Platform Privacy Policy

Effective Date: December 2024

Introduction

Cedar Cares, Inc. (“Cedar”, “we”, “our”, or “us”) is a software platform available through our website or mobile app, designed to help patients make timely payments to their health care providers (“Platform”). If your health care provider has a contract with Cedar, you will be able to receive reminders about payments and pay through the Platform, which for some patients may include participating in a recurring payment plan.

This Platform Privacy Policy tells you how Cedar handles your personal information that it collects through the Platform. Please note that we collect much of this information from or about you in order to provide you with payment services that Cedar provides on behalf of your health care provider.

This Platform Privacy Policy is distinct from Cedar’s Privacy Policy that describes Cedar’s other data collection practices, including information that Cedar collects on its website, https://www.cedar.com/. This Platform Privacy Policy is also distinct from your health care provider’s HIPAA Notice of Privacy Practices, which describes how your health care provider uses and discloses your protected health information (“PHI”). As your health care provider’s business associate, Cedar has agreed that its collection, use, and disclosure of your PHI on behalf of your health care provider will be done in accordance with your health care provider’s HIPAA Notice of Privacy Practices.

By using the Platform, you agree to accept the practices described in this Platform Privacy Policy. If you do not agree to all the terms of this Platform Privacy Policy, please do not use the Platform.

Information we collect and receive

1. How we collect information

Your health care provider will provide us with information so that we can provide our services to you on behalf of your health care provider, including informing you of the payments you need to make. This information may include a description of services you have received from your health care provider and the associated dates and charges, insurance information, and contact information as further described below. For more information about the data that your health care provider discloses to us, please refer to their HIPAA Notice of Privacy Practices.

We also receive information you provide when you use the Platform, create an account, submit a payment, or contact us with a request or question. In addition, we collect some other information from your computer or mobile device automatically, including various technical information.

2. Categories of Information

We may collect the below categories of information. Please keep in mind that, depending on our relationship with your health care provider, some categories of information may include PHI. Your health care provider ultimately determines the PHI that we collect and process on their behalf and may change the categories at their discretion.

Account information. When you create an account, you provide us with information such as a username and password.
Contact information. You and your health care provider may provide us with your telephone number, including mobile device number, email address, and/or mailing address.
Health services information. Your health care provider may provide us with information about the services you have received, your insurance information, and the payments due. You or your health care provider may also provide us with accompanying demographic data, such as your age and sex.
Billing and other information. We or our third party payment processors may collect and store billing information such as billing address, credit card or debit card number, bank account information or other payment account information (e.g., Paypal or similar payment services as applicable) in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
Website Activity and Device Information. Our servers automatically record some information about your interactions with the Platform, such as number of log-ins, time and date of payments and visits to the Platform, the type of device you are using, your operating system, your IP address, sites or apps visited before and after coming to our Platform, and data from online cookies and similar technologies, which may be collected over time and across different websites and apps.
Communications and other information you provide to us. We collect the content of your messages that you send to us (including via call, text, email, or chat) in addition to metadata associated with that message, such as the timing and method of communication.
Location Information. We may collect the approximate location of your device from your IP address.
Other information that we may infer based on the above.

How we use your information

We use your information in accordance with applicable laws for the general purpose of providing the Platform and other services on behalf of your health care provider. Consistent with our agreements with your health care provider, we also use your information:

To provide and maintain the Platform.
To contact you. Please note that we may communicate with you by email, telephone call, text message or mail. We also may contact you by telephone or text message at your wireless device number using autodialer technology.
To respond to your requests. If you contact us with a concern or question, we will use your information to respond to you.
To protect the security, availability, and integrity of the Platform.
To protect us, our users, and the public, and comply with applicable law, regulation, or legal process, including to investigate, prevent, and respond to fraud and abuse, resolve disputes and protect the rights of users and third parties, respond to claims and legal process (such as subpoenas and court orders), fulfill our reporting obligations, monitor and enforce compliance with our contracts, and otherwise detect, prevent, or stop any activity that may be illegal, unethical, or legally actionable.
To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our customers is among the assets transferred.

When authorized by your health care provider, we may de-identify your information in accordance with applicable laws and use that de-identified data for any purpose, including:

To understand and improve the Platform. We use this data to understand how users are using the Platform and to improve the Platform and develop new products or services.
To perform analytics. We use this data to analyze how different types of consumers use and interact with our services, including user trends.

