California Consumer Privacy Act

Last updated:

May 30, 2024

Privacy Policy

This CCPA Privacy Notice for California Residents (this “CCPA Privacy Notice”) supplements the information contained in Outro Heath USA and Outro Medical Group West’s (“Outro, “we”, “us” or “our”) General Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California ("Consumers" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018 and the California Consumer Privacy Rights Act of 2020 (collectively, the “CCPA”). Any terms defined in the CCPA have the same meaning when used in this CCPA Privacy Notice.

Information We Collect

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer, household, or device ("Personal Information").

Please note that Personal Information does not include publicly available information from government records, deidentified, or aggregated consumer information, or other information excluded from the CCPA's scope, such as information covered by certain sector-specific privacy laws, including the:

  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which generally applies to health or medical information;
  • Fair Credit Reporting Act (“FCRA”), which generally applies to information relating to credit history or credit worthiness; or the
  • Gramm-Leach-Bliley Act (“GLBA”), which generally applies to information obtained in connection with financial products or services that are used primarily for personal, family, or household purposes.

In particular, Outro has collected the following categories of Personal Information from Consumers within the last twelve (12) months (the information indicated under the “Examples” column is illustrative only, and not necessarily the specific information Outro actually collects):

1. Personal Information We Collect About You. We may collect and use the following personal information, including sensitive personal information, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:

Categories of Personal Information

Examples

Collected?

Identifiers 

  • Legal name
  • Preferred name
  • Email address
  • Phone number
  • Mailing address
  • IP address

YES

Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (“California Consumer Records Personal Information Categories”)

A name, signature, address, telephone number, bank account number, credit or debit card number, or any other similar information.

Some Personal Information included in this category may overlap with other categories.

 

YES

Protected classification characteristics under California or federal law (“Protected Classification Characteristics”)

Age (40 years or older), marital status, national origin, citizenship, gender or gender identity.

YES

Commercial information (“Commercial Information”)

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

YES

Biometric information (“Biometric Information”)

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data

NO

Internet or other similar network activity (“Internet or Other Similar Network Activity”)

Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.

YES

Geolocation data (“Geolocation Data”)

Physical location or movements.

YES

Sensory data (“Sensory Data”)

Audio, visual, or similar information.

NO

Professional or employment-related information (“Professional or Employment-Related Information”)

Current or past job history or performance evaluations.

YES

Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99)) (“Non-public Education Information”)

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

NO

Inferences drawn from other Personal Information (“Inferences”)

Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

YES

“Sensitive Personal Information,” as defined by the CCPA ( Cal. Civ. Code § 1798.140(v)(1)(L) (“Sensitive Personal Information”)

Personal Information that reveals a Consumer’s account log-in information in combination with credentials allowing access to an account.

NO

 

If you do not provide personal information required to provide Outro products and/or services to you, it may delay or prevent us from providing Outro products and/or services to you.

2. How Your Personal Information is Collected. We collect the personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete
  • Indirectly from you. For example, from observing your actions on our website or our mobile applications (collectively, our “Website”)
  • From other organizations with which we work

3. How and Why We Use Your Personal Information. Under data protection laws, we can only your personal information if we have a proper reason for doing so, for example:

  • To comply with our legal and regulatory obligations
  • For the performance of our contract with you or to take steps at your request before entering into a contract
  • For our legitimate interests or those of a third party
  • Where you have given consent

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use (process) your personal information for and our reasons for doing so:

 

What we use your personal information for

Our reasons

To provide Outro products and/or services to you

For the performance of our contract with you or to take steps at your request before entering into a contract

To prevent and detect fraud against you or Outro

For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you

Conducting checks to identify our customers and verify their identity

Screening for financial and other sanctions or embargoes

Other processing necessary to comply with professional, legal, and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator

To comply with our legal and regulatory obligations

Gathering and providing information required by or relating to audits, inquiries or investigations by regulatory bodies

To comply with our legal and regulatory obligations

Ensuring business policies are adhered to, e.g., policies covering security and internet use

For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you

Operational reasons, such as improving efficiency, training, and quality control

For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price

Ensuring the confidentiality of commercially sensitive information

For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information

To comply with our legal and regulatory obligations

Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures

For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price

Preventing unauthorized access and modifications to systems

For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you

To comply with our legal and regulatory obligations

Updating and enhancing customer records

For the performance of our contract with you or to take steps at your request before entering into a contract

To comply with our legal and regulatory obligations

For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our customers about existing orders and new products

Statutory returns

To comply with our legal and regulatory obligations

Ensuring safe working practices, staff administration and assessments

To comply with our legal and regulatory obligations

For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

Marketing our services and those of selected third parties to:

  • Existing and former customers
  • Third parties who have previously expressed an interest in our services
  • Third parties with whom we have had no previous dealings

For our legitimate interests or those of a third party, i.e., to promote our business to existing and former customers

External audits and quality checks

For our legitimate interests or a those of a third party, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards

To comply with our legal and regulatory obligations

4. Promotional Communications. We may use your personal information to send you updates by email, text message, telephone, or post about our products and/or services, including exclusive offers, promotions or new products and/or services.

We have a legitimate interest in processing your personal information for promotional purposes (see above “How and why we use your personal information”). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

You have the right to opt out of receiving promotional communications at any time by:

  • Contacting us at hello@outro.com 
  • Using the “unsubscribe” link in emails or by replying “STOP” in text

We may ask you to confirm or update your marketing preferences if you instruct us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.

5. With Whom We Share Your Personal Information. We routinely share personal information with:

  • Our affiliates, including companies within the Outro group
  • Service providers we use to help deliver our products and/or services to you, such as payment service providers, warehouses, and delivery companies
  • Other third parties we use to help us run our business, such as marketing agencies or website hosts
  • Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers
  • Our insurers and brokers
  • Our banks

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g., in relation to accreditation and the audit of our accounts.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a restructuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

6. Personal Information We Sold or Shared. We may “share” your Personal Information. The     CCPA defines “share” as the disclosure of Personal Information to a third party for cross-context     behavioral advertising (otherwise known as “targeted advertising”).

We may “sell” your personal information. The CCPA defines “sell” as the disclosure of Personal Information to a third party for monetary or other valuable consideration.

We do not sell or share the Personal Information of Consumers we actually know are less than 16 years old. For more on your Personal Information sale and sharing rights, see Right to Opt-Out of Sales or Sharing below.

In the past 12 months, Outro disclosed for a business purpose, “shared,” or “sold” the following categories of Personal Information to the categories of third parties indicated in the chart below:

Personal Information Category

Business Purpose Disclosure

Categories of Third Parties With Which Outro “Shares” or “Sells” This Information

Identifiers

Government agencies as required by laws and regulations.

Online payment processing and/or other trusted service providers and contractors

Medical Services

Online payment processing and/or other trusted service providers and contractors

Medical Services

Advertising and marketing networks, social networks, and other businesses we work with on marketing activities

California Consumer Records Personal Information Categories

Government agencies as required by laws and regulations.

Online payment processing and/or other trusted service providers and contractors

Medical Services

Online payment processing and/or other trusted service providers and contractors

Medical Services

Protected Classification Characteristics

Government agencies as required by laws and regulations.

Online payment processing and/or other trusted service providers and contractors

Medical Services

Online payment processing and/or other trusted service providers and contractors

Medical Services

Commercial Information

Government agencies as required by laws and regulations.

Online payment processing and/or other trusted service providers and contractors

Medical Services

Online payment processing and/or other trusted service providers and contractors

Medical Services

Advertising and marketing networks, social networks, and other businesses we work with on marketing activities

Biometric Information

None

None

Internet or Other Similar Network Activity

Government agencies as required by laws and regulations.

Online payment processing and/or other trusted service providers and contractors

Medical Services

Online payment processing and/or other trusted service providers and contractors

Medical Services

Advertising and marketing networks, social networks, and other businesses we work with on marketing activities

Geolocation Data

Government agencies as required by laws and regulations.

Online payment processing and/or other trusted service providers and contractors

Medical Services

Advertising and marketing networks, social networks, and other businesses we work with on marketing activities

Sensory Data

None

None

Professional or Employment-Related Information

None

None

Non-public Education Information

None

None

Inferences

Government agencies as required by laws and regulations.

Online payment processing and/or other trusted service providers and contractors

Medical Services

None

Sensitive Personal Information

None

None

8. How Long Your Personal Information Will Be Kept. We will keep your personal information while you have an account with us or while we are providing products and/or services to you. Thereafter, we will keep your personal information for as long as is necessary:

  • To respond to any questions, complaints or claims made by you or on your behalf
  • To show that we treated you fairly
  • To keep records required by law

We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information. 

