Second Opinion USA LLC (SecOpp) PRIVACY POLICY

Version: 1.0

Effective Date: February 1, 2025

Last Updated: January 31, 2025

TABLE OF CONTENTS

1. Introduction
2. Definitions
3. Data Collection
4. Data Usage
5. Data Sharing and Disclosures
6. Data Storage and Security
7. User Rights and Choices
8. Consent Management
9. Cookies and Tracking Technologies
10. Special Provisions for Healthcare Data
11. Communications
12. Children’s Privacy
13. Updates to Privacy Policy
14. Contact Information
15. Jurisdiction-Specific Addenda

1.  INTRODUCTION

1. Purpose of the Policy

This Privacy Policy (“Policy”) describes how Second Opinion USA LLC (“SecOpp,” “we,” “our,” or “us”), a telemedicine platform connecting U.S. physicians with patients in India, collects, uses, maintains, protects, and discloses your personal information and protected health information. This Policy applies to all information collected through our website (www.thesugrclinic.com), mobile application, and any related services, sales, marketing, or events (collectively, the “Platform”).

1.2  Our Commitment to Priva

At SecOpp, we are deeply committed to protecting your privacy and the security of your personal and health information. We understand the sensitive nature of health data and take our responsibility as custodians of this information seriously. Our commitment extends to compliance with all applicable laws and regulations in the jurisdictions where we operate, particularly focusing on U.S. and Indian legal frameworks.

1.3  General Approach to Data Protection and Compliance

We implement a comprehensive, multi-layered approach to data protection that includes:

• Technical Safeguards: Advanced encryption, secure servers, and regular security audits
• Administrative Controls: Staff training, access limitations, and comprehensive data handling policies
• Physical Security: Secure facilities for any physical records and hardware containing personal data
• Compliance Programs: Ongoing adherence to healthcare privacy standards including HIPAA, HITECH, GDPR (where applicable), and CCPA/CPRA (for California residents)
• Risk Assessment: Regular evaluation of potential vulnerabilities and implementation of preventive measures

BY ACCESSING OR USING OUR PLATFORM, YOU AGREE TO THIS PRIVACY POLICY. IF YOU DO NOT AGREE WITH ANY PART OF THIS POLICY, PLEASE DO NOT USE OUR SERVICES.

• DEFINITIONS

To ensure clarity throughout this Policy, the following terms are defined as:

2.1  Personal and Healthcare-Related Terms

• Personal Data/Personal Information: Any information relating to an identified or identifiable natural person (“data subject”). This includes, but is not limited to, name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
• Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained in any form or medium that relates to: (i) the past, present, or future physical or mental health or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for the provision of healthcare to an individual, as defined under HIPAA.
• Sensitive Personal Information: A subset of personal information that includes health information, biometric data, precise geolocation, racial or ethnic origin, religious beliefs, and other categories defined by applicable law as requiring special protection.

• De-identified Information: Information that has been processed to remove or obscure all direct and indirect identifiers such that the information cannot reasonably identify, relate to, describe, or be capable of being associated with a particular individual.

2.2  Role-Based Terms

• Data Controller: The entity (Second Opinion USA LLC) that determines the purposes and means of processing personal data.
• Data Processor: A third party that processes personal data on behalf of Second Opinion USA LLC.
• Covered Entity: A healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically in connection with certain HIPAA-defined transactions.
• Business Associate: A person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity.
• User/Patient: Any individual who uses our Platform to access telemedicine services.
• Provider: Any healthcare professional, including physicians, specialists, and allied health professionals, who provides healthcare services through our Platform.

2.3  Technical and Legal Terms

• Processing: Any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• Consent: Freely given, specific, informed, and unambiguous indication of a data subject’s wishes by which they signify agreement to the processing of their personal data.
• Data Breach: A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data or PHI.
• Cross-Border Transfer: The movement of personal data from one country or jurisdiction to another, particularly relevant for our operations between the U.S. and India.

• DATA COLLECTION
  • Types of Data Collected
    • Personal Information

We collect personal information that you voluntarily provide to us when you register on the Platform, express interest in obtaining information about our services, or otherwise contact us. This personal information may include, but is not limited to:

• Full name
  • Date of birth
    • Gender
    • Email address
    • Mailing address
    • Phone number
    • Government-issued identification numbers (for identity verification)
    • Payment information (credit card numbers, banking details)
    • Profile pictures
    • Authentication credentials (usernames, passwords)
    • Electronic signatures
    • Communication preferences

3.1.2  Health Data

In the course of providing telemedicine services, we collect health-related information, including:

• Medical history and conditions
  • Current symptoms and concerns
    • Allergies and adverse reactions
    • Medications and supplements
    • Previous treatments and procedures
    • Test results and diagnostic information
    • Family medical history
    • Lifestyle information (smoking status, alcohol consumption, exercise habits)
    • Insurance details and billing information
    • Treatment plans and recommendations
    • Healthcare provider notes and assessments
    • Images or videos submitted for diagnostic purposes
    • Monitoring data from connected medical devices (if applicable)

3.1.3  Technical Data

Our Platform automatically collects certain information when you visit, use, or navigate it. This information does not reveal your specific identity but may include:

• IP address
  • Device and browser information
    • Operating system
    • Geographic location (country and city level)
    • Time zone
    • Referring website
    • Pages visited and features used
    • Clickstream data and browsing patterns
    • System activity and hardware settings
    • Session duration and timing
    • Network connection information
    • Platform performance metrics
    • Error logs and crash analytics

3.2  How Data Is Collected

• Direct Collection

Information you provide directly to us through:

• Account registration and profile creation
  • Intake forms and medical questionnaires
    • Telemedicine consultation sessions
    • Customer support interactions
    • Surveys and feedback forms
    • User-generated content (questions, comments)
    • Correspondence (email, chat, phone)
    • Payment processing

3.2.2  Automated Collection

Information collected automatically through:

• Cookies and similar tracking technologies

• Server logs and analytics tools
  • Mobile device identifiers
    • Application programming interfaces (APIs)
    • Web beacons and pixel tags
    • Local storage objects
    • Session replay tools
    • Network monitoring software

3.2.3  Third-Party Sources

Information we may receive from other sources:

• Healthcare providers and medical professionals
  • Electronic health record (EHR) systems
    • Health insurance providers
    • Identity verification services
    • Payment processors
    • Analytics providers
    • Marketing partners
    • Public databases and registries
    • Social media platforms (if you connect them to our service)
    • Connected medical devices and health monitoring applications

3.3  Legal Basis for Collection

• United States

Under U.S. law, including HIPAA, we collect and process data based on:

• Provision of healthcare services (treatment)
  • Processing payments and managing billing
    • Healthcare operations and administrative functions
    • Compliance with legal and regulatory obligations
    • Your explicit consent where required by law

