Scope and overview
This Website Privacy and Cookie Notice explains how DeepHealth, Inc. (“DeepHealth,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data when you visit our websites, microsites, portals, and other online services such as social media pages to the extent DeepHealth controls the processing on those pages (together, “websites”). It incorporates our cookie policy and serves as our comprehensive online privacy policy. It also explains your choices and rights under laws in the European Economic Area (EEA), the United Kingdom (UK), and the United States (US).
This Notice applies globally to our website processing. Where laws differ, we shall process personal data in accordance with applicable legal requirements, including but not limited to the EU General Data Protection Regulation (GDPR), UK GDPR, Swiss Data Protection Act, and applicable national implementations.
This notice does not apply to protected health information handled in our clinical products or services. When we act as a business associate or service provider under HIPAA or similar laws, privacy terms are governed by our contracts, Business Associate Agreements, and product-specific notices.
Controller and contacts
Controller: DeepHealth, Inc., 212 Elm St. Somerville, MA 02144.
Data Protection Officer: [email protected]
EU Representative under GDPR Article 27: MedEnvoy Global BV, Prinsessegracht 20, 2514 AP Den Haag, Netherlands; [email protected]
UK Representative under UK GDPR Article 27: Aidence UK Ltd., 4 King’s Bench Walk, Temple, London, England, United Kingdom, EC4Y 7DL; [email protected]
General privacy contact: [email protected]
Accessibility: If you need this notice in an alternative format, contact [email protected].
Definitions used in this notice
For purposes of this Website Privacy and Cookie Notice, the following terms have the meanings described below. Where a term is defined differently under applicable law, the definition that provides the greatest protection to individuals applies.
Personal data means any information that identifies or relates to an identified or identifiable individual, including direct identifiers (e.g., name, email address) and indirect identifiers (e.g., IP address, device ID, unique cookie ID).
Sensitive Personal Information means information defined as “sensitive” under applicable law, including but not limited to:
- Precise geolocation
- Account log-in credentials
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Biometric identifiers or biometric information
- Genetic data
- Information concerning a person’s sex life or sexual orientation
- The contents of a consumer’s mail, email, or text messages, unless we are the intended recipient.
Sell means disclosing personal data to a third party for monetary or other valuable consideration as defined by applicable law.
Share means disclosing personal data to a third party for cross-context behavioral advertising or similar targeted advertising uses, as defined by applicable law.
Consumer health data means information that identifies or is reasonably linkable to a consumer, and that reveals physical or mental health status or is processed to infer such status or health information, as defined by applicable state law.
Cookies include browser cookies, SDKs, pixels, tags, local storage, and similar technologies.
Profiling means automated processing of personal data to evaluate personal aspects relating to an individual, such as analyzing or predicting preferences, interests, health, behavior, location, or movements.
Precise geolocation means data derived from a device that can locate an individual within a specific radius as defined by applicable law.
Service provider/contractor means a person or entity that processes personal data on behalf of DeepHealth under a written contract limiting use to specific services and prohibiting sale or sharing for other purposes.
What we collect
Categories of personal data
- Identifiers and contact data such as name, email address, and phone number when you submit forms.
- Online identifiers such as IP address and device identifiers.
- Internet or network activity including pages viewed, links clicked, session duration, and referring URLs.
- Approximate geolocation derived from IP address at city or region level.
- Inferences created from analytics to improve the website and security.
- Feedback and communications you send to us.
- Call recordings for quality assurance, training, or incident response, where permitted by law and with required notices provided at the start of such calls.
- Financial and transactional data such as credit card information, billing address, and transaction details, when you make a purchase.
Sources
- Directly from you when you submit forms or communicate with us.
- Automated collection from your browser or device when you access our sites.
- Service providers that support our websites, analytics, and security.
- From third parties (where permitted by law), including public databases, marketing partners, social networks, and data-enrichment vendors (e.g., reverse IP geolocation), which provide business-to-business contact or interest signals.
How we use personal data
We use personal data to:
- Provide, operate, and secure websites and online services.
- Respond to inquiries and manage relationships.
