Privacy Policy

Effective date: February 17, 2023

At ZocDoc, Inc. (“Zocdoc,” “we,” or “us”), we are committed to protecting your privacy, and we take great care with your personal information that we gather when you access or use Zocdoc.com and related websites, applications, and services owned and operated by Zocdoc and that link to this Privacy Policy (collectively, the “Services”). This Privacy Policy is meant to help those that use our Services to explore providers or book appointments (“Users”) and doctors, dentists, or other healthcare specialists, professionals, providers, organizations or agents, or affiliates thereof that use our marketing services (“Healthcare Providers,” and collectively with Users, “you,” or “your”) understand how we treat your personal information.BY USING OR ACCESSING THE SERVICES IN ANY MANNER, YOU ACKNOWLEDGE THAT YOU ACCEPT THE PRACTICES AND POLICIES OUTLINED IN THIS PRIVACY POLICY, AND YOU HEREBY CONSENT THAT WE WILL COLLECT, USE, AND SHARE YOUR INFORMATION IN THE FOLLOWING WAYS. IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, YOU MAY NOT USE THE SERVICES. IF YOU USE THE SERVICES ON BEHALF OF SOMEONE ELSE (SUCH AS YOUR CHILD) OR AN ENTITY (SUCH AS YOUR EMPLOYER), YOU REPRESENT THAT YOU ARE AUTHORIZED BY SUCH INDIVIDUAL OR ENTITY TO ACCEPT THIS PRIVACY POLICY ON SUCH INDIVIDUAL’S OR ENTITY’S BEHALF. Any use of Zocdoc’s Services is at all times subject to the Agreement (as the term “Agreement” is defined in our Terms of Use, which incorporates this Privacy Policy). You may print a copy of this Privacy Policy by clicking here. Thank you so much for choosing Zocdoc.

Privacy Policy Table of Contents

HIPAA and PHI

Certain demographic, health and/or health-related information that Zocdoc collects about Users as part of providing the Services to our Healthcare Providers may be “protected health information” or “PHI” and governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”). Specifically, when (i) Zocdoc is providing administrative, operational, and other services to a Health Care Provider and this Healthcare Provider is a “Covered Entity” (as such term is defined in HIPAA); and (ii) in order to provide those services, Zocdoc receives identifiable information about a User on behalf of the Healthcare Provider, Zocdoc is acting as a “Business Associate” (as such term is defined in HIPAA) of the Health Care Provider, and this identifiable information is regulated as PHI.

HIPAA provides specific protections for the privacy and security of PHI and restricts how PHI is used and disclosed. Please read the Notice of Privacy Practices of your Health Provider to understand how your PHI can be used and disclosed. HIPAA does not apply to Personal Data (defined below) that is not PHI. Personal data that a User provides to Zocdoc when Zocdoc is not acting as a Business Associate is not PHI. To provide just a few examples, when you (i) create an account, (ii) search for Healthcare Providers or available appointments with Healthcare Providers, (iii) complete general medical history forms that are not required by or provided by a particular Healthcare Provider (“General Medical History Forms”), (iv) post reviews, or (v) provide device/IP Information or Web Analytics information by browsing our websites (see below).

Personal Data

The following subsections detail the categories of Personal Data that we collect and have collected over the past twelve (12) months. “Personal Data” means any information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules, or regulations. For each category of Personal Data, these subsections also set out the source of that Personal Data, our commercial or business purpose for collecting that Personal Data, and the categories of third parties with whom we share that Personal Data. More information regarding those sources and categories are set forth below.

COVID-19 Data

Personal Data that a User provides to Zocdoc for the purpose of Covid-19 vaccine scheduling may be shared with local, state, and federal public health authorities. These authorities may require or request information maintained by Zocdoc in connection with your appointments to receive the Covid-19 vaccination. By using this service, you agree that Zocdoc may provide any data related to your Covid-19 vaccine to government authorities and that the data sent to those authorities may contain Personal Data.

User Personal Data

THE FOLLOWING SUBSECTIONS APPLY ONLY TO USERS. IF YOU ARE A HEALTHCARE PROVIDER, PLEASE SEE THE HEALTHCARE PROVIDER PERSONAL DATA SECTION BELOW.