3.3.2  For Users in the European Union

Under GDPR (where applicable), we process data based on:

• Your explicit consent
  • Performance of a contract (service agreement)
    • Compliance with legal obligations
    • Protection of vital interests in emergency situations
    • Legitimate interests, where not overridden by your fundamental rights

3.3.3  For California Residents

Under CCPA/CPRA, we collect and process data based on:

• Your consent
  • Necessity to provide requested services
    • Compliance with legal obligations
    • Other purposes disclosed at the time of collection

3.3.4  Special Considerations for Sensitive Health Information

We take additional precautions when processing PHI and sensitive health information:

• We obtain specific consent for processing sensitive health data
  • We limit access to authorized personnel on a need-to-know basis
    • We implement enhanced security measures for sensitive data
    • We only use such data for treatment, payment, healthcare operations, or as otherwise permitted by law or with your consent

• DATA USAGE
  • Primary Purposes for Data Usage
    • Service Delivery

We use your personal and health information to:

• Establish and maintain your user account
  • Authenticate your identity for secure access
    • Connect you with appropriate healthcare providers
    • Facilitate telemedicine consultations and follow-ups
    • Manage appointments and scheduling
    • Process and transmit prescriptions (where legally permitted)

• Monitor health conditions and treatment progress
  • Provide personalized health recommendations
    • Coordinate care between multiple providers (if applicable)
    • Generate and maintain medical records
    • Enable communication between you and your healthcare providers

4.1.2  Internal Processing

We use your information for operational purposes, including:

• Processing payments and managing billing
  • Verifying insurance coverage and eligibility
    • Conducting clinical reviews and quality assurance
    • Resolving technical issues and customer support inquiries
    • Analyzing service utilization and health outcomes
    • Improving clinical workflows and processes
    • Training our staff and healthcare providers
    • Managing and optimizing Platform performance
    • Developing and testing new features
    • Maintaining accurate records and documentation

4.2  Secondary Purposes for Data Usage

• Research and Analytics

With appropriate safeguards and consent where required, we may use data for:

• Conducting clinical research and studies
  • Analyzing healthcare trends and patterns
    • Evaluating treatment efficacy and outcomes
    • Developing new healthcare protocols and best practices
    • Contributing to medical knowledge and innovation
    • Preparing statistical reports and aggregated insights
    • Quality improvement initiatives

4.2.2  Legitimate Business Interests

We may use information to:

• Prevent fraud and ensure Platform security
  • Enforce our Terms of Service and other policies
    • Protect the rights and safety of users and the public
    • Comply with legal obligations and regulatory requirements
    • Defend against legal claims or proceedings
    • Conduct business planning and strategic development
    • Evaluate business transactions (mergers, acquisitions, etc.)
    • Communicate non-marketing information about our services

4.2.3  Marketing and Communications

With your consent, we may use your information to:

• Send promotional content about our services
  • Deliver personalized health information and resources
    • Invite participation in surveys or research opportunities
    • Share educational content and healthcare news
    • Announce new features or service enhancements
    • Provide information about events or webinars

4.3  Limitations on Data Usage

We are committed to using your information responsibly. We will:

• Only use your information for purposes disclosed in this Policy
• Process data in a manner compatible with the purpose for which it was collected
• Limit processing to what is necessary for stated purposes
• Not use your information for incompatible purposes without appropriate notice and consent
• Not sell your personal information to third parties for their commercial purposes
• Not use your information for automated decision-making that produces legal or similarly significant effects without human oversight

• DATA SHARING AND DISCLOSURES
  • Categories of Third Parties
    • Healthcare Providers and Organizations

We share your information with:

• U.S.-based physicians and specialists who provide consultations through our Platform
  • Other healthcare professionals involved in your care
    • Pharmacies for prescription fulfillment (where applicable)
    • Laboratories and diagnostic centers for test orders and results
    • Health information exchanges for care coordination

5.1.2  Service Providers and Vendors

We share information with third parties who help us operate our Platform:

• Cloud hosting and storage providers
  • Payment processors and billing services
    • Customer support and communication tools
    • Identity verification services
    • Analytics and performance monitoring services
    • Appointment scheduling systems
    • Medical language translation services
    • Telehealth infrastructure providers
    • Electronic health record (EHR) systems
    • Quality assessment and accreditation organizations

5.1.3  Business Partners

We may share information with:

• Healthcare institutions and organizations
  • Insurance providers and payers
    • Medical device manufacturers (for integrated devices)
    • Health monitoring application providers
    • Strategic business partners who offer complementary services

5.2  Purposes for Sharing

We share your information for the following purposes:

• Healthcare Delivery: To facilitate medical consultations, coordinate care, and provide treatment

• Treatment Continuity: To ensure seamless healthcare services across providers
• Payment Processing: To bill for services, verify insurance coverage, and process claims
• Platform Operations: To maintain and improve our services
• Legal Compliance: To fulfill regulatory requirements and mandatory reporting
• Research and Innovation: To advance medical knowledge (with appropriate consent)
• Safety and Security: To protect users and maintain Platform integrity

5.3  International Data Transfers and Safeguards

• Cross-Border Data Flows

Given our operations connecting U.S. physicians with patients in India, data is transferred between these jurisdictions. Specifically:

• Patient information from India may be transferred to the U.S. for physician consultation
  • Consultation records and clinical documentation may be transferred from the U.S. to India
    • Data may be stored on cloud servers located in various geographic regions

5.3.2  Transfer Safeguards

We implement the following safeguards for international data transfers:

• Standard Contractual Clauses: We use contract provisions approved by regulatory authorities
  • Data Processing Agreements: We maintain agreements with all data processors that mandate appropriate security measures
    • End-to-End Encryption: We encrypt data in transit and at rest
    • Data Minimization: We transfer only the information necessary for the intended purpose
    • Access Controls: We restrict access to authorized personnel only
    • Regular Audits: We conduct periodic reviews of our data transfer practices
    • Localization Where Required: We store certain data locally when mandated by law

5.4  Legal and Regulatory Disclosures

We may disclose your information when legally required, including:

• In response to a court order, subpoena, or similar legal process
• To comply with laws, regulations, or governmental requests
• To report suspected abuse, neglect, or domestic violence

• For public health activities (disease reporting, adverse events, etc.)
• For health oversight activities (audits, investigations, inspections)
• To avert a serious threat to health or public safety
• For specialized government functions (national security, military)
• For workers’ compensation claims
• In connection with a business transfer (merger, acquisition, sale of assets)
• To enforce our agreements, policies, and terms of use
• To protect our rights, privacy, safety, or property, or that of others

5.5  Limitations on Sharing

We limit our data sharing in the following ways:

