Welcome to Twentyeight Health! We’re excited you’re here.
‍‍If you had an account with The Pill Club or SimpleHealth, check out details on the transition from the Pill Club here and SimpleHealth FAQs here. 

Privacy Policy for California Residents

This Privacy Policy for California Residents (“California Privacy Policy”) only applies to visitors to our website and users of our online services that reside in the State of California. For purposes of this California Privacy Policy, the term “personal information” does not include: (a) information subject to HIPAA or the California Confidentiality of Medical Information Act; (b) deidentified or aggregated consumer information; or (c) publicly available information that (i) has been lawfully made available from government records; (ii) we have a reasonable basis to believe has lawfully been made available to the general public by you or from widely distributed media; or (iii) has been made available by a person to whom you disclosed the information unless you restricted such information to a specific audience. Of note, if you receive telehealth services through Twentyeight Health’s platform, this policy does not apply to your protected health information. Our use and disclosure of your protected health information is instead governed by HIPAA, the California Confidentiality of Medical Information Act, and our agreements with the telehealth providers.  

‍

  1. Notice at Collection. This Notice at Collection (“Notice”) is to inform you that Twentyeight Health is collecting your personal information and sensitive personal information to support its business operations, including for the business purposes listed in the tables below. 

‍

Information about the categories of personal information from consumers we have collected within the last twelve (12) months, including the business purposes for which we collect the information, is set forth in the tables below. Of note, Twentyeight Health does not sell personal information or sensitive personal information and we do not share sensitive personal information. Twentyeight Health does share limited amounts of personal information as indicated in the tables below. [Our personal information sharing does not include information about consumers we know are under age 16. OR Our personal information sales [and/or] sharing does include information about consumers we know are under age 16. However, we do not sell or share personal information of consumers:

  • Between ages 13 and 15 unless the consumer provides affirmative, opt-in consent.
  • Under age 13 unless their parent or legal guardian provides affirmative, opt-in consent.]
Personal Information Category
Business Purpose
Shared?
Identifiers, such as name, date of birth, and contact information
Performing services, certain short-term uses, security
No
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (i.e., name, address, telephone number, education, employment history).
Performing services, certain short-term uses, security, to administer the employment relationship
No
Protected classification characteristics under California or federal law, such as age, marital status, and sex.
Performing services, certain short-term uses, security, to administer the employment relationship
No
Internet or other similar network activity, such as browsing history and search history.
Performing services, certain short-term uses, security, auditing interactions with our website, debugging, marketing
Yes
Geolocation data.
Auditing interactions with our website, marketing
Yes
Professional or employment-related information, such as current or past job history or performance evaluations (with respect to Twentyeight Health job applicants only).
Job recruitment purposes; to administer the employment relationship
No
Inferences drawn from other personal information (profile reflecting a person’s preferences, characteristics, behavior, attitudes, etc.).
To administer the employment relationship
No
Personal Information Category
Business Purpose
Shared?
Government identifiers (SSN, driver’s license #, state ID card, passport #)
To administer the employment relationship
No
Racial or ethnic origin, religious or philosophical beliefs, or union membership (with respect to Twentyeight Health job applicants only)
Job recruitment purposes (to the extent you choose to provide this information)
No
Citizenship or immigration status (with respect to Twentyeight Health job applicants only)
Job recruitment purposes, to administer the employment relationship
No
Mail, email, or text message contents (with respect to Twentyeight Health employees only)
Performing services, certain short-term uses, security
No
Sex life or sexual orientation information (with respect to Twentyeight Health job applicants only)
Job recruitment purposes (to the extent you choose to provide this information)
No

Our Retention of your Personal Information and Sensitive Personal Information.   Twentyeight Health retains personal information and sensitive personal information for as long as necessary to provide the services and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different data types, the context of our interactions with you or your use of services, actual retention periods can vary significantly.

Other criteria used to determine the retention periods include:

  • Is the personal information considered to be of a sensitive type? If so, a shortened retention time would generally be adopted.
  • Has Twentyeight Health adopted and announced a specific retention period for a certain data type? As an example, Twentyeight Health retains email communications not proactively deleted for one year, unless a longer retention period is necessary for a legal or business reason.
  • Has the individual provided consent for a longer retention period? If so, we will retain data in accordance with the individual’s consent.
  • Is Twentyeight Health subject to a legal, contractual, or similar obligation to retain or delete the data? Examples can include mandatory data retention laws in the applicable jurisdiction, government orders to preserve data relevant to an investigation, or data retained for the purposes of litigation.

If you have any questions about this Notice or need to access it in an alternative format due to having a disability, please contact contact@twentyeighthealth.com.

II. Sources of Personal Information

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or information and records you provide to us.
  • Indirectly from you. For example, from forms you complete or information you provide to other parties who share them with us.
  • Internet cookies.
  • Data analytics providers.

III. Use of Personal Information

We may use the personal information we collect for one or more of the following purposes:

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to obtain a service, we will use that information to facilitate the performance of that service. We may also save your information to facilitate new product orders or process returns.
  • To provide, support, personalize, and develop our products and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your experience and to deliver content and service offerings relevant to your interests, including via website, email or text message (with your consent, where required by law).
  • To help maintain the safety, security, and integrity of our services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our users and/or consumers is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

IV. Disclosure of Personal Information

We do not sell personal information or sensitive personal information.

However, we may disclose your personal information to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, we have disclosed personal information for a business purpose to the categories of third parties indicated in the chart below.

‍

Personal Information Category
Business Purpose Disclosures
Categories of Third Party Recipients
Identifiers, such as name, date of birth, and contact information
Identifiers, such as name, date of birth, and contact information
• Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development
‍
• Government agencies
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (i.e., name, address, telephone number, education, employment history).
Performing services, certain short-term uses, security, to administer the employment relationship, to comply with the law
• Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development

• Government agencies
Protected classification characteristics under California or federal law, such as age, marital status, and sex.
To comply with the law
• Government agencies
Internet or other similar network activity, such as browsing history and search history.
Performing services, certain short-term uses, security, auditing interactions with our website, debugging, marketing
• Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development
Geolocation data.
Auditing interactions with our website, security, marketing
• Outside organizations in connection with providing products and services, completing transactions, supporting our everyday operations, or business management and development
Sensitive Personal Information Category
Business Purpose Disclosures
Categories of Third Party Recipients
Government identifiers (SSN, driver’s license #, state ID card, passport #)
To comply with the law, job recruitment purposes, to administer the employment relationship (with respect to Twentyeight Health employees only)
• Outside organizations in connection with administering background checks on job applicants and payroll for employees

• Government agencies
Racial or ethnic origin, religious or philosophical beliefs, or union membership (with respect to Twentyeight Health job applicants only)
To comply with the law
• Government agencies
Citizenship or immigration status (with respect to Twentyeight Health job applicants only)
To comply with the law, job recruitment purposes, to administer the employment relationship
• Outside organizations in connection with administering background checks on job applicants and payroll for employees

• Government agencies
Sex life or sexual orientation information (with respect to Twentyeight Health job applicants only)
To comply with the law
• Government agencies

V. Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

  1. Right to Know and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the “right to know”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know, Delete, or Correct), we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting that personal information.
  • If we disclosed your personal information for a business purpose, a list of all disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  1. Right to Delete

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the “right to delete”). Once we receive your request and confirm your identity (see Exercising Your Rights to Know, Delete, or Correct), we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

  1. Right to Correct

You have the right to correct inaccurate personal information we maintain about you. We will use commercially reasonable efforts to correct such inaccurate personal information.  Once we receive a correction request and confirm your identity (see Exercising Your Rights to Know, Delete, or Correct), we will review the contested information’s accuracy, considering the totality of the circumstances, and determine if it is more likely than not that the personal information we maintain is inaccurate. We will review and consider any documentation you provide to support your correction request and encourage you to make a good faith effort to provide us with all necessary information during the request submission process. If we determine it is more likely than not that the personal information is inaccurate, we will correct such information on our systems and instruct all service providers and contractors to whom such personal information was disclosed to make the necessary corrections in their respective systems.

Alternatively, we may delete the contested personal information instead of correcting it when either:

  • Deleting it does not negatively impact you, for example, by making it harder for you to obtain a job or any other type of opportunity; or
  • You consent to deletion.

We may deny your correction request if:

  • The request conflicts with federal or state law or qualifies for an exception;
  • Based on the circumstances, the request makes compliance impossible or involves disproportionate effort;
  • We have a good faith, reasonable, and documented belief that the request is fraudulent or abusive;
  • The request was previously made and denied within the past six months, unless you provide new or additional documentation to prove the contested information is inaccurate; or
  • We cannot verify your identity to the requisite level.
  1. Exercising Your Rights to Know, Delete, or Correct

To exercise your rights to know, delete, or correct described above, please submit a request by e-mailing us at [insert email address] or by dialing [insert toll-free phone number].

Only you, or someone legally authorized to act on your behalf, may make a request to know, delete, or correct related to your personal information.

You may only submit a request to know twice within a 12-month period. Your request to know, delete, or correct must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include:
    • Confirmation of your name, address, date of birth, or other similar information about you in our possession.
    • Confirmation by your legally authorized representative of your name, address, date of birth or other similar information about you in our possession, as well as delivery of a valid power of attorney or other documentation verifying their status as your legally authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

You do not need to create an account with us to submit a request to know, delete, or correct.

We will only use personal information provided in the request to verify the requestor’s identity or authority to make it.

  1. Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact [insert email address] .

We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.

[If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.]

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

  1. Right to Limit Our Use and Disclosure of Your Sensitive Personal Information

Twentyeight Health only uses and discloses your sensitive personal information for statutorily-permitted purposes. Therefore, Twentyeight Health does not offer you the ability to request that we limit our uses and disclosures of your sensitive personal information.

  1. Personal Information Sales and Sharing Opt-Out Rights

As aforementioned, Twentyeight Health does not sell personal information.  Therefore, we do not offer a process for opting out of such selling.

Twentyeight Health does share limited amounts of personal information (as described herein). Twentyeight Health does not knowingly share the personal information of minors under the age of 16 without first obtaining consent from consumers who are between 13 and 15 years old or the consumer’s parent or guardian for consumers under age 13.

To exercise the right to opt-out of personal information sharing, you (or your authorized representative) may submit a request to us by emailing contact@twentyeighthealth.com or visiting the following Internet webpage link:

Your Privacy Choices

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sharing. However, you may change your mind and opt back in to personal information sharing at any time through the Your Privacy Choices

webpage.

You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

VI. Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you with a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

VII. Other California Privacy Rights

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to [insert email address].

VIII. Changes to Our Privacy Policy

We reserve the right to amend this notice at our discretion and at any time. When we make changes to this notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our services following the posting of changes constitutes your acceptance of such changes.

IX. Contact Information

If you have any questions or comments about this notice, the ways in which Twentyeight Health collects and uses your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at: contact@twentyeighthealth.com.

‍