- Measure and improve performance, content, and user experience.
- Detect, prevent, and investigate security incidents and fraud.
- Deliver personalized and targeted advertising where you provide consent.
- Comply with legal obligations and enforce terms.
Legal bases for processing in the EEA and UK
- Legitimate interests to operate and secure our websites, balanced against your interests and fundamental rights.
- Consent where required for cookies and similar technologies that are not strictly necessary.
- Compliance with legal obligations.
Who we disclose personal data to
- Service providers that host our sites and provide security, analytics, and customer support. These providers are bound by contract to use personal data only to provide services to us.
- Corporate affiliates that assist with website operations, subject to this notice.
- Public authorities where required by law, court order, or to protect rights and safety.
- Professional advisors (e.g., lawyers, auditors) under confidentiality.
- Event co-hosts and promotional partners as described at the time of registration. When you register for a co-hosted event, your information may be provided to that partner, subject to a link to their privacy notice.
- Business transfers: If we are involved in a reorganization, merger, acquisition, or sale of assets, personal data relevant to the transaction may be transferred as part of that deal, subject to applicable data laws and any required notices.
Cookies and similar technologies
Consent and control
We set only strictly necessary cookies by default. Analytics and advertising cookies load only after you consent in the Cookie Preferences Center (Cookiebot™). You can withdraw consent at any time in the same interface, and we will stop non-essential cookies without delay. We maintain consent receipts with timestamp, preference state, region, and controller identity.
Cookie registry
Our Cookie Preferences Center (Cookiebot™) provides a live registry that lists each cookie and similar technology, its provider, purpose, lifetime, and category. The registry is updated when our use of such technologies changes.
Examples of cookies we use
- Necessary cookies. Required for site functionality and security (e.g., session management, load balancing).
- Preference cookies. Remember your settings and choices (e.g., language selection).
- Statistics cookies. Help us understand how visitors interact with the site (e.g., analytics tools).
- Marketing cookies. Track activity across sites to deliver targeted advertising.
For the most current and complete list, see our live cookie registry confirmation in the Cookie Preferences Center, via Cookiebot™.
Embedded content and social media
- Prior blocking. Non-essential tags and third-party libraries do not fire until consent is given.
- Consent Mode. Google Consent Mode v2 defaults are denied for analytics and advertising until updated by the CMP after consent.
- CMP to tag mapping. Consent categories map to appropriate actions.
- Withdrawal symmetry. When you withdraw consent, we stop non-essential tags and avoid further use of identifiers.
- Embeds. Video players and social widgets are blocked until you enable the relevant category.
- Signal handling. Global Privacy Control and other recognized universal opt-out signals set sale, sharing, and targeted advertising to off and prevent those tags from firing.
- Cookie inventory. We classify all cookies and do not present an Unclassified category to users.
- Change control. New tags or embeds require privacy approval and appear in the live registry on release.
- Emails and web beacons. Our marketing emails may include web beacons or similar technologies that provide delivery and engagement metrics (e.g., opens, link clicks). You can unsubscribe at any time using the link in the message; when you unsubscribe, we shall suppress future marketing emails and update linked systems to honor your preference across future campaigns.
Selling, sharing, and targeted advertising
We do not sell personal data for money. If our use of analytics or advertising technology is deemed a sale, sharing, or targeted advertising under applicable law, you may opt out through the Cookie Preferences Center or by using a recognized opt-out preference signal. We provide a persistent footer menu that links to opt-out controls and a distinct footer for personalization and accessibility options, Cookiebot™.
We do not offer financial incentives in exchange for personal data, and we do not discriminate against you for exercising your rights.
Universal opt-out signals
We respond to legally recognized Global Privacy Control (GPC) signals and honor other universal opt-out mechanisms recognized by U.S. state authorities. When we detect a valid GPC signal, we treat it as a request to opt out of sale, sharing, and targeted advertising for that browser or device and apply a device-level flag until you change it. While some browsers offer a “Do Not Track” (DNT) signal, there is no industry or legal consensus on how to interpret this signal. Therefore, we do not respond to DNT signals at this time, but we do honor GPC as described.