Categories of Personal Data We Collect


Category of Personal Data

Examples of Personal Data Collected

Source

Third Parties With Whom We Share Data For Business Purposes

Payment Information

  • Payment card type
  • Last four digits of payment card
  • Billing contact
  • Billing email
  • You
  • Service Providers (specifically, our current payment processing partner, Stripe, Inc. (“Stripe”)
  • Device/IP Information

    • IP address
    • Device ID
    • Domain server
    • Type of device/operating system/browser used to access the Services
    • You
    • Third Parties
    • Service Providers
    • Analytics Partners
    • Ad Networks
    • Third-Party Business Partners You Access Through the Services

    Web Analytics

    • Web page interactions
    • Referring webpage/source through which you access the Services
    • Non-identifiable request IDs
    • Statistics associated with the interaction between device or browser and the Services
    • You
    • Third Parties
    • Service Providers
    • Analytics Partners
    • Ad Networks
    • Third-Party Business Partners You Access Through the Service

    Geolocation Data

    • IP address-based location information
    • You
    • Service Providers
    • Analytics Partners
    • Ad Networks
    • Third-Party Business Partners You Access Through the Service

    Other Identifying Information That You Voluntarily Choose to Provide

    • Unique identifiers such as passwords
    • Personal Data in emails, letters, or other communications you send to us
    • You
    • Service Providers

    User Contact Data

    • First and last name
    • E-mail
    • Phone number
    • Mailing address
    • You
    • Service Providers
    • Ad Networks
    • Healthcare Providers
    • Insurance Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate

    User Demographic Data

    • Gender and/or gender identity
    • Age
    • Date of birth
    • Zip code
    • Race
    • Sexual orientation
  • You
    • Service Providers
    • Ad Networks
    • Healthcare Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate

    Medical Data

    • Health conditions
    • Healthcare Providers visited
    • Reasons for visit
    • Dates of visit
    • Medical history and health information you provide us
    • You
    • Service Providers
    • Healthcare Providers
    • Insurance Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate

    Insurance Information

    • Insurance carrier
    • Insurance plan
    • Member ID
    • Group ID
    • Payer ID
    • You
    • Service Providers
    • Healthcare Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate

    Booking Appointment Data

    • Appointment date/time
    • Provider information
    • Appointment procedure
    • Whether or not user is a new patient for a particular provider
    • You
    • Third Parties
    • Service Providers
    • Analytics Partners
    • Healthcare Providers
    • Health Information Exchanges

    Social Network Data

    • E-mail
    • Phone number
    • Username
    • IP address
    • Device ID
    • You
    • Third Parties
    • Service Providers
    • Ad Networks
    • Parties You Authorize, Access or Authenticate

    Categories of Data that may be Considered “Sensitive” Under certain privacy laws

    • Health information, such as:
    • Health conditions
    • Healthcare Providers visited
    • Reasons for visit
    • Dates of visit
    • Medical history and health information you provide us
    • You
    • Service Providers
    • Healthcare Providers
    • Insurance Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate
    • Sexual orientation
    • You
    • Service Providers
    • Ad Networks
    • Healthcare Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate
    • Unique identifiers such as your account login and password
    • You
    • Service Providers /li>

    Categories of Sources of Personal Data

    Categories of Sources of Personal Data

    From You

    When You Provide Information Directly to Us

    • When you create an account or use our interactive tools and services, such as searching for Healthcare Providers or available appointments with Healthcare Providers and completing Medical History Forms prior to Healthcare Provider appointments.
    • When you voluntarily provide information in free-form text boxes through the Services or through responses to surveys and questionnaires, or post reviews.
    • When you send us an email or otherwise contact us.

    When Personal Data is Automatically Collected When You Use the Services

    • Through Cookies (defined below).
    • If you download and install certain applications and software we make available, we may receive and collect information transmitted from your computing device for the purpose of providing you the relevant Services, such as information regarding when you are logged on and available to receive updates or alert notices.
    • If you download our mobile application or use a location-enabled browser, we may receive information about your location and mobile device, as applicable.

    From Third Parties

    Service Providers

    • We may use service providers to analyze how you interact and engage with the Services, or to help us provide you with customer support.
    • We may use service providers to obtain information to generate leads and to create user profiles.

    Analytics Partners

    • We may work with analytics partners to provide us analytics on website traffic or the usage of the Services.
    • We use this data to optimize and market our Services.

    Healthcare Providers

    • We may receive certain data from your Healthcare Provider(s) to facilitate booking appointments.

    Social Networks

    • If you provide your social network account credentials to us or otherwise sign in to the Services through a third-party site or service, you understand some content and/or information in those accounts may be transmitted into your account with us.

    Advertising Partners

    • We receive information about you from some of our service providers who assist us with marketing or promotional services related to how you interact with our Services, advertisements or communications.

    Commercial or Business Purposes for Collecting Data


    How We Share Your Personal Data

    In certain circumstances, we may share your Personal Data with the following categories of service providers and other third parties for the indicated business purposes:


    Categories of Third Parties With Whom We Share Personal Data

    Business Purpose for Sharing Data

    Service Providers

    Payment Processors

    • Our payment processing partner (currently Stripe, Inc. (“Stripe”)) collects your voluntarily provided payment card information necessary to process your payment.
    • Please see Stripe’s terms of service and privacy policy for information on its use and storage of Personal Data.

    Security and Fraud Prevention Consultants

    • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

    Hosting, Technology and Communications Providers;

    Fulfillment Providers;

    Data Storage Providers;

    Analytics Providers;

    Insurance Verification Providers;

    Staff Augmentation Personnel

    • To perform operational services (such as hosting, billing, fulfillment, data storage, security, insurance verification, web service analytics) and/or make certain services, features or functionality available to our Users.
    • Debugging to identify and repair errors that impair intended functionality.
    • Short-term, transient use of Personal Data that is not used by another party to build a User profile or otherwise alter your user experience outside the current interaction.
    • Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
    • Undertaking internal research for technological development and demonstration.
    • Undertaking activities to verify or maintain the quality or safety of our Services.

    Selected Recipients

    Analytics Partners

    • To track how users found or were referred to the Services and otherwise interact with the Services.

    Ad Networks

    • Ad customizing and serving.
    • Auditing related to a current interaction and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

    Healthcare Providers

    • Healthcare Providers with whom Users choose to schedule through the Services. For example, if you complete a Medical History Form using the Services in advance of an appointment and elect to share it with your selected Healthcare Provider.
    • If you choose to use the applicable Services, Healthcare Providers in order to enable them to refer you to, and make appointments with, other Healthcare Providers on your behalf or to perform analyses on potential health issues or treatments.
    • In the event of an emergency.

    Insurance Providers

    • To determine eligibility and cost-sharing obligations and to otherwise obtain benefit plan information on your behalf.

    Health Information Exchanges

    • Health Information Exchanges and related organizations that collect and organize User information (such as Regional Health Information Organizations) to make your information more securely and easily accessible to your Healthcare Providers. The goal of such organizations is to facilitate access to health information to improve the safety, quality, and efficiency of patient-centered care. More information on Health Information Exchanges can be found here

    Parties You Authorize, Access or Authenticate

    Other Users

    • Any information that you may reveal in a review posting or online discussion, or forum is intentionally open to the public and is not in any way private. We recommend that you carefully consider whether to disclose any Personal Data in any public posting or forum. What you have written may be seen and/or collected by third parties and may be used by others in ways we are unable to control or predict. You can learn more about our reviews process at zocdoc.com/verified reviews.

    Third-Party Business Partners You Access Through the Services

    • We will share certain Personal Data if you choose to use any service to log in to the Services./li>
    • To meet or fulfill the reason you provided the information to us.

    Healthcare Provider Personal Data

    THE FOLLOWING SUBSECTIONS APPLY ONLY TO HEALTHCARE PROVIDERS. IF YOU ARE A USER, PLEASE SEE THE USER PERSONAL DATA SECTION ABOVE.


    Categories of Personal Data We Collect


    Category of Personal Data

    Examples of Personal Data Collected

    Source

    Third Parties With Whom We Share Data For Business Purposes

    Payment Information

    • Payment card type
    • Last four digits of payment card
    • Billing contact
    • Billing email
    • You
    • Service Providers (specifically, our current payment processing partner, Stripe, Inc. (“Stripe”)

    Device/IP Information

    • IP address
    • Device ID
    • Domain server
    • Type of device/operating system/browser used to access the Services
    • You
    • Third Parties
    • Service Providers
    • Analytics Partners
    • Ad Networks
    • Third-Party Business Partners You Access Through the Services

    Web Analytics

    • webpage interactions
    • Referring webpage/source through which you access the Services
    • Non-identifiable request IDs
    • Statistics associated with the interaction between device or browser and the Services
    • You
    • Third Parties
    • Service Providers
    • Analytics Partners
    • Ad Networks
    • Third-Party Business Partners You Access Through the Services

    Geolocation Data

    • IP address-based location information
    • You
    • Third Parties
    • Service Providers
    • Analytics Partners
    • Ad Networks
    • Third-Party Business Partners You Access Through the Services

    Other Identifying Information That You Voluntarily Choose to Provide

    • Unique identifiers such as passwords
    • Personal Data in emails or letters you send to us
    • Personal information that you disclose over the phone
    • You
    • Service Providers

    Healthcare Provider Contact Data

    • First and last name
    • E-mail
    • Phone number
    • Mailing address
    • You
    • Third Parties
    • Service Providers
    • Ad Networks
    • Healthcare Providers
    • Insurance Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate

    Healthcare Provider Demographic Data

    • Gender and/or gender identity
    • Age
    • Date of birth
    • Zip code
    • Race
    • Sexual orientation
    • Spoken language
    • You
    • Third Parties
    • Service Providers
    • Ad Networks
    • Healthcare Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate

    Professional License Information

    • Professional licenses
    • Education history
    • Specialties and certifications
    • You
    • Third Parties
    • Service Providers

    Categories of data that may be considered “Sensitive” under certain privacy laws

    • Sexual orientation
    • You
    • Third Parties
    • Service Providers
    • Ad Networks
    • Healthcare Providers
    • Health Information Exchanges
    • Parties You Authorize, Access or Authenticate
    • Unique identifiers such as your account login and password
    • You
    • Service Providers

    Categories of Sources of Personal Data


    Categories of Sources of Personal Data

    From You

    When You Provide Information Directly to Us

    • When you create an account.
    • When you send us an email or otherwise contact us.

    When Personal Data is Automatically Collected When You Use the Services

    • Through Cookies (defined below).
    • If you download and install certain applications and software we make available, we may receive and collect information transmitted from your computing device for the purpose of providing you the relevant Services, such as information regarding when you are logged on and available to receive updates or alert notices.
    • If you download our mobile application or use a location-enabled browser, we may receive information about your location and mobile device, as applicable.

    From Third Parties

    Service Providers

    • We may use service providers to analyze how you interact and engage with the Services, or to help us provide you with customer support.
    • We may use service providers to obtain information to generate leads and to create user profiles.

    Analytics Partners

    • We may work with analytics partners to provide us analytics on website traffic or the usage of the Services.
    • We use this data to optimize and market our Services.

    Government or Public Records

    • We may use government or other public records for onboarding or verifying Healthcare Providers.

    Advertising Partners

    • We receive information about you from some of our service providers who assist us with marketing or promotional services related to how you interact with our Services, advertisements, or communications.

    Commercial or Business Purposes for Collecting Data


    How We Disclose Your Personal Data

    In certain circumstances, we may disclose your Personal Data to the following categories of service providers and other third parties for the indicated business purposes:


    Categories of Third Parties With Whom We Share Personal Data

    Business Purpose for Sharing Data

    Service Providers

    Payment Processors

    • Our payment processing partner (currently Stripe, Inc. (“Stripe”)) collects your voluntarily provided payment card information necessary to process your payment.
    • Please see Stripe’s terms of service and privacy policy for information on its use and storage of Personal Data.

    Security and Fraud Prevention Consultants

    • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

    Hosting, Technology, and Communications Providers;

    Fulfillment Providers;

    Data Storage Providers;

    Analytics Providers;

    Insurance Verification Providers;

    Staff Augmentation Personnel

    • To perform operational services (such as hosting, billing, fulfillment, data storage, security, insurance verification, web service analytics) and/or make certain services, features or functionality available to our Users.
    • Debugging to identify and repair errors that impair existing intended functionality.
    • Short-term, transient use of Personal Data that is not used by another party to build a User profile or otherwise alter your user experience outside the current interaction.
    • Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
    • Undertaking internal research for technological development and demonstration.
    • Undertaking activities to verify or maintain the quality or safety of our Services.

    Selected Recipients

    Analytics Partners

    • To track how users found or were referred to the Services and otherwise interact with the Services.

    Ad Networks

    • Ad customizing and serving.
    • Auditing related to a current interaction and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

    Health Information Exchanges

    • Health Information Exchanges and related organizations that collect and organize User information (such as Regional Health Information Organizations) to make your information more securely and easily accessible to your Healthcare Providers. The goal of such organizations is to facilitate access to health information to improve the safety, quality, and efficiency of patient-centered care. More information on Health Information Exchanges can be found here

    Parties You Authorize, Access, or Authenticate

    Third-Party Business Partners You Access Through the Services

    • We will share certain Personal Data if you choose to use any service to log in to the Services.
    • To meet or fulfill the reason you provided the information to us.

    THE FOLLOWING SECTIONS APPLY TO ONLY TO USERS.

    Legal Obligations

    We may share any Personal Data that we collect with third parties in conjunction with any of the activities set forth under “Meeting Legal Requirements and Enforcing Legal Terms” in the “Our Commercial or Business Purposes for Collecting Personal Data” sections above.

    Business Transfers

    All Personal Data may be transferred to a third party if we undergo a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.

    Data that is Not Personal Data

    We may create aggregated and/or de-identified data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified, or anonymized data and share it with third parties for our lawful business purposes, including to analyze, build, and improve the Services and promote our business, provided that we will not share such data in a manner that could identify you.


    Tracking Tools, Advertising, and Opt-Out

    The following sections provide additional information about how we collect your Personal Data.

    Information Collected Automatically

    The Services use cookies and similar technologies such as pixel tags, web beacons, clear GIFs, mobile identifiers, and JavaScript (collectively, “Cookies”) to enable our servers to recognize your web browser and tell us how and when you visit and use our Services. We do this to analyze trends, learn about and advertise to our user base, and operate and improve our Services. For example, we use Cookies to tailor the Services or customize advertisements by tracking navigation habits, measuring performance, storing authentication status so re-entering credentials is not required, customizing user experiences with the Services, and for analytics and fraud prevention. Cookies are small pieces of data – usually text files – placed on your computer, tablet, phone, or similar device when you use that device to visit our Services. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s).

    We use the following types of Cookies:

    You can decide whether or not to accept Cookies through your internet browser’s settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies, as well as (depending on your browser software) allowing you to decide on acceptance of each new Cookie in a variety of ways. You may also be able to reject mobile device identifiers by activating the appropriate setting on your mobile device. You can also delete all Cookies that are already on your computer. Although you are not required to accept Zocdoc’s Cookies, if you block, reject, or delete them, you may have to manually adjust some preferences every time you access the Services, as some functionalities may not work.

    To explore what Cookie settings are available to you, look in the “preferences” or “options” section of your browser’s menu. To find more information about Cookies, including how to manage and delete Cookies, please visit here.

    Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications, and services that you do not wish such operators to track certain of your online activities over time and across different websites. Not all browsers offer a Do Not Track option, and there is currently no industry consensus as to what constitutes a Do Not Track signal. Please note that, for these reasons and because of our use of Cookies, our Services, like many website operators, do not support “Do Not Track” requests sent from a browser at this time. To find out more about “Do Not Track,” you can visit here.

    Information about Interest-Based Advertisements

    We may serve advertisements, and also allow third-party ad networks, including third-party ad servers, ad agencies, ad technology vendors and research firms, to serve advertisements through the Services. These advertisements may be targeted to users who fit certain general profile categories or display certain preferences or behaviors (“Interest-Based Ads”). Information for Interest-Based Ads (including Personal Data) may be provided to us by you or derived or inferred from the online activity or usage patterns of particular users on the Services and/or services of third parties. Such information may include IP address, mobile device ID, operating system, browser, webpage interactions, geographic location, and demographic information, such as gender and age range. Such information may be gathered through tracking users’ activities across time and unaffiliated properties, including when you leave the Services. To accomplish this, we or our service providers may deliver Cookies, including Web Beacons, from an ad network to you through the Services. Web Beacons allow ad networks to provide anonymized, aggregated auditing, research and reporting for us and for advertisers. This information helps Zocdoc learn more about our Users’ demographics and internet behaviors. Web Beacons also enable ad networks to serve targeted advertisements to you when you visit other websites. Web Beacons allow ad networks to view, edit or set their own Cookies on your browser, just as if you had requested a webpage from their site.

    We comply with the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising. Through the DAA and Network Advertising Initiative (“NAI”), several media and marketing associations have developed an industry self-regulatory program to give users a better understanding of and greater control over ads that are customized based on a user’s online behavior across different websites and properties. To make choices about Interest-Based Ads from participating third parties, including to opt-out of receiving behaviorally targeted advertisements from participating organizations, please visit the DAA’s or NAI’s User opt-out pages, which are located here, or install the DAA’s AppChoice app (for iOS; for Android) on your mobile computing device. When you use these opt-out features, an “opt-out” Cookie will be placed on your computer, tablet, or mobile computing device, indicating that you do not want to receive Interest-Based Ads from NAI or DAA member companies. If you delete Cookies on your computer, tablet, or mobile computing device, you may need to opt-out again. For information about how to opt out of Interest-Based Ads on mobile devices, please visit here. You will need to opt out of each browser and device for which you desire to apply these opt-out features.