• Minimum Necessary Standard: We disclose only the information required for the intended purpose
• De-identification: When possible, we de-identify data before sharing for research or analytics
• Consent Requirements: We obtain consent when required by law before sharing
• No Sale of Data: We do not sell personal information or PHI to third parties
• Contractual Protections: We require third parties to maintain appropriate security and confidentiality
• Accountability Mechanisms: We maintain records of disclosures as required by law

• DATA STORAGE AND SECURITY
  • Data Retention Periods
    • General Retention Principles

We retain your information for as long as needed to provide you with our services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods vary based on:

• The type of information
  • The purpose for which it was collected
    • Legal and regulatory requirements
    • Operational necessity
    • Risk management considerations

6.1.2  Specific Retention Periods

• Medical Records: We retain healthcare data for a minimum of 7 years or as required by state laws, HIPAA, and other applicable regulations
  • Account Information: We maintain active account data for the duration of your relationship with us
    • Payment Information: We store transaction records for 7 years for tax and accounting purposes
    • Communication Records: We keep records of communications for 3 years
    • Technical Data: We retain logs and analytics data for 18 months
    • Marketing Preferences: We maintain opt-out records indefinitely to honor your choices

6.1.3  Data Destruction

When retention periods expire, we securely delete or anonymize information using industry-standard methods, including:

• Secure overwriting of digital files
  • Cryptographic erasure for encrypted data
    • Physical destruction of storage media when appropriate
    • Anonymization techniques that prevent re-identification

6.2  Security Measures and Standards

• Technical Security Controls

We implement comprehensive security controls, including:

• Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Management: Role-based access controls, multi-factor authentication, and privileged access management
    • Network Security: Firewalls, intrusion detection/prevention systems, and regular penetration testing
    • Endpoint Protection: Anti-malware solutions, device management, and security patch management
    • Monitoring: 24/7 security monitoring, logging, and alerting
    • Backup Systems: Regular backups with secure off-site storage
    • High Availability: Redundant systems to ensure service continuity

6.2.2  Administrative Safeguards

Our administrative security measures include:

• Security Policies: Comprehensive policies and procedures governing data handling
  • Staff Training: Regular security awareness training for all personnel
    • Background Checks: Pre-employment screening for employees with access to sensitive data
    • Security Certifications: Compliance with industry standards and security frameworks
    • Vendor Assessment: Thorough security evaluation of third-party service providers
    • Incident Response Plan: Documented procedures for handling security incidents
    • Regular Audits: Internal and external security assessments

6.2.3  Physical Security

For facilities housing our systems:

• Access Controls: Restricted physical access to server rooms and data centers
  • Environmental Controls: Climate control, fire suppression, and power redundancy
    • Surveillance: Video monitoring and security personnel
    • Media Handling: Secure disposal of physical media containing sensitive information

6.3  Encryption and Anonymization Practices

• Encryption Implementation

We employ encryption throughout our systems:

• Data at Rest: All stored PHI and sensitive personal information is encrypted
  • Data in Transit: All network communications use TLS 1.3 or higher
    • End-to-End Encryption: For telemedicine sessions and sensitive communications
    • Key Management: Secure generation, storage, and rotation of encryption keys
    • Mobile Applications: Local encryption for data stored on mobile devices

6.3.2  Anonymization and Pseudonymization

For data used in analytics, research, and non-direct care purposes:

• De-identification Techniques: Removal of direct and indirect identifiers
  • Aggregation: Combining data to prevent individual identification
    • Tokenization: Replacing sensitive values with non-sensitive equivalents
    • Statistical Disclosure Control: Methods to minimize re-identification risk
    • Expert Determination: Review of de-identification methods by qualified experts

6.4  Breach Notification Procedures

In the event of a data breach affecting your personal information or PHI:

6.4.1  Internal Response

• We will activate our incident response team
  • Contain and investigate the breach
    • Assess the nature and scope of the affected information
    • Implement measures to mitigate harm
    • Document the incident and response actions

6.4.2  Notification Timelines

• For breaches involving PHI, we will notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, as required by HIPAA
  • For other personal data breaches, we will notify affected individuals in accordance with applicable laws, including GDPR (72 hours to authorities) and state breach notification laws

6.4.3  Notification Content

Our notifications will include:

• Description of the breach
  • Types of information involved
    • Steps individuals can take to protect themselves
    • Measures we are taking to investigate and mitigate
    • Contact information for questions and additional information

6.4.4  Regulatory Reporting

We will notify relevant regulatory authorities as required by law, including:

• U.S. Department of Health and Human Services for PHI breaches
  • State attorneys general where required by state law
    • Data protection authorities for breaches affecting EU residents
    • Indian regulatory authorities as applicable

7.  USER RIGHTS AND CHOICES

• Your Privacy Rights

Depending on your location and applicable laws, you may have the following rights regarding your personal information:

7.1.1  Access Rights

• Right to Know: You can request information about what personal data we collect, use, disclose, and sell
  • Right to Access: You can request a copy of your personal information in our records
    • Right to Confirmation: You can ask whether we process your personal data

7.1.2  Correction Rights

• Right to Rectification: You can request that we correct inaccurate personal information
  • Right to Complete: You can ask us to complete incomplete information
    • Right to Update: You can update your profile information directly through your account settings

7.1.3  Deletion Rights

• Right to Erasure: You can request deletion of your personal information in certain circumstances
  • Right to be Forgotten: You can ask us to remove your data from our systems
    • Limitations: Some information may be retained for legal, compliance, or business purposes

7.1.4  Control Rights

• Right to Restrict Processing: You can request limits on how we use your data
  • Right to Object: You can object to certain processing activities
    • Right to Opt-Out: You can opt-out of certain disclosures, sales of personal information, or the use of sensitive personal information
    • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

7.1.5  Portability Rights

• Right to Data Portability: You can request your personal information in a structured, commonly used, and machine-readable format
  • Right to Transfer: You can ask us to transmit your data directly to another controller, when technically feasible

7.2  How to Exercise Your Rights

• Submission Methods

You can submit requests to exercise your rights through:

• Online Form: Available in your account settings or our privacy portal
  • Email: privacy@thesugrclinic.com
    • Postal Mail: Second Opinion USA LLC, Attn: Privacy Office, 3748 Dover Dr, Birmingham, AL – 35223

7.2.2  Verification Process

To protect your information, we need to verify your identity before processing your request:

• Account Holders: We will verify your identity through your account credentials
  • Non-Account Holders: We may request additional information to verify your identity
    • Authorized Agents: If using an authorized agent, we require written permission and identity verification

7.2.3  Response Timeline

• We aim to respond to all verifiable requests within 30 days
  • If necessary, we may extend the response time by an additional 30 days, with notification
    • For complex requests, we will keep you informed about the status of your request

7.2.4  Response Format

• We will provide information in a concise, transparent, intelligible, and easily accessible form
  • We will use clear and plain language
    • Information will be provided in writing or electronically in a commonly used format

7.3  Jurisdiction-Specific Rights

• HIPAA Rights (United States)

As a covered entity under HIPAA, we provide patients with:

• Right to access and obtain copies of their health records
  • Right to request amendments to records
    • Right to an accounting of disclosures
    • Right to request restrictions on certain uses and disclosures
    • Right to confidential communications
    • Right to file a complaint with the covered entity or HHS

7.3.2  GDPR Rights (European Union)

For individuals protected by the GDPR, additional rights include:

• Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority
    • Rights related to automated decision-making and profiling
    • Right to be informed about the appropriate safeguards where data is transferred to a third country

7.3.3  CCPA/CPRA Rights (California)

California residents have specific rights, including:

• Right to know about personal information collected, disclosed, or sold
  • Right to delete personal information collected from the consumer
    • Right to opt-out of the sale or sharing of personal information
    • Right to limit use and disclosure of sensitive personal information
    • Right to non-discrimination for exercising consumer rights

7.3.4  Other State-Specific Rights

Residents of other states may have additional rights under applicable state laws, which we will honor in accordance with those laws.

7.4  Limitations and Exceptions

In some cases, we may be unable to fulfill your rights requests due to:

• Legal obligations requiring retention of information
• Legitimate business needs for the information
• Technical limitations
• Protection of the rights of others
• Requests that are manifestly unfounded or excessive

When we cannot fulfill a request, we will explain the reasons and inform you of your right to complain to the relevant supervisory authority.

• CONSENT MANAGEMENT
  • Obtaining Consent
    • Methods of Consent Collection

We obtain consent through:

• Explicit Consent Forms: Digital forms with clear consent language
  • Click-through Agreements: During account creation and registration
    • Checkboxes: Clearly labeled opt-in checkboxes for specific processing activities
    • Digital Signatures: For telehealth consent and authorization forms
    • Verbal Consent: Recorded in certain telehealth contexts, with documentation
    • Granular Options: Separate consent for different processing activities
    • Just-in-Time Notices: Contextual consent requests at the point of data collection

8.1.2  Consent Requirements

Our consent mechanisms ensure that consent is:

• Freely Given: Obtained without pressure or conditional terms
  • Specific: Clearly explaining each purpose for which consent is sought
    • Informed: Accompanied by clear information about the processing
    • Unambiguous: Requiring a clear affirmative action
    • Demonstrable: Recorded and documented for compliance purposes
    • Accessible: Presented in clear, plain language
    • Distinguishable: Separate from other terms and conditions
    • Revocable: With clear information on how to withdraw consent

8.1.3  Special Categories of Consent

We implement enhanced consent procedures for:

• Healthcare Services: Informed consent for telehealth treatment
  • Research Participation: Separate consent for any research activities
    • Marketing Communications: Explicit opt-in for promotional messages
    • Cookie Consent: Granular options for different types of cookies
    • International Data Transfers: Specific consent for cross-border transfers
    • Minor’s Data: Parental/guardian consent process

8.2  Withdrawal of Consent

• Withdrawal Mechanisms

You can withdraw previously granted consent through:

• Account Settings: Self-service preference center

• Unsubscribe Links: One-click unsubscribe in all marketing communications
  • Privacy Portal: Centralized consent management interface
    • Customer Support: Assistance with consent withdrawal requests
    • Written Requests: Via email or postal mail

8.2.2  Effects of Withdrawal

Upon withdrawal of consent:

• We will cease processing data based on that consent
  • Processing performed prior to withdrawal remains lawful
    • Alternative legal bases may allow continued processing for certain purposes
    • Some services may be limited or unavailable if essential processing cannot continue

8.2.3  Processing Withdrawal Requests

We handle consent withdrawal by:

• Confirming receipt of the request promptly
  • Processing withdrawal requests without undue delay
    • Updating our systems to reflect consent changes
    • Notifying relevant processors and partners
    • Documenting the withdrawal for compliance purposes
    • Providing confirmation when the withdrawal has been processed

8.3  Special Provisions for Vulnerable Populations

• Minors (Under 18)

For users under 18 years of age:

• Parental Consent: Required for users under 13 (under 16 in some jurisdictions)
  • Verification Methods: Age verification and parent/guardian identity confirmation
    • Guardian Authorization: Medical decision-makers must authorize healthcare services
    • Age-Appropriate Language: Consent forms designed for comprehension
    • Additional Safeguards: Enhanced privacy protections for minors’ data

8.3.2  Individuals with Limited Capacity

For those with limited decision-making capacity:

• Legal Representatives: Authorized representatives may provide consent

• Power of Attorney: Recognition of healthcare proxies and legal guardians
  • Accessible Formats: Consent materials in formats appropriate to different abilities
    • Documentation Requirements: Additional verification and record-keeping
    • Best Interest Assessment: Consideration of the individual’s best interests

8.3.3  Language and Accessibility

To ensure informed consent across populations:

• Multiple Languages: Consent materials available in languages common to our user base
  • Plain Language: Information presented at an 8th-grade reading level
    • Assistive Technology Support: Compatibility with screen readers and other tools
    • Visual Aids: Graphics and videos to enhance understanding
    • Support Options: Availability of human assistance for consent questions

8.4  Consent Records and Documentation

We maintain comprehensive records of consent, including:

• Date, time, and method of consent
• Version of privacy notices presented
• Specific purposes for which consent was given
• Identity verification methods used
• Withdrawal of consent when applicable
• Parental/guardian consent for minors
• Consent renewal and updating activities

These records are maintained in accordance with applicable retention requirements and are available for audit and compliance purposes.

• COOKIES AND TRACKING TECHNOLOGIES
  • Types of Cookies and Trackers
    • Essential Cookies

These cookies are necessary for the Platform to function properly and cannot be disabled:

• Session Cookies: Maintain your session state during navigation
  • Authentication Cookies: Remember your login status

• Security Cookies: Help detect and prevent security risks
  • Load Balancing Cookies: Distribute traffic to ensure service availability
    • User Interface Customization Cookies: Remember your preferences for Platform display

9.1.2  Functional Cookies

These cookies enable enhanced functionality but are not essential:

• Preference Cookies: Remember your settings and choices
  • Language Cookies: Store your language preference
    • Location Cookies: Remember your general location for relevant content
    • Accessibility Cookies: Store accessibility settings
    • Form Completion Cookies: Remember information you’ve entered in forms

9.1.3  Analytics Cookies

These cookies help us understand how visitors interact with our Platform:

• Performance Measurement: Track page load times and server response times
  • User Behavior Analysis: Monitor navigation patterns and feature usage
    • Error Tracking: Identify technical issues and errors
    • A/B Testing Cookies: Support comparison of different versions of our service
    • Heatmap and Session Recording Cookies: Analyze how users interact with pages

9.1.4  Marketing and Advertising Cookies

These optional cookies are used for marketing purposes:

• Conversion Tracking: Measure the effectiveness of marketing campaigns
  • Retargeting Cookies: Enable delivery of relevant advertisements
    • Social Media Cookies: Support sharing and integration with social platforms
    • Affiliate Tracking: Monitor referrals from partner websites
    • Interest-Based Advertising: Build profiles of interests for targeted ads

9.2  Purpose and Control

• How We Use These Technologies

We use cookies and similar technologies to:

• Maintain Security: Protect user accounts and prevent fraud

• Enhance Experience: Provide a personalized and efficient Platform
  • Analyze Performance: Identify areas for improvement
    • Support Features: Enable interactive elements and user preferences
    • Measure Effectiveness: Evaluate our marketing and communication efforts
    • Improve Content: Understand what information is most valuable to users
    • Technical Functionality: Ensure the Platform works correctly across devices

9.2.2  Cookie Consent Management

We provide tools for you to control your cookie preferences:

• Cookie Banner: Clear notice upon first visit with consent options
  • Preference Center: Granular controls to manage cookie categories
    • Browser Settings: Information on blocking cookies through browser settings
    • Opt-Out Links: Direct links to opt out of analytics and advertising tracking
    • Do Not Track: Recognition of browser Do Not Track signals where required by law

9.2.3  Third-Party Cookies

Some cookies are placed by third parties on our Platform:

• We provide details about third-party cookies in our Cookie Policy
  • We contractually require third parties to respect privacy preferences
    • We periodically review third-party cookie usage for compliance
    • We offer links to third-party privacy policies for transparency

9.3  Cookie Lifespan and Storage

• Session CookiesTemporary cookies that exist only during your browsing sessionDeleted automatically when you close your browserDo not collect information from your device

9.3.2  Persistent Cookies

• Remain on your device between browsing sessions
  • Have expiration dates ranging from 30 days to 2 years
    • Used for remembering preferences and providing continuity

9.4  Other Tracking Technologies

• Web Beacons and PixelsSmall transparent images that track page views and email opensHelp us understand user engagement with contentUsed to measure advertising effectiveness

9.4.2  Local Storage

• HTML5 storage mechanisms that persist data on your device
  • Used for improved performance and offline functionality
    • Subject to the same privacy controls as cookies

9.4.3  Device Fingerprinting

• Collection of device attributes to identify unique browsers
  • Used for fraud prevention and security purposes
    • Limited to necessary identification for legitimate purposes

9.5  Cookie Policy

For more detailed information about the specific cookies we use, their purposes, and your choices, please refer to our separate Cookie Policy, which is incorporated by reference into this Privacy Policy.

1. SPECIAL PROVISIONS FOR HEALTHCARE DATA
   1. HIPAA Compliance Measures
      1. Privacy Rule Compliance

As a covered entity and business associate under HIPAA, we implement:

• Notice of Privacy Practices: Comprehensive information about PHI handling
  • Minimum Necessary Standard: Limiting PHI access and disclosure to what is required
    • Patient Rights Implementation: Processes to fulfill access, amendment, and accounting requests
    • Workforce Training: Regular HIPAA training for all staff with PHI access
    • Privacy Officer: Designated individual responsible for privacy policies and compliance
    • Administrative Safeguards: Policies and procedures for PHI protection
    • Business Associate Agreements: Contracts ensuring third-party compliance

10.1.2  Security Rule Compliance

Our technical safeguards include:

• Risk Analysis: Regular assessment of potential risks to electronic PHI
  • Risk Management: Implementation of security measures to reduce identified risks
    • Access Controls: Technical policies limiting ePHI access to authorized persons
    • Audit Controls: Hardware, software, and procedural mechanisms to record activity
    • Integrity Controls: Measures to ensure ePHI is not improperly altered or destroyed
    • Transmission Security: Technical security measures for data transmission
    • Device and Media Controls: Policies governing receipt and removal of hardware

10.1.3  Breach Notification Rule

Our breach response protocols include:

• Breach Definition: Clear understanding of what constitutes a breach
  • Risk Assessment Process: Methodology to evaluate breach impact
    • Notification Procedures: Processes for timely notification to affected individuals
    • Documentation: Comprehensive record-keeping of breach incidents and responses
    • Workforce Training: Education on breach identification and reporting
    • Mitigation Strategies: Plans to minimize harm from breaches

10.2  Notice of Privacy Practices Integration

1. Notice Distribution

We provide our Notice of Privacy Practices:

• During initial registration on our Platform
  • Upon request at any time
    • Via prominent link on our website
    • In updated form when material changes occur
    • In accessible formats for individuals with disabilities
    • In multiple languages for non-English speakers

10.2.2  Content of Notice

Our Notice of Privacy Practices includes:

• How we may use and disclose PHI
  • Individual rights regarding PHI

• Our legal duties to protect privacy
  • Complaint procedures
    • Contact information for privacy questions
    • Effective date and revision information

10.2.3  Acknowledgment of Receipt

We maintain records of:

• User acknowledgment of the Notice of Privacy Practices
  • Documentation of good faith efforts to obtain acknowledgment
    • Alternative means of providing the Notice when electronic delivery is not feasible

10.3  Handling of Treatment, Payment, and Operations Data

1. Treatment Data

Information used for patient care is:

• Accessible only to treating providers and support staff
  • Shared between providers only for coordination of care
    • Subject to additional safeguards for sensitive conditions (mental health, substance use, HIV status, genetic information)
    • Protected during telehealth sessions through secure transmission
    • Documented in compliance with medical record requirements

10.3.2  Payment Data

Information used for billing and reimbursement is:

• Limited to the minimum necessary for processing payments
  • Shared with payers and financial institutions as required
    • Secured during transmission and storage
    • Retained according to financial record requirements
    • Subject to appropriate accounting controls

10.3.3  Healthcare Operations Data

Information used for operational activities is:

• Limited to authorized personnel
  • Used for quality assessment and improvement

• Applied to provider credentialing and performance evaluation
  • Utilized for business planning and development
    • Employed for compliance and administrative functions

10.4  Special Categories of Health Information

1. Psychotherapy Notes

For mental health services:

• Psychotherapy notes are stored separately from the main medical record
  • Heightened protection and restricted access apply
    • Specific authorization is required for disclosure
    • Patients have the right to restrict certain disclosures

10.4.2  Substance Use Disorder Information

For substance use treatment:

• Compliance with 42 CFR Part 2 regulations
  • Additional authorization requirements for disclosure
    • Prohibition of redisclosure without patient consent
    • Special notice requirements for any permitted disclosures

10.4.3  Genetic Information

For genetic testing and results:

• Compliance with the Genetic Information Nondiscrimination Act (GINA)
  • Enhanced security for genetic test results
    • Restrictions on certain uses and disclosures
    • Special consent requirements for research use

10.4.4  HIV/AIDS Information

For HIV-related information:

• Compliance with state-specific HIV confidentiality laws
  • Heightened protections for HIV status and test results
    • Special authorization requirements for disclosure
    • Additional training for staff handling HIV information

1. COMMUNICATIONS
   1. Marketing Communications
      1. Consent for Marketing

We only send marketing communications with your explicit consent:

• Opt-in Process: Clear, affirmative action required to receive marketing
  • Separate Consent: Marketing consent obtained independently from service consent
    • Specific Channels: Consent collected for each communication channel (email, SMS, push notifications)
    • Granular Options: Ability to select types of marketing content
    • Record Keeping: Documentation of all marketing consent

11.1.2  Marketing Content

Our marketing communications may include:

• Information about new services and features
  • Educational content about health conditions and treatments
    • Invitations to webinars and virtual events
    • Surveys and feedback requests
    • Special offers and promotions
    • Provider spotlights and success stories
    • Newsletter content and health tips

11.1.3  Opting Out

You can opt out of marketing communications at any time through:

• Unsubscribe Links: Present in every marketing email
  • STOP Instructions: Text message opt-out directions
    • Preference Center: Self-service marketing preferences
    • Customer Support: Assistance with communication preferences
    • Do Not Call List: Compliance with telemarketing regulations

11.2  Service-Related Communications

1. Essential Communications

We send necessary service communications that are not subject to marketing opt-out:

• Account Notifications: Registration confirmation, password resets, and security alerts
  • Appointment Communications: Scheduling confirmations, reminders, and follow-ups
    • Medical Updates: Test results, treatment plans, and care instructions
    • Billing Notices: Payment confirmation, insurance information, and invoices
    • Policy Changes: Updates to Terms of Service, Privacy Policy, and other agreements
    • Legal Notices: Required disclosures and important information about your rights
    • Service Announcements: Platform maintenance, outages, and critical updates

11.2.2  Delivery Channels

We use various channels for service communications:

• Email: Primary method for detailed information and documentation
  • SMS/Text Messages: For time-sensitive notifications and reminders
    • Push Notifications: Mobile app alerts for important updates
    • In-App Messaging: Communications within the Platform interface
    • Secure Messaging: Encrypted channel for PHI and sensitive information
    • Phone Calls: For urgent matters requiring immediate attention
    • Mail: Physical documents when required by law or requested

11.2.3  Frequency and Timing

We are mindful of communication frequency:

• Critical alerts sent immediately when necessary
  • Appointment reminders sent at appropriate intervals
    • Batched notifications where possible to reduce volume
    • Consideration of time zones for non-urgent communications
    • Options to customize notification frequency where appropriate

11.3  Emergency Communications

1. Emergency Protocols

In medical emergencies:

• Urgent Alerts: Immediate notifications through multiple channels
  • Follow-up Instructions: Clear guidance on next steps

• Emergency Services Integration: Coordination with local emergency resources when necessary
  • Provider Notification: Automatic alerts to treating physicians
    • Designated Contact: Communication with emergency contacts when authorized
    • Documentation: Records of emergency communications and responses
    • Post-Emergency Follow-up: Communications after emergency resolution

11.3.2  Crisis Response

During platform-wide incidents or data breaches:

• Timely Notification: Prompt disclosure of relevant information
  • Impact Assessment: Clear explanation of potential effects
    • Mitigation Steps: Instructions for user actions to reduce risk
    • Support Resources: Additional assistance for affected users
    • Regular Updates: Ongoing communications until resolution
    • Regulatory Reporting: Parallel communication with authorities as required

11.4  Communication Security

1. Secure Messaging

For PHI and sensitive communications:

• End-to-End Encryption: Protection of message content
  • Secure Access: Authentication required to access messages
    • Auto-Timeout: Automatic session expiration for security
    • No Persistent Storage: Option for ephemeral messages that expire
    • Screen Protection: Prevention of screenshots where possible
    • Audit Trails: Records of message delivery and access
    • Data Loss Prevention: Controls to prevent unauthorized forwarding or copying

11.4.2  Communication Standards

All communications adhere to:

• Plain Language: Clear, understandable content without jargon
  • Accessibility: Compliance with web accessibility guidelines
    • Identifiable Source: Clear identification of SecOpp as the sender

• Contact Information: Methods to reach us with questions
  • Privacy Respect: No inclusion of sensitive information in unsecured channels
    • Regulatory Compliance: Adherence to healthcare communication requirements

1. CHILDREN’S PRIVACY
   1. Age Restrictions and Verification
      1. Platform Age Limitations
         1. Our Platform is not intended for use by children under 13 years of age
         1. Users between 13-18 years may access the Platform only with parental/guardian involvement
         1. Special protections apply to all users under 18 years

12.1.2  Age Verification Methods

We employ multiple approaches to verify user age:

• Self-Declaration: Initial age verification during registration
  • Guardian Verification: Confirmation of parental/guardian authorization
    • Document Verification: Where appropriate, verification of identification documents
    • Technical Measures: Implementation of age-gating technologies
    • Contextual Signals: Monitoring for indications of underage usage
    • Account Linking: Connection of minor accounts to parent/guardian accounts

12.1.3  Action on Underage Access

If we discover that personal information has been collected from a child under 13 without parental consent:

• We will immediately suspend the account
  • Delete all collected personal information
    • Provide notification to parents/guardians
    • Implement additional safeguards for future prevention

12.2  Parental Consent Mechanisms

1. Methods of Obtaining Parental Consent

For users between 13-18 years, we obtain verifiable parental consent through:

• Electronic Signature: Digital signature of consent forms

• Credit Card Verification: Limited transaction to verify adult status
  • Video Verification: Real-time identity confirmation calls
    • Signed Consent Forms: Scanned and uploaded authorization documents
    • Knowledge-Based Questions: Questions only a parent/guardian would know
    • Two-Factor Verification: Multiple methods combined for higher assurance

12.2.2  Scope of Parental Consent

Parental consent includes authorization for:

• Collection and use of the minor’s personal information
  • Creation and management of the minor’s account
    • Telehealth consultations and healthcare services
    • Communication with the minor through the Platform
    • Storage and processing of the minor’s health information
    • Disclosure to healthcare providers as needed for treatment

12.2.3  Parental Access and Control

Parents/guardians of minor users have:

• Access Rights: Ability to review information collected from their child
  • Modification Rights: Authority to request changes to their child’s information
    • Deletion Rights: Option to request deletion of their child’s data
    • Communication Control: Management of communications sent to their child
    • Consent Withdrawal: Right to revoke consent at any time
    • Activity Monitoring: Access to their child’s Platform usage history
    • Provider Selection: Approval of healthcare providers for consultations

12.3  Special Protections for Minors’ Data

1. Data Minimization

For users under 18:

• We collect only information that is reasonably necessary
  • We avoid collection of non-essential personal information
    • We implement automated purging of data when no longer needed
    • We use de-identification where possible for analytical purposes

12.3.2  Enhanced Security Measures

Additional protections include:

• Stricter Access Controls: Further limited access to minors’ data
  • Enhanced Encryption: Higher security standards for minors’ information
    • Special Handling Flags: System identifiers for minor accounts
    • Regular Auditing: More frequent review of access to minors’ records
    • Staff Training: Specialized training for personnel handling minors’ data

12.3.3  Marketing and Advertising Restrictions

For minor users:

• No Targeted Advertising: Prohibition on behavioral advertising
  • No Data Sharing: No sharing with third parties for marketing
    • Age-Appropriate Content: Only suitable content and communications
    • No Profiling: No interest-based profile creation
    • No Incentives: No rewards or gamification for providing additional information

12.4  Jurisdiction-Specific Compliance

1. United States

Compliance with:

● Children’s Online Privacy Protection Act (COPPA)

• Family Educational Rights and Privacy Act (FERPA) where applicable
  • State-specific minor privacy laws
    • Minor consent to treatment laws
  • International Considerations
    • GDPR provisions for children’s data (for EU residents)
    • India’s data protection requirements for minors
    • Other jurisdiction-specific protections
  • Healthcare-Specific Regulations
    • HIPAA special provisions for minors
    • Mature minor doctrines where applicable
    • Sensitive service confidentiality (reproductive health, mental health, substance use)

1. UPDATES TO PRIVACY POLICY
   1. Policy Change Process
      1. Reasons for Updates

We may update this Privacy Policy for various reasons, including:

• Changes in our data practices or services
  • New features or technologies implemented
    • Regulatory and legal compliance requirements
    • Industry best practice developments
    • Organizational changes
    • Security enhancement implementations
    • Clarifications based on user feedback

13.1.2  Review and Approval Process

Our policy update process includes:

• Regular scheduled policy reviews (at least annually)
  • Legal assessment of proposed changes
    • Privacy impact analysis
    • Stakeholder consultation
    • Executive approval
    • Documentation of changes
    • Version control and archiving

13.1.3  Material vs. Non-Material Changes

We distinguish between:

• Material Changes: Significant alterations to how we collect, use, or share personal information
  • Non-Material Changes: Minor updates, clarifications, or corrections that do not substantially affect your rights or our practices

13.2  Notification Methods

1. Communication Channels

We notify users of policy updates through:

• Email Notifications: Direct messages for material changes
  • Platform Notices: Prominent banners or pop-ups within the service
    • Website Announcements: Updates on our homepage or privacy page
    • Mobile App Alerts: In-app notifications where applicable
    • Blog Posts: Detailed explanations for significant changes
    • Social Media Updates: Additional notifications on official channels
    • API Notifications: For developers and integration partners

13.2.2  Content of Notifications

Our update notifications include:

• Summary of key changes
  • Effective date of the updated policy
    • Access to both the current and updated versions
    • Instructions for reviewing the changes
    • Information about your options and rights
    • Contact details for questions or concerns
    • Timeline for implementation

13.2.3  Timing of Notifications

We provide:

• Advance Notice: Typically at least 30 days before implementation of material changes
  • Immediate Notice: Prompt communication for urgent security or compliance updates
    • Reminder Notifications: Follow-up communication before implementation
    • Post-Implementation Confirmation: Verification that changes are in effect

13.3  Implementation Timeline

1. Grace Periods

For material changes:

• Minimum 30-day notice before implementation
  • Reasonable time for users to review and understand changes
    • Opportunity to ask questions and seek clarification
    • Staged rollout for significant platform changes

• Extended timelines for changes affecting healthcare operations

13.3.2  User Response Options

During the notice period, users may:

• Continue using the service under the current policy until the effective date
  • Contact us with questions or concerns about the changes
    • Download a copy of their data if desired
    • Update their privacy preferences
    • Request account closure if they do not agree with the changes
    • Exercise applicable data rights (access, deletion, etc.)

13.3.3  Transition Assistance

For significant changes, we provide:

• FAQs explaining the changes in plain language
  • Support resources to help understand the impact
    • Instructions for adjusting settings or preferences
    • Direct assistance through customer support channels
    • Webinars or educational materials for major updates

13.4  Records and Documentation

1. Policy Archives

We maintain:

• Archives of all previous policy versions
  • Date ranges when each version was in effect
    • Change logs documenting modifications
    • Records of notification methods and timing
    • User acknowledgment data where collected

13.4.2  Accessibility of Previous Versions

We make previous policy versions:

• Available upon request
  • Accessible through our privacy portal
    • Provided in machine-readable formats when possible

• Formatted for comparison with current version
  • Preserved with original formatting and content

1. CONTACT INFORMATION
   1. Data Protection Officer
      1. DPO Details

Our appointed Data Protection Officer is:

Name: Purvi Shah

Title: Chief Privacy Officer, Second Opinion USA LLC

Email: dpo@thesugrclinic.com

Office Address: 3748 Dover Dr, Birmingham, AL – 35223

Office Hours: Monday to Friday, 9:00 AM to 5:00 PM Eastern Time

14.1.2  DPO Responsibilities

Our Data Protection Officer is responsible for:

• Overseeing data protection strategy and implementation
  • Monitoring compliance with privacy regulations
    • Advising on data protection impact assessments
    • Serving as the primary contact for data subjects
    • Cooperating with supervisory authorities
    • Managing the internal data protection team
    • Privacy training and awareness programs

14.1.3  When to Contact the DPO

You should contact our DPO directly for:

• Complex privacy inquiries
  • Unresolved privacy complaints
    • Data breach notifications
    • Data protection impact assessment questions
    • Regulatory compliance matters
    • Cross-border data transfer issues
    • Privacy policy interpretation

14.2  Privacy Team Contact

1. General Privacy Inquiries

For general privacy questions or to exercise your rights:

Email: privacy@thesugrclinic.com

Online Form: www.thesugrclinic.com/privacy-request

Postal Mail:

Privacy Team

Second Opinion USA LLC

3748 Dover Dr, Birmingham, AL – 35223

14.2.2  Response Timeframes

Our commitment to timely responses:

• Acknowledgment of requests within 2 business days
  • Substantive responses within 30 calendar days
    • Notification if additional time is needed
    • Regular status updates for complex requests
    • Expedited handling for urgent matters

14.2.3  Specialized Contact Channels

For specific privacy matters:

• HIPAA Privacy Officer: hipaa-privacy@thesugrclinic.com
  • Data Subject Requests: dsr@thesugrclinic.com
    • Security Concerns: security@thesugrclinic.com
    • Marketing Opt-Out: unsubscribe@thesugrclinic.com
    • Children’s Privacy Questions: minors-privacy@thesugrclinic.com
    • Accessibility Requests: accessibility@thesugrclinic.com
    • Media Inquiries: media-privacy@thesugrclinic.com

14.3  Regulatory Authority Contact

1. United States Authorities

For unresolved concerns, you may contact:

U.S. Department of Health and Human Services (HHS)

Office for Civil Rights

200 Independence Avenue, S.W. Washington, D.C. 20201

Toll Free Call Center: 1-800-368-1019 Website: www.hhs.gov/ocr/privacy

Federal Trade Commission (FTC) 600 Pennsylvania Avenue, NW Washington, DC 20580

Toll-Free: 1-877-FTC-HELP (1-877-382-4357)

Website: www.ftc.gov

14.3.2  California-Specific Authority

For California residents:

California Attorney General’s Office

California Department of Justice Attn: Office of Privacy Protection

P.O. Box 944255

Sacramento, CA 94244-2550

Toll-Free: 1-800-952-5225

Website: oag.ca.gov/privacy

14.3.3  EU/EEA Authority

For EU/EEA residents (if applicable):

European Data Protection Board

Website: edpb.europa.eu

(You may also contact your local EU member state’s data protection authority)

14.3.4 Indian Authority

For Indian residents:

Ministry of Electronics & Information Technology

Electronics Niketan, 6, CGO Complex New Delhi – 110003

Website: www.meity.gov.in

14.4 Additional Contact Resources

Technical Support

For Platform technical issues:

Email: support@thesugrclinic.com

Hours: Monday to Friday, 8:00 AM to 8:00 PM Eastern Time

Live Chat: Available through our website and mobile app

14.4.2 Billing and Account Inquiries

For account and payment questions:

Email: billing@thesugrclinic.com

Hours: Monday to Friday, 8:00 AM to 8:00 PM Eastern Time

14.4.3 Healthcare Providers

For healthcare providers using our Platform:

Email: providers@thesugrclinic.com

Hours: 24/7 provider support

JURISDICTION-SPECIFIC ADDENDA

United States (HIPAA & HITECH)

HIPAA Privacy Rule Provisions

As a covered entity and business associate under HIPAA:

• We comply with all applicable provisions of the HIPAA Privacy Rule
• We maintain a separate Notice of Privacy Practices as required
• We implement appropriate administrative, technical, and physical safeguards
• We conduct regular risk assessments and workforce training
• We provide patients with access to their protected health information
• We account for disclosures of protected health information when required
• We report breaches as mandated by the Breach Notification Rule

15.1.2 HITECH Act Compliance

Under the HITECH Act:

• We implement enhanced security provisions for electronic protected health information
• We adhere to stricter breach notification requirements
• We comply with business associate agreement provisions
• We respond to requests for electronic copies of health records
• We honor restrictions on certain disclosures to health plans
• We limit marketing communications as prescribed
• We maintain audit trails of electronic health record access

15.1.3 State-Specific Healthcare Privacy Laws

We also comply with:

• State medical privacy laws that may be more stringent than HIPAA
• State data breach notification laws
• State-specific consent requirements for sensitive information
• State laws regarding minors’ healthcare privacy
• State telehealth and telemedicine regulations
• State electronic prescription and health record laws

15.2 European Union (GDPR)

For users who are residents of the European Economic Area (EEA), United Kingdom, or Switzerland, we comply with the General Data Protection Regulation (GDPR) and equivalent laws:

15.2.1 Legal Basis for Processing

We process personal data only when we have a lawful basis, including:

• Your explicit consent
• Performance of a contract with you
• Compliance with a legal obligation
• Protection of vital interests
• Performance of a task in the public interest
• Legitimate interests that are not overridden by your rights

15.2.2 Enhanced Rights

In addition to the rights outlined elsewhere in this policy, you have:

• Right to Data Portability: Receive your data in a structured, commonly used format
• Right to Object to Processing: Object to processing based on legitimate interests or public interest
• Right to Restrict Processing: Limit how we use your data while your request is being considered
• Right to Withdraw Consent: Revoke previously given consent without affecting lawfulness of prior processing
• Right to Lodge a Complaint: File a complaint with a supervisory authority
• Rights Related to Automated Decision Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

15.2.3 International Transfers

For transfers of personal data outside the EEA:

• We implement appropriate safeguards such as Standard Contractual Clauses
• We conduct transfer impact assessments as required
• We provide additional protective measures where necessary
• We obtain prior consent for certain transfers
• We comply with adequacy decisions of the European Commission

15.3 California (CCPA/CPRA)

For California residents, we comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

15.3.1 California Privacy Rights

In addition to other rights, California residents have:

• Right to Know: Request disclosure of categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information with certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing: Direct businesses not to sell or share personal information
• Right to Limit Use of Sensitive Personal Information: Restrict use of sensitive personal information to specified purposes
• Right to Non-Discrimination: Not be discriminated against for exercising CCPA rights

15.3.2 California Privacy Disclosures

As required by California law, we provide:

• Categories of personal information collected in the preceding 12 months
• Categories of sources from which information is collected
• Business or commercial purposes for collecting information
• Categories of third parties with whom information is shared
• Categories of personal information sold or disclosed for business purposes
• Retention periods for each category of personal information

15.3.3 Do Not Sell or Share My Personal Information

We provide clear and conspicuous methods to opt out of the sale or sharing of personal information, including:

• “Do Not Sell or Share My Personal Information” link on our homepage
• Process for submitting opt-out requests
• Honor of Global Privacy Control signals
• Verification procedures for requests
• Retention of opt-out preferences

15.4 India

India Data Protection Compliance

For our operations serving patients in India:

• We adhere to India’s evolving data protection framework
• We comply with the Information Technology Act, 2000 (IT Act) and its amendments
• We follow the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• We monitor and will comply with the Digital Personal Data Protection Act when fully implemented
• We adopt security practices prescribed by relevant Indian regulatory authorities
• We maintain documentation demonstrating compliance with Indian privacy requirements

15.4.2 Cross-Border Data Transfers from India

For personal data transferred from India:

• We implement appropriate safeguards for cross-border data transfers
• We obtain explicit consent for transfers where required
• We ensure that data transferred to the U.S. maintains equivalent protection
• We comply with any data localization requirements for certain categories of data
• We maintain transparency about where Indian users’ data is processed
• We facilitate exercise of privacy rights regardless of data location
• We monitor regulatory developments affecting cross-border transfers

CONCLUSION

This Privacy Policy demonstrates Second Opinion USA LLC’s commitment to protecting your personal information and health data while providing high-quality telemedicine services. We strive to be transparent about our data practices and to empower you with meaningful choices about your information.

By using our Platform, you acknowledge that you have read and understand this Privacy Policy. If you have questions or concerns about our privacy practices, please contact us using the information provided in Section 14.

© 2025 Second Opinion USA LLC. All Rights Reserved.