Effective Date: April 4, 2023
1. OVERVIEW
Headlamp helps mental health providers (our “Providers”) learn more about their patients, while helping patients learn more about themselves. Together, we're bringing more precision to mental health care.
This Privacy Policy explains how Headlamp Health, Inc. (“Headlamp Health", “we” or “us”) processes personal information through our websites, applications, tools, services, and platform (collectively, the “Services”) when you set up an account to access the Services (your “Account”) and through other interactions you may have with Headlamp Health.
By accessing or using the Services, you are agreeing to this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use the Services.
You should read our full Privacy Policy to understand what data we collect, how we use it, and the circumstances where we may share it. Our Services are directed to those that reside in the United States. Please note that if you reside outside the US, information collected through our Services will be transferred to and processed in the US. By using our Services, you consent to any transfer and processing in accordance with this Privacy Policy. If you have any questions, please contact us at privacyrequest@headlamp.com.
This Privacy Policy may change over time. If we make changes to it, we will post the modified Privacy Policy on our website, www.headlamp.com/privacy. We encourage you to visit this page periodically to learn of any updates.
2. INFORMATION WE COLLECT AND HOW WE USE IT
We collect personal information (or personal data) from you and/or your computer or device when you use our Services or otherwise interact with us. As further described in this section, we may receive personal information about you that you submit through the Services or that is provided to us by a third party; we also may receive personal information about you automatically as you use the Services.
HIPAA and PHI
Certain demographic, health and/or health-related information that Headlamp obtains about you as part of providing the Services to our Providers may be “protected health information” or “PHI” and governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”). Specifically, when (i) Headlamp is providing administrative, operational, and other services to a mental health Provider and this Provider is a “Covered Entity” (as such term is defined in HIPAA); and (ii) in order to provide those Services, Headlamp receives certain information about you on behalf of the Provider, Headlamp is acting as a “Business Associate” (as such term is defined in HIPAA) of the Provider, and this identifiable information is regulated as PHI.
HIPAA provides specific protections for the privacy and security of PHI and restricts how PHI is used and disclosed. Please read the Notice of Privacy Practices of your Provider to understand how your PHI can be used and disclosed. Model notices of privacy practices and other helpful information may be found here.
Personal data that you provide to Headlamp when Headlamp is not acting as a Business Associate is not PHI. To provide just a few examples, when you (i) create an Account, (ii) search for Providers or available appointments with Providers, (iii) respond to wellness surveys provided by Headlamp that are not required by nor created by a Provider, (iv) post reviews, or (v) provide device/IP Information or web analytics information by browsing our Website (see below). Regardless, Headlamp does not sell or share this or any other information we collect except in de-identified or aggregate form that does not allow you to be identified.
Information You Submit
We receive personal information that you choose to provide to us such as your name, email, telephone number or postal address, including when you:
Create or register an Account; or administer your Account.
Input, post, or upload information, data, or other content through the Services.
Submit questions, requests, or other communications to us via various communication channels.
Contact us for customer support or technical support.
Visit our Website or download any of our mobile applications.
Participate in any surveys we provide or other marketing events we may facilitate.
Communicate through the Services.
Integrate third-party products and services with your Headlamp Health Account.
Information from Others with whom You Interact in your Use of the Services.
If you interact with others in your use of the Services, we may receive personal information about you from others.
Information from Third Party Services You Interact with in your Use of the Services
If you create an Account on Headlamp Health using a third-party service such as a single-sign-on service, we may collect personal information about you from the third-party service (such as your username or user ID associated with that third-party service). If you create your Account using such a third-party service, or if you give us permission by changing the settings on your Headlamp Health Account, we may also collect, and you authorize us to collect, information about your personal contacts (e.g., email, phone, password) as may be stored within that third-party service, which we may use to facilitate your invitation of Providers to Headlamp Health. By choosing to create an Account using a third-party service, you also authorize us to collect personal information necessary to authenticate your Account with the third-party service provider.
Certain aspects of the Services may allow you to link or integrate third-party products and services to enable certain features and functionalities with the Services. If you choose to use these features or functionalities, you may be asked to create an account with a third-party service provider or link your existing account with that service provider (and, by doing so, agree to the privacy policy and/or terms and conditions of that third party). You may also be asked to authorize Headlamp Health to collect information from the third-party service provider on your behalf. We will then collect information (such as your username or user ID associated with that third-party service) from you and/or that third-party service provider as necessary to enable the Services to access your data and content stored with that third-party service provider. Once the authentication is complete, we have the ability to access information you provided to us or was otherwise collected by the third-party service in accordance with the privacy practices of that third-party service. We will store the information and data we collect and associate it with your Headlamp Health account, and we will use that information and data to enable the integration of the Services with the third-party service provider and to perform actions requested or initiated by you, or that are reasonably necessary to carry out instructions provided by you.
Information We Automatically Collect.
We and our third-party service providers (including any third-party content or site analytics providers) automatically collect certain information from your device or web browser when you interact with the Services. For example, when you interact with the Services, we may log and store your IP address and technical information about your usage like your device ID, browser type, and how you progressed through the Services, where you abandoned it, etc. We can use your IP address to determine your general location. Additionally, if you use a mobile application of ours, we may collect analytic information about your device, such as IP address, OS version, and clickstream. This information is used to help us provide the specific information or service you’ve requested and to help keep our Service safe and secure. We may transfer this information to third-party vendors subject to written agreements that require such vendors to only use that information as directed by us as described below. In addition, we use technologies, such as cookies and pixel tags as described further below.
Information We Collect from Providers
We ask that mental Health Providers execute separate agreements with us which govern our relationship with them and their use of the Services. These Provider agreements include a HIPAA business associate agreement to address the use of PHI by Headlamp. When Providers register for an account (the “Provider Account”) we collect the following information from the Provider which may be in addition to all of the information listed above under “information you submit” and “information we collect automatically” sections: (a) Provider name and/or practice (i.e., company) name, (b) postal address, (c) email address, (d) telephone number, (e) National Provider Identifier (NPI), and (f) information about the provider’s field of expertise.
We use this information to help us authenticate Provider Accounts and to provide Services to Providers. We give some of this information to patients so that they can locate a Provider via the Services.
Cookies
Cookies may be set and accessed on your computer or device. Upon your first visit to the Websites and/or use of Services, a cookie may be placed onto your computer or device that uniquely identifies your browser. “Cookies” and local storage are small files containing a string of characters that is sent to your computer’s browser and stored on your device when you visit a website. You can reset your browser to refuse all cookies or to indicate when a cookie is being sent; however, if you reject cookies, you may not be able to sign into the Services or take full advantage of our Services.
Our Services use the following types of cookies for the purposes set out below:
Type of cookie
Purpose
Analytics Cookies
These cookies are used to collect information about traffic to our Services and how users use our Services. The information gathered does not alone enable us to identify any individual visitor. The information includes the number of visitors to our Services, the websites that referred them to our Services, the pages that they visited on our Services, what time of day they visited our Services, whether they have visited our Services before, and other similar information. We use this information to help operate our Services more efficiently, to gather broad demographic information and to monitor the level of activity on our Services. Our analytics providers are instructed to only use data collected via the Headlamp Services to help those same Services.
Essential Cookies
These cookies are essential to provide you with services available through our Services and to enable you to use its features. For example, they allow you to log in to secure areas of our Services and help the content of the pages you request load quickly. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.
Functionality Cookies
These cookies allow our Services to remember choices you make when you use our Services, such as remembering your language preferences, remembering your login details, remembering which polls you have voted in and in some cases, to show you poll results, and remembering the changes you make to other parts of our Services which you can customize. Where these cookies store your login preferences, they also enable us to identify you across various screens and devices as you login and use our Services. as well as enable us to work with partners to resolve your digital identities and personalize your experiences across our Services, our partners and customers, and across channels. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you visit our Services.
Data that is Not Personal Data
We may create aggregated and/or de-identified data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular data subject. In the case of aggregated data, we mean data that is summarized into aggregate statistics. In the case of de-identified data, we mean a data set that has been processed in such a way that we have no reasonable basis to believe it can be used to identify an individual. We may use such aggregated, de-identified, or anonymized data and share it with third parties for our lawful business purposes, including to analyze, build, and improve the Services and promote our business, provided that we will not share such data in a manner that could identify you. We will not attempt to re-identify this data back to a specific individual and we don’t sell, share or otherwise provide data for marketing or advertising use.
3. HOW WE MAY SHARE YOUR PERSONAL INFORMATION
We will only share your personal information with third parties under the following circumstances:
When you ask us to share, with your consent, or if you choose to share such information.
With our trusted agents and vendors that are contractually engaged to provide us with services, such as email management and cloud-based hosting. We provide a list of the services these companies provide for us below and update it regularly. These companies are obligated by contract to safeguard any personal information they receive from us and have agreed to only use the personal information for the specific purpose it was provided. The services include: a) cloud computer, data storage and file storage providers, b) email marketing providers, c) website and b2b analytics providers, d) customer relationship management, contact database vendors, data hygiene vendors, survey vendors and project management software providers, e) customer billing systems vendors, f) login authentication providers to ensure that the logins to our systems are working efficiently, g) auditing, debugging and security vendors.
With any of our affiliated companies, including a parent company, subsidiaries, joint ventures, or other companies under common control with us (in which case we will require such entities only use such data as directed by us and in compliance with the promises we made in this privacy policy).
If we believe that disclosure is reasonably necessary to comply with a law, regulation, valid legal process (e.g., subpoenas or warrants served on us), or governmental or regulatory request; to protect the security or integrity of the Services; and/or to protect the rights, property, or safety of Headlamp Health, its employees, customers, users, or others. If we are going to release your data, we will do our best to provide you with notice in advance by email, unless we are prohibited by law from doing so.
In the event we go through a business transition (such as a merger, acquisition by another company, bankruptcy, or sale of all or a portion of our assets, including, without limitation, during the course of any due diligence process), your personal information will likely be among the assets transferred. By providing your personal information, you agree that we can transfer such information in those circumstances without your further consent. Should such a business transition occur, we will make reasonable efforts to request that the new owner or combined entity (as applicable) follow this Privacy Policy with respect to your personal information. If your personal information would be used contrary to this privacy policy, we will request that you receive prior notice.
4. HOW TO OPT-OUT OF EMAIL COMMUNICATIONS
To stop receiving email notifications or promotions, please click the unsubscribe link found at the bottom of each email or update your preferences within your Account. You may also make this request via email at privacyrequest@headlamp.com.
5. STORAGE & SECURITY
We use industry standard technical, administrative and physical controls to protect your data. While we take reasonable precautions against possible security breaches, no website or internet transmission is completely secure and we cannot guarantee that unauthorized access, hacking, data loss or other breach will never occur.
We will process and store your personal information only for the period necessary to achieve the purpose of the storage, or as permitted by law. The criteria used to determine the period of storage of information is the respective statutory retention period. After expiration of that period, the corresponding information is routinely deleted, as long as it is no longer necessary for the fulfillment of a contract or the initiation of a contract.
6. THIRD PARTY LINKS
The Services may contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies.
7. ADDITIONAL PRIVACY RIGHTS
This section, which supplements the rest of this Privacy Policy, is designed to address the privacy laws of California and a number of other states under applicable law. While these rights only apply to the “personal information” of those located in certain U.S. states, Headlamp applies them to all those located in the United States.
Headlamp Health does not sell personal information and has not sold or shared any personal information to third parties in the preceding 12 months. We don’t sell, share or otherwise provide data for marketing or advertising use. As disclosed in this privacy policy, we may share information with trusted vendors and our affiliates that are subject to written agreements specifying that they may only use data as directed by Headlamp. We may de-identify the data we process and commit to ensuring that such de-identified data may not be used to identifiable form.
Personal Information We Collect and Disclose for a Business Purpose. Without limiting the description of the information we collect, we collect the categories of personal information about U.S. data subjects identified in the chart below. More information regarding the personal information we collect can be found above in the section titled “What Information We Collect.”
Categories of Personal Information
Examples
Collected in Prior 12 Months
A. Personal and online identifiers.
A real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, or other similar identifiers.
Yes
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
A name, address, telephone number, education, employment, employment history, or any other financial information. Some personal information included in this category may overlap with other categories.
Yes
C. Protected classification characteristics under California or federal law.
Age (40 years or older), race, color, ancestry, national origin, sex, veteran or military status.
No
D. Commercial or transactions information.
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Yes
E. Biometric information.
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
Yes
F. Internet or other similar network activity.
Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
No
G. Geolocation data.
Physical location or movements.
No
H. Sensory data.
Audio, electronic, visual, thermal, olfactory, or similar information.
No
I. Professional or employment-related information.
Current or past job history.
Yes, but only as it pertains to Headlamp Health personnel, and is subject to a different privacy policy.
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
No
K. Inferences drawn from other personal information.
Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Yes
Categories of Sources. We collect personal information from, without limitation, consumers directly, our Services’ inferences, service providers, and public sources. More information regarding the sources from which we collect personal information can be found above in the section titled “What Information We Collect.”
Why We Collect, Use, and Share Information. We use and disclose the personal information identified as collected in the chart above for our commercial and business purposes, as further described in this Privacy Policy and in the section titled “How We Use Your Personal Information.” These commercial and business purposes include, without limitation:
Our commercial purposes, which include:
To provide, develop, improve and personalize our Services.
To provide you with information, products, or services that you have requested.
To receive and process job applications for jobs with us.
To process data with machine learning algorithms, which helps us build, personalize, and improve the Services.
For internal business purposes, such as to detect, investigate and prevent harmful, fraudulent, and illegal activity and security issues and protect the rights and property of Headlamp Health and others.
To enable communications through the Services.
To contact you about additional Headlamp Health services you might be interested in, unless you opt-out (see “How to Opt-Out of Email Communications”).
As required by applicable law, legal process or regulation.
Our business purposes as identified in the CCPA but applicable throughout the U.S., which include:
Providing the Services;
Auditing related to our interactions with you;
Legal compliance;
Detecting and protecting against security incidents, fraud, and illegal activity;
Debugging;
Performing services (for us or our service provider) such as account servicing, processing orders and payments, and analytics;
Internal research for technological improvement;
Internal operations;
Activities to maintain and improve our services; and
Other one-time uses.
Recipients of Personal Information. We disclose, and have disclosed in the last 12 months, the categories of personal information identified as collected in the chart above for business purposes to the following categories of third-party vendors and service providers under written agreement: More information regarding the categories of third parties with whom personal information is disclosed can be found in the section above titled “How We May Share Your Personal Information.”
Your Rights Regarding Personal Information. We provide certain rights with respect to the personal information collected by businesses. You may exercise the following rights regarding your personal information, subject to certain exceptions and limitations:
While we don’t sell personal information, we recognize that you have the right to know the categories and specific pieces of personal information we collect, use, disclose, and share about you, the categories of sources from which we collected your personal information, our purposes for collecting or share your personal information, the categories of your personal information that we have either sold or disclosed for a business purpose, and the categories of third parties with which we have shared personal information;
The right to request that we delete the personal information we have collected from you or maintain about you.
The right to edit or correct any inaccuracies in the personal information that we have about you;
The right not to receive discriminatory treatment for the exercise of the privacy rights conferred under applicable law.
To exercise any of the above rights, please login to your Account (if applicable) or contact us using the following information and submit the required verifying information, as further described below:
by email at privacyrequest@headlamp.com.
Verification Process and Required Information. We may need to request additional information from you to verify your identity or understand the scope of your request, although you will not be required to create an account with us to submit a request or have it fulfilled. We will then typically attempt to match the identifying information provided by you to the personal information already maintained by us to verify the request. If you have a password protected account on the Services, we may verify your identity through the existing authentication practices for your Account, in which case we will require you to re-authenticate yourself before we disclose or delete your personal information.
Authorized Agent. You may designate an authorized agent to make an access, deletion or similar request on your behalf by verifying your identity, as described above, and providing written permission for the authorized agent to act on your behalf.
Minors’ Right to Opt In. Headlamp Health does not sell the personal information of minors under 16 years of age.
Non-Discrimination. Headlamp Health will not discriminate against a user because the user exercised any of the user’s rights described above or afforded to it under applicable data privacy law.
8. EXERCISING RIGHTS, CONTACT US AND ACCESSING YOUR INFORMATION
Headlamp Health users may exercise their rights regarding their personal information as follows:
You can contact us at privacyrequest@headlamp.com.
You may withdraw your consent to receive cookies or tokens by adjusting your browser settings.
You may withdraw your consent to receive marketing or promotional communications at any time by clicking the “unsubscribe” link found within our email updates and changing your contact preferences. Please note, you will continue to receive essential account-related information, even if you unsubscribe from promotional emails.
If you have any questions about our privacy practices, or if you wish to make a request, contact us at either:
Headlamp Health, Inc.
Attn: Privacy
23 Geary Street, Suite 600
San Francisco, CA 94108
or
privacyrequest@headlamp.com