Consumer Health Data and Sensitive Personal Information
We do not collect consumer health data or sensitive personal information through our websites, except in limited cases where you choose to provide such information in connection with an inquiry or interaction with our products or services.
When this occurs, it may include:
- Information you voluntarily provide about your current physical or mental health status in connection with inquiries about our products or services.
- Information relating to the provision of healthcare to you that you choose to disclose through our contact forms, communications, or uploads.
- Data that, with your explicit consent for analytics or marketing cookies, may be processed in aggregated form to understand interest in our products. We do not use browsing data for individual decision-making or profiling related to health.
Purposes of collection and use, sources of data, and disclosures of consumer health data and sensitive personal information are described in the sections “How we use personal data,” “Sources,” and “Who we disclose personal data to” above. Applicable GDPR legal grounds are described in “Legal bases for processing in the EEA and UK,” and retention periods are listed in “How long we keep personal data.” Where such data constitutes “special categories of data” under GDPR, it is processed only under a lawful basis permitted by Art. 9(2).
We do not actively collect biometric identifiers, genetic data, or precise geolocation tied to healthcare facility visits through our website. If our practice changes to include additional categories, we will update this Notice and obtain any consents required by law before collection.
Additional protections:
- We do not use geofencing to identify, track, or target individuals seeking in-person healthcare services.
- We do not sell consumer health data or sensitive personal information for monetary consideration.
- Separate, prior consent is obtained before collecting consumer health data where required by law, and again before any sharing of such data with third parties.
Links to other sites
Our websites may contain links to third-party sites not operated by us. We are not responsible for the privacy practices, content, or security of third-party sites.
International data transfers
If we transfer personal data outside the country where it was collected, we shall rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. We conduct transfer risk assessments as required by law.
How long we keep personal data
We keep personal data only as long as necessary for the purposes described or as required by law. The following retention guide applies to website data.
- Web server logs: 12 months.
- Analytics event data: up to 24 months.
- Contact form submissions: case life plus 24 months.
- Marketing preferences: until you unsubscribe, 24 months after your last engagement, or kept only as long as needed to honor your opt-out choices.
- Consent receipts and rights request logs: as required by law and audit obligations.
- Aggregated location analytics: up to 14 months.
- Inference and profile data: retained for the duration of the browsing session or de-identified and aggregated within 24 months.
- Financial and transactional data: retained for the period required by applicable tax and financial laws (typically 7-10 years).
We may retain aggregated or de-identified data for longer periods, provided it cannot be reasonably used to identify you.
Consent evidence and accountability
- We log consent and preference events with timestamp, CMP state, region, and user agent.
- We keep records of GPC and other opt-out signals detected by device or browser.
- We retain request and appeal records and outcomes within our retention schedule.
Your privacy rights
Depending on your location, you may have rights to access, correct, delete, and obtain a portable copy of personal data, to opt out of sale, sharing, and targeted advertising, and to limit the use of sensitive personal information. Where applicable, you may object to or restrict processing and withdraw consent. EU/UK residents may also lodge a complaint with a supervisory authority in their country of habitual residence, place of work, or where an alleged infringement occurred.
How to exercise your rights
- Use Your Privacy Choices in the site footer to manage cookie consent and opt-outs.
- Submit a request by emailing [email protected] or by using our web form.
- Use a browser-based opt-out preference signal to opt out of sale, sharing, or targeted advertising.
- To limit the use of Sensitive Personal Information, please click “Your Privacy Choices” in the site footer.
Authorized agents for California residents
You may use an authorized agent to submit access, deletion, correction, or opt-out requests. We require proof of the agent’s authority such as a signed permission, notarized letter, or a valid power of attorney, and shall either verify your identity directly or receive confirmation from you that you authorized the agent. We do not require identity verification to process an opt-out of sale, sharing, or limiting sensitive personal information request.
Appeals of denied requests
If we deny your request, you may appeal our decision. We will respond to appeals within applicable timelines and, where required, provide a method to contact the relevant state authority.
