PRIVACY POLICY
Last modified: 26 February 2025
CONTENTS
Introduction… 2
Children Under the Age of 18… 3
Information We Collect About You and How We Collect It… 3
Information You Provide to Us… 4
User Contributions… 4
Information We Collect Through Automatic Data Collection Technologies… 5
Third-Party Use of Cookies and Other Tracking Technologies… 6
How We Use Your Information… 6
Disclosure of Your Information… 7
Choices About How We Use and Disclose Your Information… 8
Accessing and Correcting Your Information… 9
Your State Privacy Rights… 9
Data Security… 10
International Data Transfers and Storage… 11
Data Retention… 12
Service Providers and Subcontractors… 12
Incident Response and Breach Notification… 13
Special Categories of Data… 13
Mobile Application Privacy… 14
Machine Learning and Analytics… 14
Business Transitions… 14
Employee Training and Awareness… 14
Changes to Our Privacy Policy… 15
Contact Information… 15
INTRODUCTION
Plan Path, Inc. (“Company” or “We”) respects your privacy and is committed to protecting it through our compliance with this policy. As a provider of healthcare analytics software and services, we understand the critical importance of maintaining the confidentiality and security of Protected Health Information (PHI) and other sensitive data.
This policy describes the types of information we may collect from you or that you may provide when you visit the website www.plan-path.com (our “Website”) and our practices for collecting, using, maintaining, protecting, and disclosing that information. This policy applies to both our website visitors and our healthcare provider clients who use our services.
This policy applies to information we collect:
On this Website.
Through our software-as-a-service platform accessed via this Website.
In email, text, and other electronic messages between you and this Website.
Through mobile and desktop applications you download from this Website, which provide dedicated non-browser-based interaction between you and this Website.
When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this policy.
Through our APIs and integrations with healthcare provider systems.
Through any data uploaded or transmitted through our services.
It does not apply to information collected by:
Us offline or through any other means, including on any other website operated by Company or any third party (including our affiliates and subsidiaries); or
Any third party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from or through the Website.
Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.
CHILDREN UNDER THE AGE OF 18
Our Website and services are not intended for children under 18 years of age, though our services may process healthcare data about patients of all ages when provided by authorized healthcare providers in compliance with HIPAA and other applicable regulations. No one under age 18 may provide any personal information to or on the Website. We do not knowingly collect personal information from children under 18. If you are under 18, do not use or provide any information on this Website or through any of its features, register on the Website, make any purchases through the Website, use any of the interactive or public comment features of this Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 18 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 18, please contact us at [email protected].
INFORMATION WE COLLECT ABOUT YOU AND HOW WE COLLECT IT
We collect several types of information from and about users of our Website and services, including information:
By which you may be personally identified, such as name, postal address, email address, telephone number, medical license numbers, NPI numbers, or any other identifier by which you may be contacted online or offline (“personal information”);
Protected Health Information (PHI) as defined by HIPAA, which includes demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that healthcare professionals collect to identify and treat their patients;
That is about you but individually does not identify you, such as technical usage data, browser type, and device information; and/or
About your internet connection, the equipment you use to access our Website, and usage details.
We collect this information:
Directly from you when you provide it to us.
Automatically as you navigate through the site. Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, and other tracking technologies.
From third parties, for example, our business partners.
Information You Provide to Us
The information we collect on or through our Website may include:
Information that you provide by filling in forms on our Website. This includes information provided at the time of registering to use our Website, subscribing to our service, posting material, or requesting further services. We may also ask you for information when you report a problem with our Website.
Protected Health Information that our healthcare provider clients input or upload to our service platform as part of their use of our services. This information is governed by our Business Associate Agreement with each healthcare provider client and is handled in accordance with HIPAA requirements.
Records and copies of your correspondence (including email addresses), if you contact us.
Your responses to surveys that we might ask you to complete for research purposes.
Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.
Your search queries on the Website.
User Contributions
You also may provide information to be published or displayed (hereinafter, “posted”) on public areas of the Website, or transmitted to other users of the Website or third parties (collectively, “User Contributions”). Your User Contributions are posted on and transmitted to others at your own risk. Although we limit access to certain pages and you may set certain privacy settings for such information by logging into your account profile, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.
Information We Collect Through Automatic Data Collection Technologies
As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:
Details of your visits to our Website, including traffic data, access logs, location data, and other communication data and the resources that you access and use on the Website.
Information about your computer and internet connection, including your IP address, operating system, and browser type.
We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). We provide detailed information on how you can opt out of behavioral tracking on this website and how we respond to web browser signals and other mechanisms that enable consumers to exercise choice about behavioral tracking at the bottom of this page.
The information we collect automatically may include personal information, and we may maintain it or associate it with personal information we collect in other ways or receive from third parties. This helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:
Estimate our audience size and usage patterns.
Store information about your preferences, allowing us to customize our Website according to your individual interests.
Speed up your searches.
Recognize you when you return to our Website.
Ensure compliance with HIPAA security requirements.
The technologies we use for this automatic data collection may include:
Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.
Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies. For information about managing your privacy and security settings for Flash cookies, see Choices About How We Use and Disclose Your Information.
Web Beacons. Pages of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company to count users who have visited those pages or opened an email and for other related website statistics.
THIRD-PARTY USE OF COOKIES AND OTHER TRACKING TECHNOLOGIES
Some content or applications, including advertisements, on the Website are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.
We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information.
HOW WE USE YOUR INFORMATION
We use information that we collect about you or that you provide to us, including any personal information and PHI:
To present our Website and its contents to you in a secure, HIPAA-compliant manner.
To provide you with information, products, or services that you request from us, including healthcare analytics and insights based on Medicare data.
To fulfill our obligations under our Business Associate Agreements with healthcare providers and comply with all applicable privacy and security regulations.
To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
To notify you about changes to our Website or any products or services we offer or provide through it.
To analyze and improve the accuracy and effectiveness of our healthcare analytics services.
To allow you to participate in interactive features on our Website.
To maintain the security and integrity of our systems and protect against unauthorized access to PHI.
We may also use your information to contact you about our own and third-parties’ goods and services that may be of interest to you, in compliance with applicable laws and regulations. If you do not want us to use your information in this way, please adjust your user preferences in your account profile or contact us at [email protected].
We may use the information we have collected from you to enable us to display advertisements to our advertisers’ target audiences. Even though we do not disclose your personal information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.
DISCLOSURE OF YOUR INFORMATION
We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.
We may disclose personal information that we collect or you provide as described in this privacy policy:
To our subsidiaries and affiliates.
To contractors, service providers, and other third parties we use to support our business.
To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Plan Path’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Plan Path about our Website users is among the assets transferred.
To third parties to market their products or services to you if you have not opted out of these disclosures. For more information, see Choices About How We Use and Disclose Your Information.
To fulfill the purpose for which you provide it.
For any other purpose disclosed by us when you provide the information.
With your consent.
We may also disclose your personal information:
To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
To enforce or apply our Terms of Use, or Terms of Service and other agreements, including for billing and collection purposes.
If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Plan Path, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
CHOICES ABOUT HOW WE USE AND DISCLOSE YOUR INFORMATION
We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:
Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
Disclosure of Your Information for Third-Party Advertising. If you do not want us to share your personal information with unaffiliated or non-agent third parties for promotional purposes, you can opt out by checking the relevant box located on the form on which we collect your data or by sending us an email stating your request to [email protected].
Promotional Offers from the Company. If you do not wish to have your contact information used by the Company to promote our own or third parties’ products or services, you can opt out by checking the relevant box located on the form on which we collect your data or by sending us an email stating your request to [email protected]. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions.
Targeted Advertising. If you do not want us to use information that we collect or that you provide to us to deliver advertisements according to our advertisers’ target-audience preferences, you can opt out by visiting our preference center or contacting us at [email protected].
We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI’s website.
Residents of certain states, such as California, Nevada, Colorado, Connecticut, Virginia, and Utah may have additional personal information rights and choices. Please see Your State Privacy Rights for more information.
ACCESSING AND CORRECTING YOUR INFORMATION
You can review and change your personal information by logging into the Website and visiting your account profile page.
You may also send us an email at [email protected] to request access to, correct or delete any personal information that you have provided to us. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.
If you delete your User Contributions from the Website, copies of your User Contributions may remain viewable in cached and archived pages, or might have been copied or stored by other Website users. Proper access and use of information provided on the Website, including User Contributions, is governed by our terms of use.
Residents of certain states, such as California, Nevada, Colorado, Connecticut, Virginia, and Utah may have additional personal information rights and choices. Please see Your State Privacy Rights for more information.
YOUR STATE PRIVACY RIGHTS
State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.