Your privacy choices

You may update billing information, including settings for recurring payments, by logging in to your account. If your contact information changes, please both inform your health care provider and update the information in your account. If you no longer wish to receive communications from Cedar, please inform your health care provider. You also have the rights set forth in your health care provider’s Notice of Privacy Practices.

Disclosing your information

We generally disclose information in order to provide the Platform and other services on behalf of your health care provider, including for purposes of facilitating treatment, payment, and health care operations as it relates to your relationship with your health care provider. Consistent with our agreements with your health care provider, we also disclose your information in the following contexts:

Service providers. We engage vendors to perform certain functions on our behalf such as: auditing and accounting firms, professional services consultants, providers of data hosting, storage, and analytics services, and IT and security vendors.
Corporate affiliates. We may disclose personal information within our corporate family of companies.
Business partners. We may work with other companies to provide you with certain product or service offerings.
Law enforcement, government agencies, or parties in a legal proceeding. We may share personal information with these entities to comply with the law or assist law enforcement. We may also provide your personal information to third parties in the context of a subpoena or similar legal process.
In the context of a merger or similar transaction. We may buy or our business or a portion of our business or assets may be bought by other businesses or entities. In any such event, we may transfer or assign the information we have collected as part of such merger, acquisition, sale change of control or other disposition of assets. In such transactions, your information may be included in the transferred business assets. Also, in the unlikely event of our bankruptcy, insolvency, reorganization, receivership, or assignment for the benefit of creditors, or the application of laws or equitable principles affecting creditors’ rights generally, we may not be able to control how your information is treated, transferred, or used, and your personal information may be included in the transferred assets.
As otherwise described to you and with your consent in accordance with applicable law.

We may share aggregate or de-identified information, such as statistical information, with third parties.

Security

We maintain certain administrative, technical, and physical safeguards designed to protect the privacy and security of the information we collect through the Platform and directly from your health care provider. However, no information system can be 100% secure, so we cannot guarantee the absolute security of your information. Moreover, we are not responsible for the security of information you transmit to the Platform over networks that we do not control, including the Internet and wireless networks.

Of course, we appreciate your help in safeguarding the integrity of your own privacy. Please keep your username and password confidential and safe from discovery by others, and close your browser or mobile app after you are done. Just as important, we encourage you to let us know immediately if you suspect that the information you share with us is being used by an unauthorized person or in an unauthorized manner. To contact us, see the contact information below.

Children’s information

Our Platform is not directed to children, and we do not knowingly collect online information from children under the age of 18 or minors. Accordingly, we do not have actual knowledge that we sell or share the personal information of consumers under the age of 16 years old. We do, however, collect the personal information that the health care provider, a parent, or legal guardian may submit to us about a minor. However, if we learn that we have received personal information directly from a child under the age of 18 without appropriate parental consent, we will delete that information from our database.

Most browsers can be set to inform you when a cookie has been sent to you and provide you with the opportunity to refuse that cookie. Additionally, your Flash player can be set to reject or delete Flash cookies. Refusing a cookie will generally not interfere with your use of the Platform. However, refusal of a cookie may, in some cases, preclude you from using or negatively impact the display or function of the website or certain areas or features of the Platform. Please note that our Platform does not currently recognize “Do Not Track” signals.

Retention

We retain personal information for as long as needed or permitted in light of the purposes for which it was obtained and consistent with applicable law and our agreement with your health care provider. The criteria used to determine our retention periods include:

The length of time we have an ongoing relationship with you and provide the Platform to you;
Whether there is a legal obligation to which we are subject (for example, we are required to keep certain business records for a certain period of time); or
Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).

Your privacy rights

You may have some or all of the rights listed below (“Data Subject Rights”) with respect to the personal information that we collect or process about you. These rights differ depending on your place of residency, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia.

Please note that we reserve the right to honor your Data Subject Rights to the extent required by applicable law, including exemptions for PHI. For more information about the rights you have with respect to your PHI, please refer to your health care provider’s Notice of Privacy Practices. If you are a resident of Washington state, you may have additional rights. Please refer to our Consumer Health Data Privacy Policy for more information.