Children
Our websites are not directed to children under 16. We do not knowingly sell or share personal information of consumers under 16. We do not knowingly collect personal information from children under 13 in accordance with U.S. Children’s Online Privacy Protection Act (COPPA). If we learn we have collected such information without a legal basis, we shall delete it.
Security
We apply administrative, technical, and physical safeguards appropriate to the nature of the personal data and the risks of processing. Where call recording is used, you will be informed at the outset and may end the call or use alternative contact channels if you prefer it not to be recorded.
Website-related processing is subject to the controls for secure development, encryption, access management, logging, and regular security testing defined within our Information Security Management System (ISMS).
Breach Notification
In the unlikely event of a data breach affecting your personal data, we will notify you without undue delay as required by applicable law, including any specific timeframes set by relevant regulations.
Accessibility
We aim to provide this notice and our preference center in formats that conform to WCAG 2.1 AA. Contact [email protected] if you need an alternative format.
EU and UK specific information
In addition to contacting us or our representatives, you can lodge a complaint with your local supervisory authority. Contact details are available from the European Data Protection Board and the UK Information Commissioner’s Office.
Automated decision-making and profiling
If we use automated tools to personalize website content or ads, we do so to support human decision-making. Where required, we will provide meaningful information about the logic involved and the significance and consequences, and honor opt-out rights.
AI Processing
Where we use Artificial Intelligence (AI) in connection with this website, we shall provide clear information about its purpose. We design any such systems to meet applicable legal requirements, including GDPR, and, where applicable, the EU Artificial Intelligence Act.
United States State Privacy Annex
This annex summarizes rights under state privacy laws and supplements the main notice.
- California. Rights to know, delete, correct, data portability, opt out of sale and sharing, and limit the use of sensitive personal information. Recognition of Global Privacy Control.
- Colorado. Rights to access, correct, delete, portability, and opt out of targeted advertising and sale, and to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Recognition of universal opt-out mechanisms and Colorado’s requirement for opt-in consent to process sensitive data (as defined by the CPA). You may appeal a denied request.
- Connecticut, Utah, Oregon, Texas, Florida, Iowa, Delaware, New Jersey, New Hampshire, Nebraska, Montana, Tennessee, Indiana, Minnesota, Maryland, and other states with similar laws. Rights to access, correct, delete, portability, and opt out of targeted advertising and sale, and, where applicable, the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. These laws also provide rights regarding sensitive data, which in many of these states requires your opt-in consent for processing. Recognition of opt-out preference signals where required.
- Virginia. Rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. The processing of sensitive data (as defined by the VCDPA) requires opt-in consent. You may appeal a denied request, and we shall respond to your appeal within the legally required timeframe. If we deny the appeal, our written explanation will include a method for you to contact the Virginia Attorney General.
- Washington and Nevada consumer health data laws. Additional notice and consent requirements and a prohibition on certain geofencing practices, as described above.
Changes to this notice
We may update this notice. The version and effective date appear at the top. For material changes, we will provide a prominent notice on our website.
Contact
Questions about this notice or our privacy practices can be sent to [email protected] or to the DPO at [email protected].
GDPR Processing Annex
As a supplement to this notice, we provide a processing table that summarizes the specific purposes, legal bases, and retention periods for each category of personal data.
Important Notice: Not for patient information
This website is not intended for submitting medical or patient information. Do not include PHI or other medical information in any form submissions or communications through this site. If you need to share clinical information, please use the secure channels provided by your healthcare provider.
Click HERE to download DeepHealth’s GDPR Processing Annex
We determine retention based on operational necessity, legal requirements, and documented schedules; where timelines and notice requirements are stated, they reflect maximums for the website context.
Accountability and Contact Information
DeepHealth is committed to complying with all applicable privacy and data protection laws and maintaining practices consistent with the commitments in this Notice. We regularly review and update our privacy practices, technical safeguards, and contractual protections to align with legal requirements and industry standards.
If you have questions about this Notice, our privacy practices, or wish to exercise your rights, please contact us at:
Email: [email protected]
Mail: DeepHealth, Inc., 212 Elm St. Somerville, MA 02144
This notice was last updated on October 31st, 2025.