    Please note that even after opting out of Interest-Based Ads, you may still see Zocdoc advertisements that are not interest-based (i.e., not targeted toward you). Also, opting out does not mean that Zocdoc is no longer using tracking tools. Zocdoc may still collect information about your use of the Services even after you have opted out of Interest-Based Ads and may still serve advertisements to you via the Services based on information collected via the Services.


    Data Security

    The security of your Personal Data is important to us. We seek to protect your Personal Data from unauthorized access, use, and disclosure using appropriate physical, technical, organizational, and administrative security measures based on the type of Personal Data and how we process that data. We endeavor to follow generally accepted industry standards to protect the Personal Data submitted to us, both during transmission and in storage. For example, the Services use industry-standard Secure Sockets Layer (SSL) technology to allow for the encryption of Personal Data. We store and process your information on our servers in the United States and abroad. We maintain what we consider industry-standard backup and archival systems. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanisms; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, for example, by making good faith efforts to store Personal Data in a secure operating environment that is not open to the public, please be aware that no method of transmitting data over the Internet or storing data is completely secure. We cannot and do not guarantee the complete security of any data you share with us, and except as expressly required by law, we are not responsible for the theft, destruction, loss, or inadvertent disclosure of your information or content.

    If at any time during or after our relationship, we believe that the security of your Personal Data may have been compromised, we may seek to notify you of that development. If a notification is appropriate, we will endeavor to notify you as promptly as possible under the circumstances. If we have your e-mail address, we may notify you by e-mail to the most recent e-mail address you have provided us in your account profile. Please keep your e-mail address in your account up to date. You can update that e-mail address anytime in your account profile. If you receive a notice from us, you can print it to retain a copy. To receive these notices, you must check your e-mail account using your computer or mobile device and email application software. You consent to our use of e-mail as a means of such notification. If you prefer for us to use the U.S. Postal Service to notify you in this situation, please e-mail us at [email protected]. Please include your address when you submit your request. You can make this election at any time, and it will apply to notifications we make after a reasonable time thereafter for us to process your request. You may also use this e-mail address to request a print copy, at no charge, of an electronic notice we have sent to you regarding a compromise of your Personal Data.


    Data Retention

    We retain Personal Data about you as necessary to provide our Services or to perform our business or commercial purposes for collecting your Personal Data. When establishing a retention period for specific categories of data, we consider who we collected the data from, our need for the Personal Data, why we collected the Personal Data, and the sensitivity of the Personal Data. In some cases, we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, provide our Services, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.

    For example:


    Children’s Privacy

    The Services are not directed to or intended for use by children under 13 years of age. If you are a child under the age of 13, please do not attempt to register for or otherwise use the Services or send us any Personal Data. By accessing, using, and/or submitting information to or through the Services, you represent that you are over the age of 13. As noted in the Terms of Use, we do not knowingly collect or solicit Personal Data from children under the age of 13. If we learn that we have received any Personal Data directly from a child under age 13 without first receiving their parent’s verified consent, we will use that Personal Data only to respond directly to that child (or their parent or legal guardian) to inform the child that they cannot use the Services. We will then subsequently delete that child’s Personal Data. If you believe that a child under 13 may have provided us with Personal Data, please contact us at [email protected].

    If you are between the age thirteen (13) and the age of majority in your place of residence, you may use the Services only with the consent of or under the supervision of your parent or legal guardian. If you are a parent or legal guardian of a minor child, you may, in compliance with the Agreement, use the Services on behalf of such minor child. Any information that you provide us while using the Services on behalf of your minor child will be treated as Personal Data as otherwise provided herein.

    If you use the Services on behalf of another person, regardless of age, you agree that Zocdoc may contact you for any communication made in connection with providing the Services or any legally required communications. You further agree to forward or share any such communication with any person for whom you are using the Services on behalf.