9. California Consumers: Your Rights Under the CCPA/CPRA. You have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge your:

  1. Right to Know

You have the right to request that we disclose certain Personal Information to you about our collection and use of your Personal Information over the past 12 months (your "Right to Know"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know, Correct, or Delete), we will disclose to you:

  1. The specific pieces of Personal Information we collected about you (also known as a “Data Portability Right”).
  2. The categories of Personal Information we collected about you.
  3. The categories of sources from which we collected your Personal Information.
  4. The categories of your Personal Information we sold or shared, if any, and the categories of third parties purchasing or receiving that information.
  5. The categories of your Personal Information disclosed for a business purpose, if any, and the categories of persons or entities that received your Personal Information.
  6. The business or commercial purpose for collecting, selling, or sharing your Personal Information.
  1. Right to Correct
    You have the right to request that we correct any inaccuracies regarding your Personal Information that we hold (your “Right to Correct”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know, Correct, or Delete), we will correct (and direct our Service Providers and/or Third Parties to correct) the Personal Information that we maintain about you.
  2. Right to Delete
    You have the right to request that we delete any of the Personal Information that we collected from you and retained, subject to certain exceptions (your "Right to Delete"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know, Correct, or Delete), we will delete (and direct our Service Providers and/or Third Parties to delete) your Personal Information from our records, unless an exception applies.
    We may deny your deletion request if retaining your Personal Information is necessary for us (or our Service Providers and/or Third Parties) to:some text
    1. Complete the transaction for which we collected your Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
    2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
    3. Debug products to identify and repair errors that impair existing intended functionality.
    4. Exercise free speech, ensure the right of another Consumer to exercise their free speech rights, or exercise another right provided for by law.
    5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
    6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
    7. Enable solely internal uses that are reasonably aligned with Consumer expectations based on your relationship with us.
    8. Comply with a legal obligation.
    9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
  3. Right to Opt-Out of Sales or Sharing of Personal Informationsome text
    1. Your Right to Opt-Out
      You have the right to opt-out of Personal Information sales or sharing for cross-context behavioral advertising purposes (your “Right to Opt-Out”).
      The CCPA defines “sell” as the disclosure of Personal Information to a third party for monetary or other valuable consideration. The CCPA defines “share” as the disclosure of Personal Information to a third party for cross-context behavioral advertising (otherwise known as “targeted advertising”).
    2. Our Practices
      We may “sell” and “share” your Personal Information to a third party, such as our Customers, to provide you with relevant and personalized advertising experiences. Outro does not sell or share for cross-context behavioral advertising purposes the Personal Information of Consumers we actually know are less than 16 years old.
      To opt-out of sales or sharing of your Personal Information for these purposes, you may submit an opt-out request by:some text
    3. Your opt-out request must include the following information, at a minimum, to allow us to properly understand, evaluate, and honor your request:some text
      • Your first and last name;
      • Your email address;
      • Your postal address; and
      • Your phone number.
    4. We will only use Personal Information you provide in an opt-out request to review and comply with your request.
      Unlike requests to know, correct, or delete, you do not need to verify your identity with us to make an opt-out request. However, if an authorized agent is placing the opt-out request on your behalf, we will require you or your agent to provide Proof of Authorization on an authorization form (PDF) signed by you (the Consumer who is the subject of the opt-out request).
      You do not need to create an account with us to exercise your opt-out rights.
      Once you make an opt-out request, we will:some text
      • Honor your request as soon as possible, within a maximum of fifteen (15) days; and
      • Inform any third parties that received Personal Information after you placed your request, but before Outro effectuated it, about your request and direct such third parties to honor your request.
    5. Please note that opting-out of the sale or sharing of your Personal Information for cross-context behavioral advertising does not mean you will no longer receive advertisements. You may still receive generic advertisements that are not based on your interests or activities.
    6. Third Party Opt-Outs
      Outro also works with a third party advertising partner, Google Analytics, to provide you with relevant and personalized advertising experiences. Upon receiving your opt-out request, we will notify Google Analytics to comply with your opt-out request and forward your request to their own downstream recipients, if applicable.
      Additionally, Google Analytics has its own mechanisms for opting-out of their services. To prevent your data from being used by Google Analytics, you may locate Google Analytics’ currently available mechanisms for opting-out of Google’s services, here: https://tools.google.com/dlpage/gaoptout/. To learn more about how Google uses data when you visit websites or applications that use Google’s services, please visit Google’s privacy policy: https://policies.google.com/technologies/partner-sites.
    7. Browser Do Not Track Signals
      You also have the option to set up a “Do Not Track” signal in your browser, which can indicate your preference to websites not to track your activities for the purpose of cross-context behavioral advertising. You may enable the Do Not Track feature in popular browsers, such as Google Chrome, Mozilla Firefox, and Safari, by adjusting the “Privacy” or “Privacy & Security” options within your browser settings.
      Please note that enabling the Do Not Track feature in your browser does not guarantee that all websites will honor the signal.
  4. Right to Limit the Use of Sensitive Personal Information
    You have the right to limit the use of “Sensitive Personal Information,” as defined by the CCPA. Certain Personal Information collected by us, including your Mojo account username and password, may constitute “Sensitive Personal Information” under the CCPA. However, we only use such information to provide our services and products or as otherwise permitted under California privacy law.

Exercising Your Rights to Know, Correct, or Delete

  1. How To Submit a Request to Know, Correct, or Delete
    To exercise your Rights to Know, Correct, or Delete described above, please submit a request by:
  • Submitting a Consumer Request here
  • Sending an email to privacy@outro.com

Only you, or someone legally authorized to act on your behalf, may make a request to know, correct, or delete related to your Personal Information. When a request to know, correct, or delete is submitted by an authorized agent, the Consumer who is the subject of the request must still do the following (unless the Consumer has provided the authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130):

  • Verify their own identity directly with Outro; and
  • Provide proof of authorization on an authorization form (PDF) signed by the Consumer who is the subject of the request (“Proof of Authorization”).

You may only submit a request to know twice within a twelve (12) month period.
Your request to know, correct, or delete must describe your request with sufficient detail to allow Outro to properly evaluate, understand, and respond.
Upon receiving your request, Outro will verify the identity of the Consumer who is the subject of the request to either a reasonable degree of certainty, or a reasonably high degree of certainty, depending upon the nature of the request and sensitivity of Personal Information involved. This may require:

  • Matching three pieces of Personal Information you provide with the Personal Information Outro holds about you;
  • A determination by Outro that the Personal Information matched is reliable for verification purposes; and
  • Receiving a signed declaration under penalty of perjury from you stating that the Personal Information requested is about you.

Outro cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.
You do not need to create an account with us to submit a request to know, correct, or delete. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account, but any indication or suspicion of fraudulent or malicious activity on your password-protected account requires Outro to suspend reliance on this verification method and use other procedures to confirm that the request is authentic.
We will only use the Personal Information provided in connection with the request to verify the requestor's identity or authority to make it.
For instructions on exercising your sale opt-out rights, see Right to Opt-Out of Sales or Sharing of Personal Information.

  1. Response Timing and Format
    We will confirm receipt of your request to know, correct, or delete within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please send an e-mail to privacy@outro.com.
    We endeavor to substantively respond to a verifiable consumer request within forty-five (45) calendar days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.
    If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
    Any disclosures we provide will only cover the twelve (12) month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For Data Portability Right requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
    We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
  • Retaliate against an employee, applicant, or independent contractor.

Changes to this CCPA Privacy Notice

We reserve the right to amend this CCPA Privacy Notice at our discretion and at any time. When we make changes to this CCPA Privacy Notice, we will post the updated notice on our Website and provide the date the notice was last updated. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this CCPA Privacy Notice, the ways in which Outro collects and uses your information described here and in our General Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Email: privacy@outro.com

If you need to access this CCPA Privacy Notice in an alternative format due to having a disability, please contact privacy@outro.com.

 

PRIVACY DISCLOSURE FOR MOBILE APPLICATIONS

This Privacy Disclosure applies to the Outro mobile application (the “App”), owned and operated by Outro Health USA Inc. (“Outro,” “we,” “us,” or “our”). We have created this Privacy Disclosure to tell you what information the App collects and who we will share that information with, if at all. Please see our Privacy Policy above for a full disclosure of how we collect and use the personal information you or your mobile device provides through or on the App. We encourage you to read the Privacy Policy, and to use the information it contains to help you make informed decisions.

  1. We only receive or collect information that identifies you personally if you choose to provide such personally identifiable information to us through the App or other means. In the course of operating the App, however, we will collect and/or receive information about:
  • Your contacts (such as names, phone numbers, email and text addresses, and social media connections);
  • The websites you’ve visited through your mobile browser;
  • The phone calls or texts you’ve made or received on your mobile device;
  • Your bank and credit card information, as well as any financial information related to transactions conducted on your mobile device;
  • Your health and wellness, including claims and measurements gathered or received on your mobile device;
  • Your location (both past and current);
  • Your fingerprints, signatures, voice, facial recognition, or any other biometrics collected or received by your mobile device; and 
  • Your files, including images, videos, calendar files, notes and other text.
  1. Once we have collected the information described above, we may share some or all of it with third parties for various reasons. For example, sharing your information in this way might help us improve our application or services to you, or might allow you to receive additional offers, promotions or services that you might find interesting. Specifically, we may share your information with:
  • Your mobile carrier;
  • Ad networks who display advertisements through our applications;
  • Companies that share, license, rent or sell information to other companies who want to send you offers or information about other services;
  • Companies that analyze your data for various purposes;
  • Government entities;
  • Companies that provide the software, app stores, or other tools for your mobile device;
  • Other mobile applications (including those you do not currently have); and
  • Social media networks
  1. If you have any questions or suggestions regarding this notice or our Privacy Policy, please email us at privacy@outro.com

Outro Representative and Data Protection Officer

Meran Liu, privacy@outro.com 

Personalized tapering support that’s ready when you are