Datavant Privacy Policy

Last Updated: June, 2023

Datavant’s Privacy Policy describes how Datavant (“Datavant,” “we,” and “us”) collects, uses, and discloses the Personal Information we collect from you when you use our website or otherwise interact with us (the “Services”). Please carefully review this Privacy Policy prior to using our Services or sharing your Personal Information with us.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) & State Law

Our use and disclosure of certain of your information may be subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) and similar state laws regulating the healthcare industry. Any information that you submit to us that constitutes “Protected Health Information,” as defined by HIPAA, is subject to HIPAA and applicable state law, and such laws control to the extent of any conflict with this Privacy Policy. The term “Protected Health Information” or “PHI” refers to individually identifiable health information about your past, present or future physical or mental health or condition, the provision of health care to you or the past, present or future payment for such care.

Note that PHI is generally exempt from the requirements of the California Consumer Privacy Act and similar U.S. state consumer privacy laws.

Datavant as a Service Provider

We are primarily a service provider for other businesses. In the course of providing services for other businesses, we may collect your Personal Information from our business customers. Generally, the businesses that we serve are responsible for determining how we may use and share your Personal Information. If you have questions about how your Personal Information is collected and used, we may direct you to the business who is responsible for your Personal Information. To the extent of any conflict between this Privacy Policy and our agreements (including HIPAA business associate agreements) with a business customer, the agreement will generally control.

Personal Information We Collect and How We Use It

“Personal Information” is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household. Datavant collects Personal Information from you when you send us emails or otherwise voluntarily submit your information to us. We also collect your Personal Information through our use of data collection technologies and from marketing partners, recruiting partners, and background check or Disclosure and Barring Service providers.

Depending on how you use the Services, we may collect the following categories of Personal Information about you:

Identifiers, such as your name, mailing address, email address, phone number, and account numbers. Typically, we collect this information directly from you to contact you regarding administrative notices, your use of the Services, or in connection with your interactions with us, such as through an employment application.
Internet and other Electronic Activity Information, such as your browsing history and browser preferences. Typically, we collect this information through cookies and other data collection technologies to under how you use our website.
Commercial Information, such as your financial and payment information, including credit card and payment card information. Typically, we collect this information directly from you to process payments you request or otherwise adjust your account.

If you are a job applicant, we may also collect the following Personal Information about you:

Records about you, such as your signature and identity verification information.
Protected class and demographic information, such as your age, military or veteran status, gender, and background check information relating to your criminal history, if any.
Professional or employment-related information, such as the contents of your resume, employment history, and references.

In addition to the purpose of collection described above, we may also collect Personal Information generally for the following reasons:

For the purpose for which you provided it.
To maintain and service your account.
To administer and improve our website.
To evaluate your job application and ensure equal opportunities in our application process (if you’ve applied for a job).
To aggregate with other users’ Personal Information to better understand the services being provided, how to improve these services and how to improve the Services
To communicate with you and respond to inquiries you send to us.
To promote our products and services to you.
To comply with legal, regulatory and risk management obligations.

Some of the information we collect may be considered Sensitive Personal Information, such as your and financial account information. We use and disclose your Sensitive Personal Information only for the following limited business purposes: (i) performing services an average person would expect; (ii) detecting security incidents; (iii) addressing malicious, deceptive, or illegal actions; (iv) ensuring the physical safety of individuals; (v) for short-term, transient use; (vi) performing or providing internal business services; and (vii) verifying or maintaining the quality or safety of a service or device.

How We Disclose the Information We Collect

We disclose your Personal Information in the following ways:

Service Providers. We may share your Personal Information with third parties that provide services to us. We may use third party service providers to host the Services, process job application, perform website analytics, and gather and use on our behalf your Personal Information as contemplated by this Privacy Policy and applicable law. It is our policy to require such third parties to process your Personal Information only on our behalf in an attempt to protect your information as much as is commercially reasonable.
In Connection with a Legal Right or Obligation. We may investigate and disclose information from or about you if we have a good faith belief that such investigation or disclosure is (a) reasonably necessary to comply with legal process and law enforcement instructions and orders, such as a search warrant, subpoena, statute, judicial proceeding, or other legal process served on us; (b) helpful to prevent, investigate, or identify possible wrongdoing in connection with the Services; or (c) protect our rights, reputation, property, or that of our users, affiliates, or the public.
In a Transaction. If we, or any of our businesses, are sold or disposed of as a going concern, whether by merger, reorganization, sale of assets or otherwise, or in the event of an insolvency, bankruptcy or receivership, any and all Personal Information, including your account information, may be one of the assets sold or merged in connection with that transaction. Information about you may also need to be disclosed in connection with a commercial transaction where we or any one of our businesses are seeking financing, investment, support or funding. In such transactions, Personal Information will be subject to the promises made in any pre-existing Privacy Policy in effect when the information was obtained.
With individuals to whom you direct us, such as your employer, colleagues, or references (such as in the case of a job application).

Datavant may use or disclose deidentified information so long as the entities to who Datavant discloses deidentified data are prohibited from re-identifying or attempting to re-identify data.

Except as stated in this Privacy Policy, we do not sell your Personal Information with third parties in exchange for monetary or other valuable consideration, nor do we share your Personal Information with third parties for cross-context behavioral advertising.

Cookies and Data Collection Technologies

Our online Services use cookies (small text files stored either temporarily or permanently on a user’s computer hard disk, which allow the website to recognize the user and track usage of the site, preferences, IP addresses, and pages visited, and to gather data and marketing information). Cookies may improve and/or simplify the use of Datavant’s online services. Of note:

Third Party Analytics. We use third parties, such as Google Analytics, to evaluate usage of our website. We may also use other analytic means to evaluate and improve our website and your experience. These entities may use cookies and other tracking technologies to perform their services. You can learn more about how Google uses this information here: https://www.google.com/policies/privacy/partners/.
How We Respond to Do Not Track Signals. Some web browsers incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many digital service operators, including Datavant, do not recognize or respond to DNT signals.

Most web browsers can be set to inform you when a cookie has been sent to you and provide you with the opportunity to refuse that cookie. Refusing a cookie will generally not interfere with your use of our online Services. However, refusal of a cookie may, in some cases, preclude you from using or negatively impact the display, feature, or function of our online Services.

Our Data Retention Practices

We retain your Personal Information for only as long as we need it to provide our products and services, operate our business, and comply with our legal obligations. When we decide how long to keep your Personal Information, we keep in mind the nature and sensitivity of the information, the potential harm from unauthorized use, the reasons we collected the Personal Information, and our legal obligations.

How We Protect Your Information

Communications between your browser and portions of the online Services containing Personal Information are protected with Secure Socket Layer (“SSL”) encryption. This encryption is to help protect your information while it is being transmitted. Once we receive your information, we strive to maintain the physical and electronic security of your Personal Information using commercially reasonable efforts.

NO DATA TRANSMISSION OVER THE INTERNET OR ANY WIRELESS NETWORK CAN BE GUARANTEED TO BE PERFECTLY SECURED. AS A RESULT, WHILE WE STRIVE TO PROTECT YOUR PERSONAL INFORMATION USING COMMERCIALLY AVAILABLE AND INDUSTRY STANDARD ENCRYPTION TECHNOLOGY, WE CANNOT ENSURE OR GUARANTEE THE SECURITY OF ANY INFORMATION YOU TRANSMIT TO US, AND YOU DO SO AT YOUR OWN RISK.

In the Event of a Security Breach of Your Personal Information

If we determine that your Personal Information has or may reasonably have been disclosed due to a security breach of our systems, we will notify you in accordance with and to the extent required by applicable state and federal law using the information that we have on file.

Disclosures for California Residents

California residents are entitled to the following disclosures about our data processing:

In the preceding 12 months, Datavant has collected the categories of Personal Information detailed in the PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT section above. The purposes for which Datavant has collected Personal Information and the sources of that information are also described above.
During the past 12 months, we have generally disclosed your personal information as follows:

Category of Personal Information	To whom we’ve disclosed for a business purpose
Identifiers	Service providers
Records about you	Service providers
Commercial information	Service providers
Internet or other electronic network activity information	Service providers
Protected class and demographic information	Service providers
Professional or employment-related information	Service providers
Sensitive information	Service providers

We do not disclose your Personal Information to third parties for commercial purposes. We do not sell your Personal Information, and we do not share information with third parties for cross-context behavioral advertising (including the Personal Information of individuals under 16 years old).

Shine the Light – Third Party Marketing: This Privacy Policy describes how we may share your Personal Information, including for marketing purposes. California residents are entitled to request and obtain from Datavant once per calendar year information about any of your Personal Information shared with third parties for their own direct marketing purposes, including the categories of information and the names and addresses of those businesses with which we have shared such information. To request this information and for any other questions about our privacy practices and compliance with California law, please contact us at our C3 phone number at 844-882-3809 or visit our C3 website at www.cioxcomplianceconnection.com.

In addition to the disclosures above, you have additional rights as explained in more detail below.

Your Rights

Depending on where you live, you may be entitled to the following privacy rights:

The right to know. You have the right to request to know the categories and specific pieces of Personal Information we have collected about you; the categories of sources from which that Personal Information was collected; and how we have sold, shared, or otherwise disclosed your Personal Information.
Right to correct. You may have the right to request that we correct inaccurate personal information that we maintain about you.
The right to deletion. You have the right to request that we delete the Personal Information that we have collected or maintain about you. We may deny your request under certain circumstances, such as if we need to comply with our legal obligations or complete a transaction for which your Personal Information was collected. If we deny your request for deletion, we will let you know the reason why.
The right to opt out of the sale or sharing of your Personal Information. You have the right to opt out of the sale or sharing of your Personal Information. Datavant does not sell or share (for targeted advertising purposes) your Personal Information. If we change our business practices, we will update this Privacy Policy, notify you, and honor your right to opt out.

You may exercise your right to know, right to correct, and your right to deletion twice a year free of charge. To exercise your right to know or your right to deletion, contact us via our C3 phone number at 844-882-3809 or visit our C3 website at www.cioxcomplianceconnection.com. If you choose to exercise any of these rights, we will not discriminate against you in any way. If you exercise certain rights, understand that you may be unable to use or access certain features of our services.

Datavant will take steps to verify your identity before processing your request to know or request to delete. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected Personal Information. If you have an account with us, we will use our existing account authentication practices to verify your identity. If you do not have an account with us, we may request additional information about you to verify your identity. We will only use the Personal Information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose.

You may use an authorized agent to submit a request to know or a request to delete. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request on your behalf. To protect your Personal Information, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on their behalf.

Certain laws may give you a right to appeal any denials of your request to exercise your rights. If we deny your request and you would like to submit an appeal, please contact us at 844-882-3809.

Third Party Practices

This Privacy Policy applies only to the Services provided by Datavant. The Services may contain links to other websites, which may be subject to a different privacy policy or are otherwise maintained or provided by a third party. We are not responsible for the privacy practices of any third-party website you access from our Services. You should review the privacy policy of every website before using the website or submitting any information to the website.

Changes to Our Policy

We reserve the right to modify or amend this Privacy Policy at any time. All changes to this Privacy Policy will be effective immediately upon their posting to the Services. We will notify you of material changes to this Privacy Policy by conspicuously posting the changes on the Services. Information collected before changes are made will be treated in accordance with the previous Privacy Policy. Continued use of the Services after the effective date of a modified privacy policy will indicate your agreement to any modified terms. Each version of our Privacy Policy will be prominently marked with an effective date.

Contact Information

You may submit any questions or concerns about this Privacy Policy or our privacy practices by contacting us through the following methods:

dpo@datavant.com

Datavant
44 Montgomery Street
3rd Floor
San Francisco, CA 94104

or visit our C3 website at www.cioxcomplianceconnection.com

We regularly review our compliance with this Privacy Policy. If you believe your privacy rights have been violated, you have the right to file a complaint. You may do so by contacting the Ciox Compliance Connection at 844-882-3809.