    How We Use Information That is Neither Personal Data nor PHI

    Certain information that Zocdoc collects may be neither Personal Data nor PHI, including information that does not include any identifiable information at collection or which we have de-identified and/or aggregated from Personal Data or PHI. We may use this information for any purpose permitted by applicable law, including but not limited to purposes of better understanding who uses Zocdoc and how we can deliver a better digital healthcare experience.


    Controlling Your Personal Data & Notifications

    If you are a registered user of the Services, you can modify certain Personal Data or account information by logging in and accessing your account. If you wish to close your account, please e-mail us at [email protected]. Zocdoc will use reasonable efforts to delete your account as soon as reasonably possible. Please note, however, that Zocdoc reserves the right to retain information from closed accounts consistent with our internal data retention policies and procedures.

    You must promptly notify us if any of your account data is lost, stolen, or used without permission.


    California Rights and Disclosures

    The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with specific rights regarding their personal information. Please see the “Exercising Your Rights” section below for instructions regarding how to exercise these rights. This section describes your CCPA rights and explains how to exercise those rights. If you have any questions about this section or whether any of the following applies to you, please contact us at [email protected] and indicate “California Rights” in the subject line of your communication.

    Access

    You have the right to request certain information about our collection and use of your Personal Data over the past 12 months, including the following:

    If we have disclosed your Personal Data for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each third-party recipient. If we have sold your Personal Data over the past 12 months, we will identify the categories of Personal Data purchased by third-party recipients.

    Deletion

    You have the right to request that we delete the Personal Data that we have collected from you. Under the CCPA, this right is subject to certain exceptions: for example, we may need to retain your Personal Data to provide you with the Services or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request.

    Correction

    You have the right to request that we correct any inaccurate Personal Data we have collected about you. Under the CCPA, this right is subject to certain exceptions: for example, if we decide, based on the totality of circumstances related to your Personal Data, that such data is correct. If your correction request is subject to one of these exceptions, we may deny your request.

    Processing of Sensitive Personal Information Opt-Out

    We collect Personal Data that is considered “Sensitive Personal Information” under the CCPA. Because we use or disclose Sensitive Personal Information for purposes other than those set forth in section 7027(m) of the CCPA regulations, California residents have the right to request that we limit the use or sharing of their Sensitive Personal Information (“Right to Limit”). The Right to Limit allows California residents to direct a business that collects Sensitive Personal Information to limit its use of this information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized in the CCPA regulations.

    Personal Data Sharing or Selling

    Under the CCPA, California residents have certain rights when a business “shares” or “sells” Personal Data with third parties for purposes of cross-contextual behavioral advertising. Under the laws of the CCPA, such “sharing” is also considered “selling.” Accordingly, we have shared and sold the foregoing categories of Personal Data for the purposes of cross-contextual behavioral advertising:

    As described in the “Tracking Tools, Advertising and Opt-Out” section above, we have incorporated Cookies from certain third parties into our Services. These Cookies allow those third parties to receive information about your activity on our Services that is associated with your browser or device. Those third parties may use that data to serve you relevant ads on our Services or on other websites you visit. Under the CCPA, sharing your data through third-party Cookies for online advertising may be considered a “sale” of information. You can opt out of data selling and/or sharing by following the instructions in this section.

    We share Personal Data with the following categories of third parties:

    Over the past 12 months, we have shared your Personal Data with the categories of third parties listed above for the following purposes:

    Once you have submitted an opt-out request, we will not ask you to reauthorize the sharing of your Personal Data for at least 12 months. To our knowledge, we do not share the Personal Data of minors under 16 years of age.

    We Will Not Discriminate Against You for Exercising Your Rights Under the CCPA.

    We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you with a lower quality of goods and services if you exercise your rights under the CCPA.

    Financial Incentives

    At Zocdoc, we value your data because it allows us to better understand your goals and preferences and improve our products and services to better serve you. From time to time, we may offer a financial incentive for your participation in our user research. The financial incentive we offer is based on our determination of the estimated value of your data. If you participate in the research, you may be asked to submit personal information in surveys, forms, or through your account. The personal information you submit in connection with this research will only be used internally to improve our product; we will never share or sell this data to third parties.

    Through your participation in the research, we may collect the following categories of personal information about you:

    Participation in the financial incentive is entirely optional. If you participate in a financial incentive, you agree that we are not required to comply with your right to know or delete personal information collected in exchange for the financial incentive. If you are a participant in a financial incentive we offer, you may withdraw from the financial incentive at any time by emailing us at the email address provided to you with your individual notice of the financial incentive.

