TopDoc Privacy Policy
At TopDoc, Inc. (“TopDoc,” “we,” or “us”), we are committed to protecting your privacy, and we take great care with your personal information that we gather when you access or use TopDoc.com and related websites, applications, and services owned and operated by TopDoc and that link to this Privacy Policy (collectively, the “Services”). This Privacy Policy is meant to help those who use our Services to explore providers or book appointments (“Users”) and doctors, dentists, or other healthcare specialists, professionals, providers, organizations or agents, or affiliates thereof that use our marketing, concierge and other services (“Healthcare Providers,” and collectively with Users, “you,” or “your”) understand how we treat your personal information.
By using or accessing the Services in any manner, you acknowledge that you accept the practices and policies outlined in this Privacy Policy, and you hereby consent that we will collect, use, and share your information in the following ways. If you do not agree with this Privacy Policy, you may not use the Services. If you use the Services on behalf of someone else (such as your child) or an entity (such as your employer), you represent that you are authorized by such individual or entity to accept this Privacy Policy on such individual’s or entity’s behalf.
Any use of TopDoc’s Services is at all times subject to the Agreement, as defined in our Terms of Use, which incorporates this Privacy Policy. You may print a copy of this Privacy Policy at any time.
Privacy Policy Table of Contents
- HIPAA and PHI
- Personal Data
- COVID-19 Data
- User Personal Data
- Healthcare Provider Personal Data
- Tracking Tools, Advertising, and Opt-Out
- Data Security
- Data Retention
- Children’s Privacy
- How We Use Information That is Neither Personal Data nor PHI
- Controlling Your Personal Data & Notifications
- California Rights and Disclosures
- Virginia Resident Rights and Disclosures
- Colorado Rights and Disclosure
- Exercising Your Rights
- Changes to this Privacy Policy
- Contact Information
HIPAA and PHI
Certain demographic, health and/or health-related information that TopDoc collects about Users as part of providing the Services to our Healthcare Providers may be “protected health information” or “PHI” and governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”). Specifically, when (i) TopDoc is providing administrative, operational, and other services to a Healthcare Provider and that Healthcare Provider is a “Covered Entity” (as defined in HIPAA); and (ii) in order to provide those services, TopDoc receives identifiable information about a User on behalf of the Healthcare Provider, TopDoc is acting as a “Business Associate” of the Healthcare Provider, and this identifiable information is regulated as PHI.
HIPAA provides specific protections for the privacy and security of PHI and restricts how PHI is used and disclosed.
Personal Data that a User provides to TopDoc when TopDoc is not acting as a Business Associate is not PHI. Examples include when you (i) create an account, (ii) search for Healthcare Providers or available appointments, (iii) complete general medical history forms that are not required by a particular Healthcare Provider, (iv) post reviews, or (v) provide device / IP information by browsing our websites.
Personal Data
“Personal Data” means any information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws. The following sections detail the categories of Personal Data that we collect and have collected over the past twelve (12) months. For each category, we describe the source, our commercial or business purpose for collecting it, and the categories of third parties with whom we share it.
COVID-19 Data
Personal Data that you provide to TopDoc for the purpose of COVID-19 vaccine scheduling may be shared with local, state, and federal public health authorities. By using this service, you agree that TopDoc may provide any data related to your COVID-19 vaccine to government authorities and that the data sent may contain Personal Data.
User Personal Data
The following subsections apply only to Users. If you are a Healthcare Provider, please see the Healthcare Provider Personal Data section below.
Categories of Personal Data We Collect from Users
- Payment Information — Payment card type, last four digits of payment card, billing contact, billing email. Source: You. Shared with: Service Providers (Stripe).
- Device / IP Information — IP address, device ID, domain server, type of device, operating system, and browser used to access the Services. Source: You and third parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Web Analytics — Web page interactions, referring webpage or source, non-identifiable request IDs, statistics associated with the interaction between your device or browser and the Services. Source: You and third parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Geolocation Data — IP-address-based location information. Source: You. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Other Identifying Information You Voluntarily Provide — Unique identifiers such as passwords, and Personal Data in emails, letters, or other communications you send us. Source: You. Shared with: Service Providers.
- User Contact Data — First and last name, email, phone number, mailing address. Source: You. Shared with: Service Providers, Ad Networks, Healthcare Providers, Insurance Providers, Health Information Exchanges, parties you authorize.
- User Demographic Data — Gender and/or gender identity, age, date of birth, zip code, race, sexual orientation. Source: You. Shared with: Service Providers, Ad Networks, Healthcare Providers, Health Information Exchanges, parties you authorize.
- Medical Data — Health conditions, Healthcare Providers visited, reasons for visit, dates of visit, medical history and health information you provide us. Source: You. Shared with: Service Providers, Healthcare Providers, Insurance Providers, Health Information Exchanges, parties you authorize.
- Insurance Information — Insurance carrier, plan, member ID, group ID, payer ID. Source: You. Shared with: Service Providers, Healthcare Providers, Health Information Exchanges, parties you authorize.
- Booking Appointment Data — Appointment date and time, provider information, appointment procedure, whether you are a new patient for a particular provider. Source: You and third parties. Shared with: Service Providers, Analytics Partners, Healthcare Providers, Health Information Exchanges.
- Social Network Data — Email, phone number, username, IP address, device ID. Source: You and third parties. Shared with: Service Providers, Ad Networks, parties you authorize.
- Categories of data that may be considered “sensitive” under certain privacy laws — Health information, sexual orientation, unique identifiers such as your account login and password.
Categories of Sources of Personal Data
- From you, when you provide information directly: when you create an account, use our interactive tools and services (such as searching for Healthcare Providers or completing Medical History Forms), voluntarily provide information in free-form fields, respond to surveys, or post reviews; when you email or chat with us.
- From you, automatically as you use the Services: through Cookies (defined below); if you download our applications, information transmitted from your computing device; if you use a location-enabled browser, information about your location.
- From Service Providers: to help us analyze how you interact with the Services and provide customer support.
- From Analytics Partners: to help us understand website traffic and usage of the Services.
- From Healthcare Providers: certain data needed to facilitate booking appointments.
- From Social Networks: content and information from third-party accounts if you sign in via social login.
- From Advertising Partners: information about your interactions with our Services, advertisements, or communications.
Commercial or Business Purposes for Collecting Data
- Providing, customizing, and improving the Services — creating and managing your account, billing our Healthcare Provider clients, providing requested products and services, support and assistance, testing and product development, personalization, fraud protection, security, and debugging.
- Marketing the Services — marketing and selling the Services, showing you advertisements including interest-based advertising.
- Corresponding with you — responding to your messages, sending appointment reminders, sending information about TopDoc and the Services.
- Legal requirements — fulfilling our legal obligations under applicable law, regulation, court order, or other legal process; protecting the rights, property, or safety of you, TopDoc, or another party; enforcing agreements; responding to claims; resolving disputes.
How We Share Your Personal Data
We share Personal Data with the following categories of service providers and other third parties:
- Payment Processors (Stripe) — to process voluntarily provided payment card information.
- Security and Fraud Prevention Consultants — to detect security incidents and protect against malicious or illegal activity.
- Hosting, Technology, Communications, Data Storage, