Privacy Policy

Your privacy is important to us. This privacy statement explains our collection, use, and disclosure of personal information. This privacy statement applies to prolaio, Inc. and to our controlled affiliates and subsidiaries (“prolaio”). References to our “Services” in this statement include our websites, web-based applications, mobile applications, care management services, clinical artifacts, and other products and services in the United States and internationally.

This privacy statement does not apply to any Services that link to a different privacy statement. This privacy statement also does not apply to Services that are subject to state medical privacy laws or otherwise exceed the scope of this privacy statement. Additionally, in some circumstances prolaio provides services to hospitals and medical providers. In those instances, prolaio may be a Business Associate and processing your protected health information under the direction of a HIPAA Covered Entity. This privacy statement does not apply to protected health information when prolaio is a Business Associate. For more information about how your protected health information is handled in such situations, please refer to your medical provider’s Medical Notice of Privacy Practices.

Personal Information We Collect

The personal information we collect depends on how you interact with us, the Services you use, and the choices you make.

We collect information about you from different sources and in various ways when you use our Services, including information you provide directly, information collected automatically, information from third-party data sources, and information we infer or generate from other information.

Information you provide directly. We collect personal information you provide to us. For example:

• Name and contact information. We collect name, username or alias, and contact details such as email address, postal address, and phone number.
• Demographic information. In some cases, such as when you register with us or participate in a care program or complete a survey, we collect age, date of birth, gender, marital status, and similar demographic details.
• Provider information. If you register with us as a health care provider, we collect your practice affiliation, company or employer organization, medical specialty, National Provider Identifier, and other professional or employment information.
• Employment-related information. If you apply for employment through our Services, we collect information such as your resume and job application information, which may include educational information such as your degrees and transcripts, that you submit when applying for a job.
• Financial information. If you make a purchase or other financial transaction, we collect credit card numbers, financial account information, and other payment details.
• User-generated content and files. We collect audio and video recordings, photos, documents, and other files you upload to our Services.
• Content of prolaio communications. We collect recordings or transcripts of audio and video communications you have with us, as well as the contents of your communications with us via our Services, such as through our website, forms, applications, surveys, chat features, and other channels.
• Sensitive Personal Information.
  • Government ID. We collect government-issued identifiers such as driver’s license, passport number, and social security numbers.
  • Account access information. We collect information such as a username or account number in combination with a password, security or access code, or other credential that allows access to an account.
  • Sensitive demographic information. We collect information about racial or ethnic origin.
  • Static Health information. We collect certain information concerning your health, including your weight, blood pressure, diagnosis and cardiovascular health history.
  • Dynamic (real-time) health information. We collect vital signs and other streaming data sets from on-body sensors.

Information we collect automatically. When you use our Services, we collect some information automatically. For example:

• Identifiers and device information. When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the “Cookies, Mobile IDs, and Similar Technologies” section below, our websites and online Services store and retrieve cookie identifiers, mobile IDs, and other information.
• Geolocation information. Depending on your device and app settings, we collect geolocation information when you use our apps or online Services, for example to determine the state you are located in. This information may include precise geolocation information, meaning information derived from a device and that is used to locate you within a circle with a radius of 1,850 feet or less, which is considered a type of sensitive personal information.
• Internet and network activity. We collect browsing history and information regarding your interaction with our Services. We also use tools on certain pages of our Services to record and analyze your interaction with our Services to help us improve your experience.
• Usage information. We automatically log your activity on our Services and connected products, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our website.

Information we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:

• Third-party partners. Third-party applications and services, including social networks you choose to connect with or interact with through our Services.
• Co-branding/marketing partners. Partners with which we offer co-branded Services or engage in joint marketing activities.
  Service providers. Third parties that collect or provide information in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.
• Data brokers. Data brokers and aggregators from which we obtain information to supplement the information we collect.
• Publicly available sources. Public sources of information such as open government databases.

Information we create or generate. We may generate new information or make inferences from other information we collect, including about your health condition, demographic categories, or other characteristics (“inferences”). For example, we infer use information you provide to make inferences about your current health condition.

When you are asked to provide personal information, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain Services or features, those Services or features may not be available or fully functional. Additionally, you may not be eligible for Services or care programs prolaio provides.

Legal Basis For Collecting and Using Information

If you are a user of the Osano website or platform located in the EEA, we rely on several processing purposes, such as legitimate interest, as the legal basis for processing the personal data we collect via the website and platform. For instance, we may collect, process or disclose your personal information based on the following bases:

• As necessary to provide a Service or perform a transaction (such as when we respond to your requests);
• Consent (where you have provided consent as appropriate under applicable law, such as for direct marketing or certain cookies);
  As necessary for legitimate interests (such as when we act to maintain our global business generally, including maintaining the safety and security of the website); and
• Compliance with legal obligations, particularly in the area of labor and employment law, social security and protection law, data protection law, tax law, and corporate compliance laws.

The provision of your personal data is partly a statutory requirement and partly a contractual obligation.

Cookies, Mobile IDs, and Similar Technologies

We use cookies, web beacons, mobile analytics and advertising IDs, and similar technologies to operate our websites and online Services and to help collect information, including usage information, identifiers, and device information.

What are cookies and similar technologies?

Cookies are small text files placed by a website and stored by your browser on your device. A cookie can later be read when your browser connects to a web server in the same domain that placed the cookie. The text in a cookie contains a string of numbers and letters that may uniquely identify your device and can contain other information as well. This allows the web server to recognize your browser over time, each time it connects to that web server.

Web beacons are electronic images (also called single-pixel or clear GIFs) that are contained within a website or email. When your browser opens a webpage or email that contains a web beacon, it automatically connects to the web server that hosts the image (typically operated by a third party). This allows that web server to log information about your device and to set and read its own cookies. In the same way, third-party content on our websites (such as embedded videos, plug-ins, or ads) results in your browser connecting to the third-party web server that hosts that content. We also include web beacons in our email messages or newsletters to tell us if you open and act on them.

Mobile analytics and advertising IDs are generated by operating systems for mobile devices (iOS and Android) and can be accessed and used by apps in much the same way that websites access and use cookies. Our apps contain software that enables us and our third-party analytics and advertising partners to access these mobile IDs.

How do we and our partners use cookies and similar technologies?

We, and our analytics and advertising partners, use these technologies in our websites, apps, and online Services to collect personal information (such as the pages you visit, the links you click on, and similar usage information, identifiers, and device information) when you use our Services, including personal information about your online activities over time and across different websites or online services. This information is used to store your preferences and settings, enable you to sign-in, analyze how our websites and apps perform, track your interaction with the site or app, develop inferences, deliver and tailor interest-based advertising, combat fraud, and fulfill other legitimate purposes. We and/or our partners also share the information we collect or infer with third parties for these purposes. For more information about the third-party analytics and advertising partners that collect personal information on our Services, please see the “Our Disclosure of Personal Information” section of this statement.

What controls are available?

There are a range of cookie and related controls available through browsers, mobile operating systems, and elsewhere. See the “Choice and Control of Personal Information” section below for details.

Our Use of Personal Information

We use the personal information we collect for purposes described in this privacy statement or as otherwise disclosed to you. For example, we use personal information for the following purposes:

We combine information we collect from different sources for these purposes, and to give you a more seamless, consistent, and personalized experience.

Our Disclosure of Personal Information

We disclose personal information with your consent or as we determine necessary to complete your transactions or provide the Services you have requested or authorized. In addition, we disclose each of the categories of personal information described above, to the types of third parties described below, for the following business purposes:

• Service providers. We provide personal information to vendors or agents working on our behalf for the purposes described in this statement. For example, we use service providers for cloud hosting, security, and bug detection.
• Financial services & payment processing. When you provide financial information, for example to make a purchase, we will disclose financial information to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, analytics, or other related financial services.
• Affiliates. We enable access to personal information across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access helps us to provide our Services and operate our business.
• Corporate transactions. We may disclose personal information as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
• Legal and law enforcement. We will access, disclose, and preserve personal information when we believe doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement, national security, or other government agencies.
• Security, safety, and protecting rights. We will disclose personal information if we believe it is necessary to:
  • protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;
  • operate and maintain the security of our Services, including to prevent or stop an attack on our computer systems or networks; or
  • protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Third party analytics and advertising companies, acting on our behalf as our service providers, also collect personal information through our website and apps including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation information, usage information, and inferences based on and associated with that information, as described in the “Cookies” section of this statement. These third-party vendors may combine this information across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.

To learn about other third-party analytics and advertising providers we may use on our websites, please click “Manage cookies” in the footer of websites referencing this privacy statement.

Please note that some of our Services also include integrations, references, or links to Services provided by third parties whose privacy practices differ from ours. If you provide personal information to any of those third parties, or allow us to share personal information with them, that information is governed by their privacy statements.

Finally, we may disclose de-identified information in accordance with applicable law.

Choice and Control of Personal Information

We provide a variety of ways for you to control the personal information we hold about you, including choices about how we use that information. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law.

Access, portability, correction, and deletion. If you wish to access, correct, or delete personal information about you that we hold, you may access your account by using contact methods described at the bottom of this privacy statement.

If you are unable to access, correct, or delete certain personal information we have via the means described above, you can send us a request by using contact methods described at the bottom of this privacy statement.

Communications preferences. You can choose whether to receive promotional communications from us by email, SMS, and telephone. If you receive promotional email or SMS messages from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the “How to Contact Us” section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications.

Targeted advertising. To opt-out from or otherwise control targeted advertising, you have several options. First, you can use the controls available through our website cookie banner to decline advertising-related cookies. Second, you can use the Global Privacy Control setting in a web browser or browser extension as described below. Third, you can use the opt-out controls offered by the organizations our advertising partners may participate in, which you can access at:

• NAI (https://optout.networkadvertising.org)
• DAA (http://optout.aboutads.info)

Fourth, you can use the other cookie or mobile ID controls described below.

These choices are specific to the device or browser you are using. If you access our Services from other devices or browsers, take these actions from those systems to ensure your choices apply to the information collected when you use those systems.

Data sales. Some privacy laws define “sale” broadly to include some of the disclosures described in the “Our Disclosure of Personal information ” section above. To opt-out from such data “sales”, send your request to the contact methods at the bottom of the privacy policy.

Browser or platform controls.

• Cookie controls. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this could affect certain features or Services of our website. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated.
• Global Privacy Control. Some browsers and browser extensions support the “Global Privacy Control” (GPC) or similar controls that can send a signal to the websites you visit indicating your choice to opt-out from certain types of information processing, including data sales and/or targeted advertising, as specified by applicable law. When we detect such a signal, we will make reasonable efforts to respect your choices indicated by a GPC setting or similar control that is recognized by regulation or otherwise widely acknowledged as a valid opt-out preference signal.
• Do Not Track. Some browsers include a "Do Not Track" (DNT) setting that can send a signal to the websites you visit indicating you do not wish to be tracked. Unlike the GPC described above, there is not a common understanding of how to interpret the DNT signal; therefore, our websites do not respond to browser DNT signals. Instead, you can use the range of other tools to control information collection and use, including the GPC, cookie controls, and advertising controls described above.
• Mobile advertising ID controls. iOS and Android operating systems provide options to limit tracking and/or reset the advertising IDs.

Email web beacons. Most email clients have settings that allow you to prevent the automatic downloading of images, including web beacons, and the automatic connection to the web servers that host those images.

Except for the automated controls described above, if you send us a request to exercise your rights or these choices, to the extent permitted by applicable law, we may charge a fee or decline requests in certain cases. For example, we may decline requests where granting the request would be prohibited by law, could adversely affect the privacy or other rights of another person, would reveal a trade secret or other confidential information, or would interfere with a legal or business obligation that requires retention or use of the information. Further, we may decline a request where we are unable to authenticate you as the person to whom the information relates, the request is unreasonable or excessive, or where otherwise permitted by applicable law. If you receive a response from us informing you that we have declined your request, in whole or in part, you may appeal that decision by submitting your appeal using the contact methods described at the bottom of this privacy statement.

California Privacy Rights

If you are a California resident and the processing of personal information about you is subject to the California Consumer Privacy Act (CCPA), you have certain rights with respect to that information.

Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of personal information and sensitive personal information to be collected, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this statement.

Right to Know. You have a right to request that we disclose to you the personal information we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such personal information. Note that we have provided much of this information in this privacy statement. You may make such a “request to know” by using the contact methods described at the bottom of this privacy statement.

Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate personal information and that we delete personal information under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, use the contact methods described at the bottom of this privacy statement.

Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of personal information as those terms are defined by the CCPA.

Note that the CCPA defines “sell,” “share,” and “personal information” very broadly, and some of our information disclosures described in this privacy statement may be considered a “sale” or “sharing” under those definitions. In particular, we let advertising and analytics providers collect identifiers (IP addresses, cookie IDs, and mobile IDs), activity information (browsing, clicks, app usage), device information, and geolocation information through our sites and apps when you use our online Services, but do not “sell” or “share” any other types of personal information. If you do not wish for us or our partners to “sell” or “share” personal information relating to your visits to our sites for advertising purposes, you can make your request by visiting our contact methods or using a Global Privacy Control. If you opt-out using these choices, we will not disclose or make available such personal information in ways that are considered a “sale” or “sharing” under the CCPA. However, we will continue to make available to our partners (acting as our service providers) some personal information to help us perform advertising-related functions. Further, using these choices will not opt you out of the use of previously “sold” or “shared” personal information or stop all interest-based advertising.

We do not knowingly sell or share the personal information of minors under 16 years of age.

Right to Limit Use and Disclosure of Sensitive Personal Information. You have a right to limit our use of sensitive personal information for any purposes other than to provide the Services or goods you request or as otherwise permitted by law.

Note that we do not use sensitive personal information for any such additional purposes.

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.

Further, to provide, correct, or delete specific pieces of personal information we will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. For some types of personal information we may have, such as some browsing activity, there is no reasonable method by which we can verify your identity as the person to whom that information relates.

Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA.

Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided personal information to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes.

Please be aware that we do not disclose personal information to any third parties for their direct marketing purposes as defined by this law.

California Customers may request further information about our compliance with this law by emailing privacy@prolaio.com. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated email address.

Retention of Personal Information

We retain personal information for as long as necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and for other legitimate and lawful business purposes. Because these needs can vary for different information types in the context of different Services, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the information, the availability of automated controls that enable users to delete information, and our legal or contractual obligations.

Security of Personal Information

We take reasonable and appropriate steps to help protect personal information from unauthorized access, use, disclosure, alteration, and destruction.

To help us protect personal information, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.

Additionally, no personal information crosses international boundaries at this time and is fully stored and processed in the United States. Should this change prolaio shall make informational updates to the privacy policy.

Changes To This Privacy Statement

We will update this privacy statement when necessary to reflect changes in our Services, how we use personal information, or the applicable law. When we post changes to the statement, we will revise the “Last Updated” date at the top of the statement. If we make material changes to the statement, we will provide notice or obtain consent regarding such changes as may be required by law.

How To Contact Us

If you have a privacy concern, complaint, or a question for prolaio, please contact us at privacy@prolaio.com. You may also write to us at:

Attention: Chief Privacy Officer
prolaio, Inc.
230 West Monroe, Suite 2560
Chicago, IL 60606

www.prolaio.com