    Other California Resident Rights

    Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties’ direct marketing purposes. To submit such a request, please contact us at [email protected].


    Virginia Resident Rights and Disclosures

    If you are a Virginia resident, you have the rights set forth under the Virginia Consumer Data Protection Act (“VCDPA”). Please see the “Exercising Your Rights” section below for instructions regarding how to exercise these rights. Please note that we may process Personal Data of our customers’ end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Data as a service provider, you should contact the entity that collected your Personal Data in the first instance to address your rights with respect to such data. Additionally, please note that these rights are subject to certain conditions and exceptions under applicable law, which may permit or require us to deny your request.

    If there are any conflicts between this section and any other provision of this Privacy Policy and you are a Virginia resident, the portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at [email protected] and indicate “Virginia Rights” in the subject line of your communication.

    Access

    You have the right to request confirmation of whether or not we are processing your Personal Data and to access your Personal Data.

    Correction

    You have the right to correct inaccuracies in your Personal Data, to the extent such correction is appropriate in consideration of the nature of such data and our purposes of processing your Personal Data.

    Portability

    You have the right to request a copy of your Personal Data in a machine-readable format to the extent technically feasible.

    Deletion

    You have the right to delete your Personal Data.

    Opt-Out of Certain Processing Activities

    Appealing a Denial

    If we refuse to take action on a request within a reasonable period of time after receiving your request in accordance with this section. In such appeal, you must (1) provide sufficient information to allow us to verify that you are the person about whom the original request pertains and to identify the original request and (2) provide a description of the basis of your appeal. Please note that your appeal will be subject to your rights and obligations afforded to you under the VCDPA. We will respond to your appeal within 60 days of receiving your request. If we deny your appeal, you have the right to contact the Virginia Attorney General using the methods described here.

    You may appeal a decision by us using the following methods:


    Colorado Rights and Disclosure

    If you are a Colorado resident, you have the rights set forth under the Colorado Privacy Act (“CPA”). Please see the “Exercising Your Rights” section below for instructions regarding how to exercise these rights. Please note that we may process Personal Data of our customers’ end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Data as a processor, you should contact the entity that collected your Personal Data in the first instance to address your rights with respect to such data. Additionally, please note that these rights are subject to certain conditions and exceptions under applicable law, which may permit or require us to deny your request.

    If there are any conflicts between this section and any other provision of this Privacy Policy and you are a Colorado resident, the portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at [email protected] and indicate “Colorado Rights” in the subject line of your communication.

    Access

    You have the right to request confirmation of whether or not we are processing your Personal Data and to access your Personal Data.

    Correction

    You have the right to correct inaccuracies in your Personal Data, to the extent such correction is appropriate in consideration of the nature of such data and our purposes of processing your Personal Data.

    Portability

    You have the right to request a copy of your Personal Data in a machine-readable format to the extent technically feasible.

    Deletion

    You have the right to delete your Personal Data.

    Opt-Out of Certain Processing Activities

    Appealing a Denial

    If we refuse to take action on a request within a reasonable period of time after receiving your request in accordance with this section. In your appeal, you must (1) provide sufficient information to allow us to verify that you are the person about whom the original request pertains and to identify the original request and (2) provide a description of the basis of your appeal. Please note that your appeal will be subject to your rights and obligations afforded to you under the CPA. We will respond to your appeal within 45 days of receiving your request. If you have any questions about your appeal, you have the right to contact the Colorado Attorney General using the methods described here.

    You may appeal a decision by us using the following methods:


    Exercising Your Rights

    To exercise the rights under the CCPA, VCDPA, or CPA as described above, you must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data and (2) describes your request in sufficient detail to allow us to understand, evaluate, and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We will only use Personal Data provided in a Valid Request to verify you and complete your request. You do not need an account to submit a Valid Request.

    We will respond to your Valid Request within the applicable time period required by law. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive, or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.

    To the extent rights are afforded to you, you may submit a Valid Request using the following methods:

    If you have questions or difficulty submitting a Valid Request, you can call us at (855) 962-3621 or email us at [email protected].


    Changes to this Privacy Policy

    We reserve the right to amend our Privacy Policy at our discretion and at any time. When we make changes to the Privacy Policy, we will notify you by email or through a notice on our website homepage. Use of the information we collect is subject to the Privacy Policy in effect at the time such information is collected.

    Contact Information

    If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data, your choices, and rights regarding such use, please do not hesitate to contact us at: