Shuttle Health Privacy Policy
Last Revised: July 17, 2024
This is the Privacy Policy for Shuttle Health, Inc. (collectively, “Shuttle Health,” “us,” or “we”) that describes the collection and use of your information through our prescription automation engine software-as-a-service (the “SaaS”), websites and other online channels we own or operate, and any other products and services we offer (collectively, with the SaaS, our “Services”). This Privacy Policy is governed by and part of our Terms of Use.
​
By accessing our Services in any manner, you agree to our privacy practices as described in this Privacy Policy. If you do not agree with this Privacy Policy, do not access or use our Services.
​
If you have questions about our privacy practices or would like to make a complaint, please contact Shuttle Health at legal@shuttle.health.
HEALTH PRIVACY
Shuttle Health collects certain health data about Patients as necessary to facilitate the fulfillment of prescription and other orders through the Services. More specifically, Shuttle Health may receive Patient contact information, their healthcare provider’s information, and details about the Patient’s prescriptions. Health data is collected from the Patient’s healthcare provider after the Patient (or their guardian) opts in to use our Services. If a Client of Shuttle Health, such as your healthcare provider, is a covered entity under the Health Insurance Portability and Accountability Act of 1996, Shuttle Health is a business associate to that Client subject to a Business Associate Agreement. A Patient may withdraw this consent at any time by opting out through the Services or through their healthcare provider. If you are a Patient and you have questions about health privacy, please contact the healthcare provider with which you use our Services.
​
DEFINITION: PERSONAL DATA
As used in this Privacy Policy, “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Data falls within certain categories, for example:
- Identifiers (e.g., name, email, telephone number, address);
- Sensitive information (e.g., health information; government ID; racial or ethnic origin; religious beliefs; contents of messages when we are not the recipient; in some cases, information about a known child);
- Legally protected information (e.g., race, citizenship, marital status, sex);
- Biometrics (e.g., DNA, face/voice prints, health data) and audio, electronic, visual, thermal, or olfactory information;
- Employment-related information (e.g., current or past employment);
- Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99);
- Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
- Internet or other similar activity (e.g., browsing history; content interactions); or
- Inferences drawn from Personal Data to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, intelligence, and aptitudes.
Information that is not protected as Personal Data includes publicly available information; aggregated information (meaning data summaries or reports with Personal Data removed); and anonymized information that cannot be linked back to an individual.
​
PRIVACY PRACTICES
Shuttle Health collects Personal Data from Patients as described in this section. We only collect, use, retain, and disclose Personal Data as is adequate and relevant to the specific, express purpose of providing the Services to our Clients or as reasonably necessary and proportionate to achieve our internal business or other purposes permitted by applicable law.
​
During the preceding 12 months, Shuttle Health has collected Patient identifiers, sensitive information, commercial information, and other categories of Personal Data that might be disclosed to us as a business associate to our Clients. We will not collect additional categories of Personal Data or use already collected Personal Data for purposes that are materially different, unrelated, or not reasonably necessary or compatible with the original purpose without notice and consent to you as required by law.
​
Shuttle Health collects your Personal Data (a) with your consent when you opt-in to use our Services; (b) if we have a legitimate interest in doing so, like providing the Services to our Clients; or (c) as authorized or required by law. Our sources of Personal Data include:
​
- Patient’s healthcare provider or prescription supplier. Patients opt in to use our Services in connection with a healthcare provider or prescription supplier that is a Client of Shuttle Health. The Client will disclose Personal Data about the Patient as necessary for our Services to facilitate the Patient’s prescription order fulfillment and communication between the Client and the Patient. Personal Data disclosed to Shuttle Health may include the Patient’s name, mobile number, and certain health information related to the prescription.
- Patient use of the Services. When you use the Services as a Patient, we will collect the Personal Data you input to the Services like commercial history related to your prescription or other orders, shipping information, and messages between you and your healthcare provider or prescription supplier sent via the Services.
- Your visit to our website. When you visit our website or interact with our online channels, we collect technical data, which may include Personal Data, like your IP address, browser type, browser version, and analytics data about your interactions with our content. We collect this data to achieve our legitimate interest of providing and improving our online presence and the Services we offer.
​
We use the Personal Data we collect to provide and improve our Services, for internal business purposes, and as permitted by law. We may also use Personal Data to: maintain the safety, security, and integrity of our technology assets; protect the legal interests of Shuttle Health, our Client or a Patient; respond to law enforcement requests and as required by applicable law, court order, or governmental regulations; for the purpose of a potential or current business transition involving the transfer of Personal Data as a company asset; or for any purpose with your consent. Any Personal Data protected under HIPAA is used only as permitted by the Client subject to a business associate agreement with the Client.
​
HEALTH DATA PRIVACY
Shuttle Health collects certain health data related to a Patient’s prescriptions. Health data is collected from the Patient’s healthcare provider or prescription supplier that is a Client using our Services. Patients may withdraw their consent at any time by contacting your healthcare provider or prescription supplier and replying to any SMS with STOP or UNSUBSCRIBE to opt-out of our Services.
​
CHILDREN'S PRIVACY
Shuttle Health Services are intended for use by adults, not children. A parent or guardian may use the Services for their child’s prescription needs, but Shuttle Health will never knowingly collect Personal Data from a child online. If we learn we have collected or received Personal Data from a child without authorization, we will delete that information.
​
DATA RETENTION
Shuttle Health only retains Personal Data for the minimum period necessary to provide our Services or achieve our business goals. Our retention periods are governed by our contracts with Clients and our company policies. For example, we retain Personal Data protected under HIPAA for six years or as otherwise required by our HIPAA business associate agreement with the Client that is your healthcare provider or prescription supplier. Shuttle Health reserves the right to retain data for longer periods as required by law or court order or if doing so is critical to our business. We securely delete data at the conclusion of the applicable retention period.
​
DISCLOSURES OF PERSONAL DATA
Shuttle Health will only disclose Personal Data to third parties as described in this section, with your permission, or as required by law. In the preceding 12 months, we have disclosed Personal Data for a business purpose to:
​
- Your healthcare provider or prescription supplier. Patients use the Services through a healthcare provider or prescription supplier that is a Client of Shuttle Health. Clients associated with a Patient’s prescription needs will have access to the Patient’s Personal Data as necessary to facilitate the Patient’s prescription order fulfillment and communication with the Client. Disclosure of Personal Data protected by HIPAA is subject to our business associate agreement with the Client.
​
When you opt-in to use the Services as a Patient, you consent to this disclosure of your Personal Data to the Client. Any other use of your Personal Data by a Client is governed by that Client’s privacy practices. We do not control and are not responsible for the privacy practices of any Client beyond what is necessary to provide the Services to that Client. Please direct any questions about these policies and practices to the Client that is your healthcare provider or prescription supplier.
​
- Manufacturers that work with us. If you use the Services to fulfill a prescription for a medical device or other healthcare product, we may disclose data related to your order with the manufacturer of that product. Most of the data disclosed to manufacturers will be analytics and statistics, such as conversion status and timeframes. However, the manufacturer may also receive data linking your account with the product you ordered through the Services, which may qualify as protected health information under health privacy laws. Any health information disclosed in this manner is protected under health privacy legal standards and confidentiality obligations.
- Our service providers. Shuttle Health’s service providers like telecom service providers, email and data hosting providers, and data analytics companies may have access to Personal Data as needed to perform their contractual obligations to us. We prohibit our service providers from selling or disclosing the Personal Data we provide, and we require all service providers to maintain confidentiality standards and appropriate technical and organizational measures to ensure the security of your Personal Data.
- Law enforcement, and other governmental agencies, as permitted or required by law.
- Other third parties, as permitted by applicable law, for example: if we go through a business transition (e.g., merger, acquisition, or sale of a portion of our assets); to comply with a legal requirement or a court order; when we believe it is appropriate in order to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.
- Aggregated and Deidentified Information. Shuttle Health reserves the right to disclose aggregated, anonymized, or de-identified information, including reports generated based on these data sets, about any individuals with nonaffiliated entities for research, marketing, or other purposes, without restriction. Shuttle Health may receive compensation in exchange for these disclosures, however, because no Personal Data is included in the data sets, doing so does not qualify as “selling” or “sharing” Personal Data under applicable privacy laws.
​
CONTROLLING YOUR PERSONAL DATA
Depending on where you live or are located, you may have certain rights over your Personal Data that we collect and retain. Shuttle Health provides you a variety of methods and options to directly control how we collect and use your Personal Data, including but not limited to:
​
- Your healthcare provider or prescription supplier. Most of the Personal Data we process is provided to us by your healthcare provider or prescription supplier that is a Client of Shuttle Health. To access, correct, delete, or control that Personal Data, please contact your healthcare provider or prescription supplier.
- Texting. If you opt in to use our Services or provide us with your wireless phone number, you consent to Shuttle Health sending you service text messages. The number of texts you receive will depend on the Services you use and the information you request from us. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
​
You can unsubscribe from our text messages by replying STOP or UNSUBSCRIBE to any of these text messages. If you opt out of our text messages, you will not receive your order status updates via text.
​
- Emails. If you give us your email address, we may send you informational or support emails related to the Services. If you opt in for promotional emails, we may send those as well. If you do not wish to receive emails from Shuttle Health, you can unsubscribe or change your preferences via the links provided in the emails or send a request to legal@shuttle.health. Note that if you opt out of promotional emails, we may still send you non-promotional emails related to your use of the Services or our ongoing business relations.
- Device Settings. You can control the data we collect through cookies and related technologies by adjusting your device settings or your cookie preferences on our website.
- Privacy Requests. If you wish to exercise your rights under your applicable privacy laws, please contact your healthcare provider or prescription supplier that is a Shuttle Health Client. If you want to express concerns, revoke your consent, lodge a complaint, or request information, please contact legal@shuttle.health.
​
Shuttle Health can only assist with or fulfill a privacy request when we have sufficient information to verify that the requester is the person or an authorized representative of the person about whom we have collected Personal Data, and to properly understand, evaluate, and respond to the request. We do not charge a fee to process or respond to a verifiable request unless we have legal grounds to do so. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. We endeavor to respond to privacy requests in accordance with the requirements of the law applicable to your jurisdiction. If we do not fulfill your request within the legally required timeline, you can appeal our response by contacting legal@shuttle.health.
- Do Not Track. Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests.
​
YOUR PRIVACY RIGHTS
In the United States, consumer privacy is governed by federal privacy laws covering specific industries or data uses and state privacy laws providing general consumer privacy rights. This section provides informational notices for state privacy laws applicable in California, Colorado, Connecticut, Nevada, Utah, Virginia, and other states that require companies to inform consumers about their privacy rights and provide a method to exercise those rights. Residents of states offering privacy protections (each a “Consumer”) can exercise their privacy rights by submitting a Privacy Request to their healthcare provider through which the Consumer uses our Services. Some of these laws may not apply to our Services, in which case these notices are offered as a courtesy to those Consumers.
​
- Right to Correct. You have the right to request that we correct inaccurate Personal Data about you on our systems. If you become aware that the Personal Data that we hold about you is incorrect, or if your information changes, please inform us and we will update our records.
- Right to Deletion. You have the right to request that we delete your Personal Data that we collected and retained, with certain exceptions. Shuttle Health may permanently delete, deidentify, or aggregate the Personal Data in response to a request for deletion.
- Right to Access. You have the right to request confirmation that we have collected Personal Data about you and that we provide you with access to that Personal Data. If you submit an access request, we will provide you with copies of the requested pieces of Personal Data in a portable and readily usable format. Please note that Shuttle Health may be prohibited by law from disclosing certain pieces of Personal Data, and we may be limited in the number or frequency of requests we must fulfill.
- Right to Disclosure. You may request that we disclose information to you about our collection and use of your Personal Data, such as: (a) the categories of Personal Data we have collected about you; (b) the categories of sources for the Personal Data we have collected about you; (c) our business purpose for collecting, using, processing, sharing or selling that Personal Data, as applicable; (d) the categories of third parties with whom we share that Personal Data; and (e) if we sold or shared your Personal Data under the CCPA, two separate lists stating: (i) sales or sharing, identifying the Personal Data categories that each category of recipient purchased; and (ii) disclosures for a business purpose, identifying the Personal Data categories that each category of recipient obtained. Certain laws may limit the number or frequency of requests we must fulfill.
​
- Limited Use and Disclosure of Sensitive Personal Data. You have the right to opt out or limit our use of your sensitive Personal Data. Shuttle Health may collect or receive Personal Data from you that qualifies as sensitive Personal Information under privacy laws. Shuttle Health does not and will not disclose any sensitive Personal Data for the purpose of inferring characteristics about you or otherwise use your sensitive Personal Data without your consent. We only use this Personal Data to provide the Services and, where we process the Personal Data for a covered entity, in compliance with HIPAA controls. If this ever changes in the future, we will update this Privacy Policy and provide you with methods to opt out or limit our use and disclosure of sensitive Personal Data.
​
- No Selling or Sharing Personal Data. Some states entitle consumers to opt out of the sale or sharing of Personal Data or targeted advertising practices. Shuttle Health does not sell your Personal Data or share your Personal Data with third parties for cross-contextual behavioral advertising purposes. If this changes in the future, we will update this Privacy Policy and provide you with a method to opt out.
- No Patient Profiling. You have the right to opt out of automated profiling. Shuttle Health does not process your Personal Data to evaluate, analyze, or predict your interests and preferences or otherwise use automated profiling to produce significant effects that concern you. If this changes in the future, we will update this Privacy Policy and provide you with a method to opt out.
- Right to Nondiscrimination. We will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; (iv) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (v) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.
- Health Data Rights. Some state laws entitle consumers to certain details about health data collected about them, including (i) confirmation of whether the entity collects, shares, or sells the consumer’s health data and access that data, including a list of all third parties and affiliates with whom the entity has shared or sold the health data and a method to contact those third parties, (ii) a method to withdraw consent related to use of health data, and (iii) the right to have their health data be deleted.
- Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Data sharing with affiliates and/or third parties for marketing purposes.
- HIPAA. To learn about your rights under HIPAA, please contact your healthcare provider.
​
If you are a Consumer, you may exercise these rights by submitting a Privacy Request. Only you or someone legally authorized to act on your behalf may make a verifiable Privacy Request related to your Personal Data. You may also make a verifiable privacy request on behalf of your minor child. You may designate a third party to exercise your rights – an authorized agent – however we will require written proof of the authorization and potentially proof of your identity.
​
CONSENT TO CROSS BORDER DATA TRANSFERS
Shuttle Health is a United States company with technical infrastructure in the United States. We design and market the Services for use by Clients and Patients in the United States. If you access the Services from outside the United States, please be aware that your Personal Data may be transferred to, processed, stored, and used in the United States or other jurisdictions. When your information is moved from your home country to another country, the laws and rules that protect your Personal Data in the country to which your information is transferred may be different from those of the country where you live. For example, if your information is in the United States it may be accessed by government authorities under United States law. By allowing us to collect Personal Data about you, you consent to the transfer and processing of your Personal Data as described in this section.
​
COOKIE NOTICE
Cookies are small text files downloaded and stored on your computer or mobile device when you visit or use an online platform. Cookies help the platform recognize your device, store your preferences, or perform certain functions for the platform. Cookies are used for functionality, security, analytics, or advertising. Some cookies are strictly necessary to the function of the website or other platforms, while others enable certain features. Shuttle Health deploys the following cookies on our websites:
​
- Shuttle_health_session stores authentication information for a user accessing our website.
- XSRF-TOKEN ensures that you are not susceptible to Cross-Site Scripting attacks.
- themeType dictates whether you see the web application in a Light Mode or Dark Mode theme.
​
Each of these cookies is essential for the functionality of our Services. As such, these cookies are not available for opt-out. We may deploy additional cookies in the future. If so, we will update this Privacy Policy and we will provide you with mechanisms to opt-out of cookies that are non-essential.
​
You can directly control how cookies interact with your device by changing your device or browser settings to alert you when cookies are sent to your device or to refuse some or all cookies from being set on your device. Alternatively, you can install a third-party plugin to control cookie behavior. If you disable or refuse cookies or block the use of other tracking technologies, some parts of websites or online services you use may not function properly. If you get a new device, install a new browser, or erase or alter your device’s cookie file or privacy settings, your privacy preferences may not be saved.
​
SECURITY
Shuttle Health has implemented and maintains reasonable security measures to safeguard your Personal Data from accidental loss and unauthorized access, use, alteration, and disclosure. We maintain security measures that are appropriate to the volume, scope, and nature of the personal data processed and designed to meet our duty of care with respect to your Personal Data. This includes a reasonable standard of care to protect the confidentiality, integrity, and accessibility of the health data we collect, including that we limit access to collected health data only to those employees, service providers, and volunteers for which access is necessary. Shuttle Health maintains compliance with SOC2 standards, and we provide the Services to Clients that are covered entities as business associates in compliance with HIPAA.
​
Please remember that no submission of information over the Internet is entirely secure. You are responsible for keeping your device access and login information confidential. You are also encouraged to install anti-virus and anti-malware software on your devices and keep all software updated to avoid security risks. We cannot guarantee the security of information you submit via our Services while it is in transit over the Internet, and any such submission is at your own risk.
​
THIRD PARTY SERVICES
This Privacy Policy only applies to Shuttle Health Services. It does not apply to any third-party platforms or services, or any third-party services linked or accessible from the Services. The Services may offer links to third-party services, but we have no control over third-party websites, apps, devices, or systems, and you should exercise caution when deciding to disclose your Personal Data to anyone.
​
UPDATES
Shuttle Health may update this Privacy Policy from time to time. You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this page. We will notify you about material changes to this Privacy Policy within the Services or by other measures that are appropriate to provide you with notice. We will collect your consent to these changes to the extent required by applicable law.