California residents have specific rights regarding their personal information under both the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and California’s “Shine the Light” law:
Under the CCPA/CPRA, California residents have the right to:
Know what personal information we collect and how we use and disclose it;
Delete their personal information (subject to certain exceptions);
Correct inaccurate personal information;
Opt out of the sale or sharing of their personal information;
Limit the use and disclosure of their sensitive personal information;
Not be discriminated against for exercising these rights.
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected].
Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:
Confirm whether we process their personal information.
Access and delete certain personal information.
Data portability.
Opt out of personal data processing for targeted advertising and sales.
Colorado, Connecticut, and Virginia also provide their state residents with rights to:
Correct inaccuracies in their personal information, taking into account the information’s nature and processing purpose.
Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
To exercise any of these rights please email [email protected]. To appeal a decision regarding a consumer rights request, please contact our Privacy Officer at [email protected].
Nevada provides its residents with a limited right to opt out of certain personal information sales. Residents who wish to exercise this sale opt-out right may submit a request to [email protected]. However, please know we do not currently sell data triggering that statute’s opt-out requirements.
DATA SECURITY
We have implemented measures designed to secure your personal information and PHI from accidental loss and from unauthorized access, use, alteration, and disclosure in accordance with HIPAA Security Rule requirements. These measures include:
All PHI is encrypted at rest and in transit using industry-standard encryption technologies.
Access to PHI is strictly controlled through role-based access controls and multi-factor authentication.
All system activities are logged and regularly audited for security purposes.
Regular security assessments and penetration testing of our systems.
Comprehensive disaster recovery and business continuity plans.
Regular employee training on privacy and security procedures.
All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions and Protected Health Information will be encrypted using SSL technology.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. We urge you to be careful about giving out information in public areas of the Website. The information you share in public areas may be viewed by any user of the Website.
Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information and implement reasonable security measures to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.
INTERNATIONAL DATA TRANSFERS AND STORAGE
As a healthcare technology company operating primarily in the United States, we generally process and store all protected health information (PHI) on servers located within the United States. However, we may transfer, process and store other non-PHI personal information in other countries where we or our service providers maintain facilities or business operations. By using our Website and services, you acknowledge that your personal information may be transferred to countries outside your country of residence, which may have different data protection rules than your country.
When we transfer personal information across borders, we implement appropriate safeguards including:
Standard contractual clauses approved by relevant data protection authorities.
Data processing agreements with strict privacy and security requirements.
Verification of recipient countries’ data protection adequacy status.
Technical measures such as encryption and access controls.
DATA RETENTION
We retain different categories of data for different periods based on legal requirements, operational needs, and industry best practices:
Protected Health Information (PHI): Retained in accordance with HIPAA requirements and applicable state laws, typically for a minimum of six years from the date of creation or last use.
Account Information: Maintained as long as your account is active and for a reasonable period afterward to comply with legal obligations.
Usage Data: Retained for up to 24 months to support service improvement and security monitoring.
Backup Data: Maintained according to our disaster recovery protocols, typically no longer than 30 days.
Marketing Communications Data: Kept until you opt out plus a reasonable period to implement your request.
Upon contract termination, we follow specific data destruction protocols in accordance with HIPAA requirements and industry standards.
SERVICE PROVIDERS AND SUBCONTRACTORS
We work with carefully selected service providers and subcontractors who help us deliver our healthcare technology services. To ensure privacy and security, we maintain a current list of all third parties who may access personal information or Protected Health Information (PHI). Our cloud infrastructure providers form the backbone of our service, providing secure platform hosting and data storage capabilities that meet healthcare compliance requirements.
We enhance our security through specialized monitoring services that continuously protect against unauthorized access and emerging threats. To improve our services while maintaining privacy, we partner with analytics providers who work only with de-identified data, ensuring that personal information remains protected during analysis. Our customer support infrastructure includes specialized tools that help us assist users efficiently while maintaining strict privacy controls. We also engage professional service providers, including auditors, legal counsel, and consultants, who bring specialized expertise to our operations.
Every service provider must meet rigorous privacy and security standards before accessing any data. Where PHI access is necessary, providers must sign Business Associate Agreements that establish their obligations under HIPAA. We require comprehensive Data Processing Agreements that specify exactly how providers may handle personal information. All providers must also agree to strict confidentiality obligations and meet our security requirements. We regularly assess our providers’ security controls and compliance through detailed audits and reviews.
