Privacy Policy

1. Information We Collect

We collect personal information from you when you request a demo, participate in one of our events or conferences, contact us, visit the Site, our branded social media pages, or our offices, use the Service, apply for jobs, send communications to or receive communications from us, or otherwise provide personal information to us. The personal information we collect varies depending on what you choose to share, but it may include your name, phone number, mailing address, email address, job title, company name, and billing address.

We also have pages on social media sites such as YouTube, LinkedIn, and other third party platforms ("Social Media Pages"). When you interact with those Social Media Pages, the platform provider's privacy policy will apply to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with personal information through the platform, and we will treat the personal information we receive in accordance with this Privacy Policy.

Internet Activity Data

When you visit, use, and interact with the Services, we may receive certain personal information about your visit, use, or interactions. For example, we may monitor the number of people that visit the Services, peak hours of visits, which page(s) are visited, the domains our visitors come from, and which browsers people use to access the Services, broad geographical information, and navigation pattern. In particular, the following information is created and automatically logged in our systems:

• Log Data: Information that your browser automatically sends whenever you visit the Site, including your Internet Protocol address, browser type and settings, the date and time of your request, and how you interacted with the Site.
• Cookies Data: Please see the "Cookies" section below to learn more about how we use cookies.
• Device Data: Includes name of the device, operating system, and browser you are using. Information collected may depend on the type of device you use and its settings.
• Usage Data: We collect information about how you use our Services, such as the types of content that you view or engage with, the features you use, the actions you take, and the time, frequency, and duration of your activities.
• Location Data: We derive a rough estimate of your location from your IP address.

Personal Information We Process on Behalf of Our Health Care Provider Customers

Health Data: In order to provide the Services, our health care provider customers share patient information with us through commonly-used forms in the health care industry. These forms include EMR charts, patient intake forms, referral forms, insurance forms, and other related health care documentation, which we process on their behalf for the purposes of automating administrative processes so that they can serve their patients' health care needs better. We process health data that we are provided pursuant to our agreements with our health care provider customers and we apply HIPAA privacy and security standards to all health data that we collect.

De-Identified Data: De-identified data is non-personal information that is aggregated or de-identified so that it cannot reasonably be used to identify an individual. We use de-identified data for research and development of new products or tools, to refine our algorithms and machine learning applications, and to improve the Services. We may disclose such information publicly and to third parties, for example, in public reports about health, to partners under agreement with us, or in benchmarking information we provide to our health care provider customers.

If you are a patient of one of our health care provider customers and have questions about the processing of your health data, please contact us by following the instructions set forth in "Privacy Rights" below.

2. HIPAA and Business Associate Relationship

Scope of This Privacy Policy vs. HIPAA Obligations. This Privacy Policy primarily governs the personal information we collect directly from visitors to our Site, prospective customers, event attendees, job applicants, and other individuals who interact with us outside of our role as a HIPAA Business Associate. This includes information such as names, email addresses, browsing data, and other non-PHI personal information described in Section 1 above.

Protected Health Information (PHI). When we process Protected Health Information on behalf of our health care provider customers ("Covered Entities"), we do so in our capacity as a HIPAA Business Associate. Our use, disclosure, and protection of PHI is governed by: (a) the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"); (b) the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule; and (c) the Business Associate Agreement ("BAA") executed between Seneca Shield and each Covered Entity customer.

Our Commitments as a Business Associate. In our role as a Business Associate, we: (i) use and disclose PHI only as permitted or required by our BAAs and applicable law; (ii) implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI; (iii) report any Security Incident or Breach of Unsecured PHI in accordance with HIPAA and the terms of our BAAs; (iv) ensure that any subcontractors who access PHI agree to substantially similar restrictions and conditions; and (v) make PHI available to Covered Entities as required to satisfy their obligations under the HIPAA Privacy Rule.

Patient Inquiries. If you are a patient whose health information has been processed by Seneca Shield on behalf of your health care provider, please direct privacy-related inquiries to your health care provider in the first instance. You may also contact us at hello@senecashield.com, and we will coordinate with the applicable Covered Entity to address your request.

Cookies

We use cookies to operate and administer our Site, gather usage data on our Site, and improve your experience on it. A "cookie" is a piece of information sent to your browser by a website you visit. Cookies can be stored on your computer for different periods of time. Some cookies expire after a certain amount of time, or upon logging out (session cookies), others survive after your browser is closed until a defined expiration date set in the cookie (persistent cookies).

On most web browsers, you will find a "help" section on the toolbar. Please refer to that section of your web browser for information on how to receive a notification when you are receiving a new cookie, as well as how you can turn cookies off.

Please note that if you limit the ability of websites to set cookies, you may be unable to access certain parts of the Site and you may not be able to benefit from all features of the Site.

Advertising networks may use cookies to collect personal information. Most advertising networks offer you a way to opt out of targeted advertising. If you would like to find out more information, please visit the Network Advertising Initiative's online resources at networkadvertising.org and follow the opt-out instructions there.

If you access the Site on your mobile device, you may not be able to control tracking technologies through the settings.

Analytics: We use Google Analytics, a web analytics service provided by Google, Inc. ("Google") and Amplitude, a cloud-based product-analytics platform by Amplitude, Inc. Both Google Analytics and Amplitude use cookies to help us analyze how users use the Site and enhance your experience when you use the Site.

Online Tracking and Do Not Track Signals: We and our third party service providers may use cookies, pixels, or other tracking technologies to collect information about your browsing activities over time and across different websites following your use of the Site and use that information to send targeted advertisements. Our Site currently does not respond to "Do Not Track" ("DNT") signals and operates as described in this Privacy Policy whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will update this Privacy Policy to describe how we do so.

3. Use of Information

We use personal information for the following purposes:

• To provide the Services and conduct our business;
• To perform market research;
• To respond to your inquiries, comments, feedback, or questions;
• To send administrative information to you, for example, information regarding the Services and changes to our terms, conditions, and policies;
• To analyze how you interact with our Services;
• To maintain and improve the Services;
• To develop new products and services;
• To prevent fraud, illegal or criminal activity, or misuses of our Services, and to ensure the security of our IT systems, architecture, and networks;
• To comply with legal obligations and legal process and to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties;
• To create de-identified data by removing information that makes the data personally identifiable; and
• For any other manner of use you agree to by providing your consent.

Marketing. We may use your personal information to contact you to tell you about products or services we believe may be of interest to you. For instance, if you elect to provide your email, we may use that information to send you special offers. You may opt out of receiving emails by following the instructions contained in each marketing email we send you. In addition, if at any time you do not wish to receive future marketing communications, you may contact us. If you unsubscribe from our marketing lists, you will no longer receive marketing communications but we will continue to contact you regarding other administrative matters and to respond to your requests. We may also use your personal information to analyze and improve our marketing campaigns.

4. Sharing and Disclosing Personal Information

We never sell personal data. We only share it with your consent or when required or permitted by law. In certain circumstances we may share the categories of personal information described above with the following categories of third parties:

Vendors and Service Providers: To assist us in meeting business operations needs and to perform certain services and functions, we may share personal information with vendors and service providers, including providers of hosting services, cloud services, and other information technology services providers, email communication software and email newsletter services, advertising and marketing services, payment processors, customer relationship management and customer support services, and analytics services. Pursuant to our instructions and in compliance with this Privacy Policy and other confidentiality and security measures enforced by contract, these parties will access, process, or store personal information in the course of performing their duties to us.

Professional Advisers: We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us. Our professional advisors are subject to confidentiality obligations to protect your personal information.

Affiliates: Although we currently do not have a corporate parent, subsidiaries, affiliates, or other companies under a common control (collectively, "Affiliates"), we may in the future. We may share your personal information with these Affiliates for purposes consistent with this Privacy Policy.

Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider (collectively a "Transaction"), your personal information may be shared in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.

Compliance, Fraud Prevention, Safety: We may share your personal information for the compliance, fraud prevention and safety purposes described above under Section 3.

Legal Requirements: If required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, including to meet national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) prevent fraud, (iv) act in urgent circumstances to protect the personal safety of users of the Service, or the public, or (v) protect against legal liability.

5. Protecting Your Personal Data

We use a combination of technical, administrative, and physical controls to secure your data. No internet or other digital transmission is ever fully secure or error-free, but we always handle your data using industry best-practices for data storage, transmission, and processing. Your data is encrypted in transit and at rest using the industry best-practice encryption standards and we use HIPAA-compliant products and services for health data storage and processing. We also have internal access-control policies to prevent privacy violations.

While we aim to protect your data, you use the Services at your own risk and we are not responsible for circumvention by an unauthorized third party of any of our privacy settings or security measures, or for the privacy and security practices of third-party services or websites.

6. Data Breach Notification

PHI Breach Notification. In the event of a breach of unsecured Protected Health Information, we will notify the applicable Covered Entity in accordance with the timeframes and requirements set forth in the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and the terms of our Business Associate Agreement. The Covered Entity is responsible for notifying affected individuals and the U.S. Department of Health and Human Services as required by law.

Non-PHI Breach Notification. In the event of a security breach involving non-PHI personal information that we collect directly (as described in Section 1), we will notify affected individuals in accordance with applicable state breach notification laws, including but not limited to the Florida Information Protection Act of 2014 (Fla. Stat. § 501.171) and the California Civil Code § 1798.82. Such notification will be provided without unreasonable delay and will include: (a) a description of the incident; (b) the types of information involved; (c) the steps we are taking in response; and (d) contact information for further inquiries.

Mitigation. Following any data breach, we will take reasonable steps to mitigate the effects of the breach, investigate its cause, and implement measures to prevent recurrence.

7. Data Retention

We will retain your data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.

Unless a longer retention period is required by law or contract, we generally observe the following retention periods:

• Protected Health Information: Retained for the period specified in our Business Associate Agreement with the applicable Covered Entity, or as required by HIPAA and applicable state law (typically a minimum of six (6) years from the date of creation or the date when the information was last in effect, whichever is later).
• Customer Account and Billing Data: Retained for the duration of the customer relationship and for seven (7) years thereafter to comply with tax and accounting obligations.
• Marketing and Prospect Data: Retained for three (3) years from the date of last interaction, unless you opt out or request deletion sooner.
• Job Applicant Data: Retained for two (2) years from the date of application, unless a longer period is required by law or you provide consent for longer retention.
• Usage and Analytics Data: Generally retained for twenty-four (24) months for internal analysis purposes, except when this data is used to strengthen security or improve functionality.
• Cookies and Tracking Data: Retained for the period described in the applicable cookie's expiration setting; session cookies are deleted when you close your browser.

Upon expiration of the applicable retention period, we will securely delete or de-identify your personal information in accordance with our data disposal procedures. You may request earlier deletion of your personal information by contacting us as described in Section 8 below, subject to any legal or contractual obligations requiring continued retention.

8. Your Privacy Rights

Where provided for by law and subject to any applicable exceptions, you may have the right:

• To know the categories of personal information that the Company has collected about you, the business purpose for collecting your personal information, and the categories of sources from which the personal information was collected;
• To access the specific pieces of personal information that the Company has collected about you;
• To know whether the Company has disclosed your personal information for business purposes, the categories of personal information so disclosed, and the categories of third parties to whom we have disclosed your personal information;
• To have the Company, under certain circumstances, delete your personal information;
• To instruct businesses that sell personal information to stop doing so — but note that we do not sell personal information; and
• To be free from discrimination related to the exercise of these rights.

If you would like to exercise any or all of these rights, you may do so by contacting us. After we receive your request, we may request additional information from you to verify your identity. Your authorized agent may submit requests in the same manner, although we may require the agent to present signed written permission to act on your behalf, and you may also be required to independently verify your identity with us and confirm that you have provided the agent permission to submit the request.

Please email hello@senecashield.com with questions or to request access to an alternative format of this Privacy Policy.

Managing Cookies: You can manage cookies through your browser settings. Please note that disabling cookies may affect the functionality of our Website.

9. State Privacy Law Rights

Florida Digital Bill of Rights (FDBR). If you are a Florida resident and meet the applicable thresholds under the Florida Digital Bill of Rights (Fla. Stat. §§ 501.701–722, effective July 1, 2024), you may have the following rights with respect to personal data we have collected: (a) the right to confirm whether we are processing your personal data; (b) the right to access your personal data; (c) the right to correct inaccuracies in your personal data; (d) the right to delete your personal data; (e) the right to obtain a copy of your personal data in a portable format; and (f) the right to opt out of the processing of your personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). If you are a California resident, you may have additional rights under the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), as amended by the CPRA. These rights include: (a) the right to know what personal information we collect, use, disclose, and sell or share; (b) the right to delete personal information we have collected from you; (c) the right to correct inaccurate personal information; (d) the right to opt out of the sale or sharing of personal information — note that we do not sell personal information; (e) the right to limit the use and disclosure of sensitive personal information; and (f) the right to not be discriminated against for exercising your privacy rights.

Exercising State Privacy Rights. To exercise any of the rights described above, please contact us at hello@senecashield.com or by mail at the address listed in Section 15. We will respond to verified requests within the timeframes required by applicable law (generally 45 days for CCPA/CPRA and 45 days for FDBR, with extensions as permitted by law). We may need to verify your identity before processing your request.

Appeals. If we decline to take action on your request, you may appeal our decision by contacting us at hello@senecashield.com with the subject line "Privacy Rights Appeal." We will respond to appeals within the timeframes required by applicable law.

10. Children

The Services are not directed to children without parental consent and supervision. We do not knowingly collect personal information from children through the Site and do not aim to do so. If you have reason to believe that a child under the age of 13 has provided personal information to the Site without parental consent or supervision, please contact us immediately at hello@senecashield.com and we will promptly delete that information from our databases. This age threshold is consistent with the Children's Online Privacy Protection Act ("COPPA"). For individuals located in jurisdictions where a higher age threshold applies (such as 16 under the EU General Data Protection Regulation), we will comply with the applicable local requirement.

11. Links to Other Websites

The Site may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions. Other websites, mobile applications and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites, mobile applications and online services you use.

12. Job Applicants

When you apply for a job at the Company, we collect the information that you provide to us in connection with your job application. This includes business and personal contact information, professional credentials and skills, educational and work history, and other information that may be included in a resume. This may also include diversity information that you voluntarily provide. We use this information to facilitate our recruitment activities and process employment applications, such as evaluating candidates and monitoring recruitment statistics. We may also use and disclose this information (a) to improve the administration of the Site, (b) as otherwise necessary to comply with relevant laws, (c) to respond to subpoenas or warrants served on the Company, and (d) to protect and defend the rights or property of the Company or others.

13. Changes to the Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will: (a) update the "Effective Date" at the top of this page; (b) post the revised Privacy Policy on our Site; and (c) where required by applicable law, provide you with notice of the changes (for example, by email or by displaying a prominent notice on the Site).

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Services after the posting of any revised Privacy Policy constitutes your acceptance of the revised Privacy Policy. If you do not agree with the revised Privacy Policy, you should stop using the Services and contact us to request deletion of your personal information.

14. International Data

Our Services are primarily operated from and provided within the United States. If you access the Services from outside the United States, please be aware that your personal information may be transferred to, stored, and processed in the United States, where our servers and central database are located.

The data protection and privacy laws of the United States may differ from those in your jurisdiction. By using the Services or providing your personal information to us, you consent to the transfer of your personal information to the United States and the processing of your personal information in accordance with this Privacy Policy.

We may use third-party service providers and sub-processors that operate in various jurisdictions. Where we transfer personal information to third parties located outside the United States, we require that such parties maintain adequate data protection safeguards consistent with this Privacy Policy and applicable law.

15. Contact Us

If you have any questions about our Privacy Policy or information practices, please feel free to contact us at our designated request address:

By using our Website, you agree to the collection and use of your information as described in this Privacy Policy.