Right to Confirm Processing, Access, and/or Obtain a Copy: If you ask us, we will confirm whether we are processing your personal information. Additionally, upon request, we will provide you with a copy of all personal information you are lawfully entitled to receive, potentially including specific pieces of information, along with certain other details.
Right to Amend: If you believe your personal information is inaccurate or incomplete, you may request that we correct it.
Right to Delete: You may request that we delete personal information that we maintain about you.
Right of Portability: You may request that we move, copy, or transfer the personal information that we maintain about you to another organization.
Right to Revoke Consent and/or Opt Out of Certain Processing Activities: You may ask us to restrict or stop the processing of your personal information in certain contexts, such as if we process personal information that is considered “sensitive” under applicable law or engage in certain automated decision-making activities.
Right to Opt Out of Targeted Advertising: Targeted advertising is the practice of serving you tailored advertisements based your personal information gathered over time and across other businesses, websites, applications, or services. Some jurisdictions refer to this activity as “sharing.” We do not engage in this activity.
Right to Opt Out of Sales: You may request that we not “sell” your personal information. We do not engage in this activity.
Right to Non-Discrimination: We will not discriminate against you for exercising Data Subject Rights, but we may charge a reasonable fee as permitted by law in fulfilling these rights, such as if you request multiple copies of your personal information.
Right to Appeal: If we deny your request to exercise a Data Subject Right, you may have the right to appeal the decision with us. If you would like to appeal a prior decision, please be sure to include information about your prior request so that we may locate our earlier determination.
Right to Lodge a Complaint: You may submit a complaint to us and/or the competent supervisory authority in the place in which you live if you have any concerns about our processing of your personal information.

If you or your authorized agents would like to exercise a Data Subject Right, you may do so by following the instructions at the end of this Privacy Policy. In order to process your request to exercise a Data Subject Right, we will ask you to verify your identity by confirming your name, e-mail address, phone number, or other identifiable information that we have in our records, such as most recent interaction with us, if applicable. We will require the authorized agent to demonstrate authority to act on your behalf, such as by providing signed permission. We may also verify the authenticity of the request directly with you.

Additional disclosures for California residents

If you reside in California, please read this section for additional disclosures about how we collect, use, and disclose information about you under the California Consumer Privacy Act, as amended (or “CCPA”) (California Civil Code Section 1798.100 et seq.).

Categories of Personal Information Collected: In the previous 12 months, we have collected the personal information listed in the section “Information we collect and receive” above. This information falls into the following categories under the CCPA: identifiers; categories of personal information described in Cal. Civ. Code 1798.80(e); geolocation information; internet or electronic network activity information; inferences drawn from the above categories. Additionally, we collect the following “sensitive” personal information: account credentials, health information, characteristics of protected classifications, contents of messages that you send to our vendors about our services including customer service providers.
Sensitive Personal Information Uses or Disclosures: We do not use or disclose “sensitive” personal information for purposes other than those specified by the CCPA.
Business or Commercial Purpose for Collecting Information: We collect personal information for the business and commercial purposes described in “Information we collect and receive” and “How we use your information” above.
Categories of Sources of Personal Information: We collect personal information from and about you as described in “How we collect information” above.
Categories of Third Parties with Whom We Disclose Information: We may disclose your personal information with third parties as described in “Disclosing your information” above
Categories of Personal Information Disclosed: In the preceding 12 months, we have disclosed the categories of personal information listed in “Information we collect and receive” for the reasons described in “Disclosing your information” above.

We do not “sell” or “share” personal information as those terms are defined under the CCPA.

Changes to this Privacy Policy

We reserve the right to change this Platform Privacy Policy from time to time by posting a new Privacy Policy to this page. You are advised to check this Platform Privacy Policy regularly for any changes. By continuing to use the Platform after such changes have been made, you agree to those changes. If we make any material changes to this Platform Privacy Policy, we will either notify you or place a prominent notice on our Platform.

Contacting Us

Please feel free to contact us if you have any questions about this Platform Privacy Policy or wish to exercise your Data Subject Rights. You may contact us at:

Email: [email protected]
Postal Address:
Cedar Cares, Inc.
32 6th Avenue, 18th Floor
New York, NY 10013
Attn: Privacy Officer