INCIDENT RESPONSE AND BREACH NOTIFICATION
Our incident response program combines continuous monitoring with rapid response capabilities to protect sensitive healthcare information. We operate a 24/7 security monitoring system that uses advanced automated threat detection to identify potential security issues in real-time. When our systems detect a potential threat, our incident classification protocols help us quickly determine the severity and appropriate response level. We maintain a clearly defined response team structure with specific responsibilities and communication procedures to ensure efficient incident handling. Throughout any incident, we follow strict documentation requirements to track our response actions and support post-incident analysis.
If a security incident involves PHI, we take immediate action to protect information and notify affected parties. We promptly inform affected healthcare providers about the incident, typically within hours of confirmation, and provide detailed information about potential impacts. Our team works closely with providers to support their HIPAA breach notification obligations and ensure appropriate communication with affected individuals. After addressing immediate security concerns, we conduct thorough post-incident analysis to identify necessary improvements and implement corrective measures. We maintain comprehensive incident logs and documentation to track our response efforts and demonstrate regulatory compliance.
SPECIAL CATEGORIES OF DATA
As a healthcare technology provider, we handle particularly sensitive health information that requires specialized protection under multiple regulatory frameworks. Protected Health Information forms the core of our data processing activities and receives comprehensive protection under both HIPAA and state-specific health privacy laws. When working with Medicare data, we follow strict Centers for Medicare & Medicaid Services requirements that govern how this information must be handled, stored, and protected. For substance use disorder information, we implement additional safeguards required by 42 CFR Part 2, which provides enhanced privacy protections beyond standard HIPAA requirements. Genetic information receives specialized protection under the Genetic Information Nondiscrimination Act and various state genetic privacy laws, requiring additional security measures and use limitations. We also maintain specific protections for mental health information, which often requires enhanced privacy controls under state-specific regulations.
MOBILE APPLICATION PRIVACY
Our mobile applications incorporate multiple layers of privacy protection to secure sensitive healthcare information in the mobile environment. We carefully limit device permissions to only those absolutely necessary for app functionality, such as camera access for document scanning or location services for finding nearby providers. When tracking app usage for improvement purposes, our mobile analytics collect only essential information while maintaining user privacy. We give users complete control over push notifications, allowing them to choose which alerts they receive and how they receive them. All data stored on mobile devices is protected with strong encryption, ensuring security even when offline. Users can access additional privacy controls specifically designed for mobile use, providing granular control over their information.
MACHINE LEARNING AND ANALYTICS
Our approach to machine learning and analytics prioritizes privacy while advancing healthcare outcomes. We exclusively use de-identified data for training our machine learning models, ensuring that personal information remains protected. Our machine learning systems incorporate privacy-preserving techniques at every stage, from data preprocessing to model deployment. We maintain detailed documentation of our analytical methods to ensure transparency and enable review of our privacy protections. By following strict data minimization principles, we use only the minimum information necessary to achieve our analytical goals. We implement robust controls throughout our analytics pipeline to prevent any possibility of re-identifying individuals from analytical outputs.
BUSINESS TRANSITIONS
During organizational changes like mergers or acquisitions, we maintain uninterrupted privacy protection for all personal information. Our comprehensive transition protocols ensure that privacy safeguards remain fully effective throughout any organizational restructuring. We implement secure data transfer procedures that protect information during any necessary system migrations or organizational changes. All existing privacy commitments and contractual obligations continue without interruption, ensuring consistent protection regardless of organizational changes. We proactively communicate with users about any material changes that might affect their privacy rights and continue to honor all existing privacy choices and consent decisions.
EMPLOYEE TRAINING AND AWARENESS
We maintain a comprehensive privacy training program that begins with mandatory initial training for all employees. Our annual refresher courses keep staff updated on evolving privacy requirements and emerging threats. Employees receive specialized training based on their specific roles and access to sensitive information. Ongoing security awareness education helps staff recognize and respond to privacy risks. Regular compliance testing verifies that employees maintain current knowledge of privacy requirements and best practices.
CHANGES TO OUR PRIVACY POLICY
It is our policy to post any changes we make to our privacy policy on this page with a notice that the privacy policy has been updated on the Website home page. If we make material changes to how we treat our users’ personal information or PHI, we will notify you by email to the primary email address specified in your account and through a notice on the Website home page. The date the privacy policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.
CONTACT INFORMATION
To ask questions or comment about this privacy policy and our privacy practices, contact us at:
Privacy Officer
Plan Path, Inc.
Email: [email protected]
For technical support or to report a potential security incident, please contact: [email protected]
To register a complaint or concern, please email [email protected]. We will investigate all complaints and respond within 30 business days.