request or direct us to do so. 
  • Compliance with law. We may share your Personal Information to comply with applicable law or any obligations thereunder, including cooperation with law enforcement, judicial orders, and regulatory inquiries. 
  • Business Transfer. We may share your Personal Information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our users are among the assets transferred. 
  • To enforce our rights. We may share your Personal Information to enforce any applicable terms and conditions and Terms of Use, and to ensure the safety and security of our Services and our users. 
  • De-identified information. We may also disclose de-identified information, so that it cannot be reasonably used to identify any individual, with third parties for marketing, advertising, research, or similar purposes. 
  • To market our products and services. We may share your Personal Information with affiliates and third parties to market our products and services. 
  • Third Party Analytics. We use Google Analytics and other third-party analytics services to understand and evaluate how visitors interact with our Platform and/or the Services. These tools help us improve our Platform and/or the Services, performance, and your experience.
  • Our affiliated companies
  • International Data Transfers. Information processed by us may be transferred, processed, and stored anywhere in the world, including but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. Where required by applicable law, we will ensure that appropriate safeguards are in place to protect your Personal Information. If we engage a third party to process Personal Information on our behalf, we will also contractually require them to handle your Personal Information appropriately. Further details can be provided upon request.

Except as provided in this Privacy Policy, we do not disclose or sell your personal information.

Your choices about how we share your Personal Information.

    This section of our Privacy Policy provides details and explains how to exercise your choices. We offer you choices on how you can opt out of our use of tracking technology, disclosure of your Personal Information for our advertising to you, and other targeted advertising. We do not control the collection and use of your information collected by third parties. These third parties may aggregate the information they collect with information from their other customers for their own purposes. You can opt out of third parties collecting your Personal Information for targeted advertising purposes in the United States by visiting the National Advertising Initiative’s (NAI) opt-out page and the Digital Advertising Alliance’s (DAA) opt-out page.

    Each type of web browser provides ways to restrict and delete cookies. Browser manufacturers provide resources to help you with managing cookies.

    If you do not wish to have your e-mail address used by Luma Health to promote our own products and services, you can opt-out at any time by clicking the unsubscribe link at the bottom of any e-mail or other marketing communications you receive from us. This opt-out does not apply to information provided to Luma Health as a result of a product purchase, or your use of our Platform and/or the Services. You may have other options with respect to marketing and communication preferences through our Platform.

    Rights Under Applicable Law

    In accordance with applicable law, you may have the right to:

    • Access Personal Information about you consistent with legal requirements. In addition, you may have the right in some cases to receive or have your electronic personal information transferred to another party.
    • Request correction of your Personal Information where it is inaccurate or incomplete. In some cases, we may provide self-service tools that enable you to update your Personal Information or we may refer you to the controller of your Personal Information who is able to make the correction. 
    • Request deletion of your Personal Information, subject to certain exceptions prescribed by law.
    • Request restriction of or object to processing of your Personal Information, including the right to opt in or opt out of the sale of your Personal Information to third parties, if applicable, where such requests are permitted by law.
    • Obtain categories of Personal Information we have either disclosed or sold about consumers in California for a business purpose in the past 12 months.

    IV. Children’s Privacy

    Our Services are not intended for children under 18 years of age. We do not knowingly collect or sell Personal Information from children under the age of 18. If you are under the age of 18, do not use or provide any information on or to the Platform or through any of its features. If we learn we have collected or received Personal Information from a child under the age of 18 without verification of parental consent, we will delete it. If you are the parent or guardian of a child under 18 years of age whom you believe might have provided us with their Personal Information, you may Contact Us to request the Personal Information be deleted.

    V. Does Luma Health respond to Do Not Track signals?

    Some web browsers have a “Do Not Track” feature. This feature lets you tell websites you visit that you do not want to have your online activity tracked. These features are not yet uniform across browsers. Our Platform is not set up to respond to those signals.

    VI. Data Security

    We have taken steps and implemented administrative, technical, and physical safeguards designed to protect against the risk of accidental, intentional, unlawful, or unauthorized access, alteration, destruction, disclosure, or use. The Internet is not 100% secure and we cannot guarantee the security of information transmitted through the Internet. Where you have been given or you have chosen a password, it is your responsibility to keep this password confidential. 

    The sharing and disclosing of information via the internet is not completely secure. We strive to use best practices and industry standard security measures and tools to protect your data. However, we cannot guarantee the security of Personal Information transmitted to, on, or through our Services. Any transmission of Personal Information is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures contained on our Platform, in your operating system, or mobile device. 

    VII. California’s Shine the Light Law.

    California Civil Code Section 1798.83 (California’s “Shine the Light” law) permits users of our Platform and/or the Services that are California residents and who provide Personal Information in obtaining products and services for personal, family, or household use to request certain information regarding our disclosure of Personal Information to third parties for their own direct marketing purposes. If applicable, this information would include the categories of Personal Information and the names and addresses of those businesses with which we shared your Personal Information for the immediately prior calendar year (e.g. requests made in 2021 will receive information regarding such activities in 2020). You may request this information once per calendar year. To make such a request, please Contact Us using the information below.

    VIII. Changes to our Privacy Policy

    We may update our Privacy Policy periodically to reflect changes in our privacy practices, laws, and best practices. We will post any changes we make to our Privacy Policy on this page with a notice that the Privacy Policy has been updated on our Website’s homepage or our App’s home screen. If we make material changes to our practices with regards to the Personal Information we collect from you, we will notify you by e-mail to the e-mail address specified in your account and/or through a notice on the Website’s home page or the App’s home screen. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable e-mail address for you, and for periodically accessing the App or visiting our Website and reviewing this Privacy Policy to check for any changes. 

    IX. International

    We are based in the U.S. and the information we collect is governed by U.S. law. If you are accessing the Sites from outside of the U.S., please be aware that information collected through the Sites may be transferred to, processed, stored, and used in the U.S. and other jurisdictions. Data protection laws in the U.S. and other jurisdictions may be different from those of your country of residence. Your use of the Sites or provision of any information therefore constitutes your consent to the transfer to and from, processing, usage, sharing, and storage of information about you in the U.S. and other jurisdictions as set out in this Privacy Policy.

    Luma Health as a Data Controller: For purposes of data protection laws, Luma Health Inc., a company duly incorporated and organized under the laws of the United States of America, having its registered address as detailed herein, is the “data controller” of personal information collected and/or processed through your use of our service. This Privacy Policy applies only to instances where Luma Health acts as a data controller. In regards to the purposes of personal data processing, third parties who may receive personal data, and rights to access, limit use and limit disclosure of personal data, please review this privacy policy.

    Luma Health as a Data Processor: Wherever our customers use our services to submit, manage, or otherwise use content relating to our customers’ end users during the provision of our services, we act as a “data processor” and only process such information on behalf and under the instruction of the respective customer, who is the data controller. As such, this Privacy Policy does not apply to such processing.

    Please note that we may not have obligations under international data protection laws based on the size and scope of our business.

    EEA, Switzerland, and UK Individuals

    Legal Bases for Use of Your Information. Our legal grounds for processing your information are as follows:

    • To honor our contractual commitments to you: Much of our processing of personal data is to meet our contractual obligations to our users, or to take steps at users’ requests in anticipation of entering into a contract with them. For example, we handle personal data on this basis to allow you to sign up for our Platform.
    • Consent: Where required by law, and in some other cases, we handle personal data on the basis of your implied or express consent.
    • Legitimate interests: In many cases, we handle personal data on the ground that it furthers our legitimate interests in commercial activities in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals. This includes: operating our business and the Platform; providing security for our websites, products, software, or applications; marketing; receiving payments; preventing fraud; and knowing the customer to whom we are providing the Platform.
    • Legal compliance: We need to use and disclose personal data in certain ways to comply with our legal obligations (such as our obligation to disclose data to tax authorities).

    Data Subject Rights. Residents of the European Economic Area (“EEA”), Switzerland, and the UK can exercise certain data subject rights available to them under applicable data protection laws. Where such rights apply, we will comply with requests to exercise these rights in accordance with applicable law. Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation. If these rights apply to you, they may permit you to request that we:

    • Right of access: You have the right to request access to your personal information and to ascertain the nature of the data being processed.
    • Right of rectification: You have the right to request the rectification or amendment of incorrect personal information we hold about you.
    • Right to erasure: You have the right to request the deletion or removal of your personal data in certain circumstances, such as when it is no longer necessary for the purpose for which it was originally collected.
    • Right to restriction of processing: You have the right to limit the way in which we process your personal information under specific circumstances.
    • Right to object to processing: You have the right to object to the processing of your personal data in certain circumstances, including opposition to direct marketing.
    • Right to data portability: You have the right to obtain and reuse your personal data in a structured, commonly used, machine-readable format that supports re-use for your own purposes across different services, thereby enabling you to move, copy or transfer your data easily.

    If applicable, you may make a complaint to the data protection supervisory authority in the country where you are based. Alternatively, you may seek a remedy through local courts if you believe your rights have been breached.

    In instances where we process personal information on behalf of our customer, rights requests should be directed to the relevant customer.

    Data Privacy Framework

    Luma Health complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Luma Health has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Luma Health has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Data Privacy Framework Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

    Inquiries and Dispute Resolution

    In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Luma Health commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Luma Health at support@lumahealth.io. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Luma Health commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

    If neither Luma Health nor our dispute resolution provider resolves your complaint, you may have the possibility to engage in binding arbitration through the Data Privacy Framework Panel. For more information on this option, please see Annex I of the EU-U.S. Data Privacy Framework Principles.

    Luma Health may share personal information with third-party service providers that perform services on behalf of Luma Health. Luma Health may be liable if these third parties fail to meet their obligations, and Luma Health is responsible for the event giving rise to the damage.

    U.S. Federal Trade Commission Enforcement

    The Federal Trade Commission has jurisdiction over Luma Health’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

    Compelled Disclosure

    Luma Health may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

    X. Contact Us

    If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, you may contact us at the contact information below or through the “Contact Us” page on the Platform. 

    How to Contact Us:

    Luma Health, Inc.

    support@lumahealth.io

    3 East 3rd Ave, Suite 401
    San Mateo, CA 94401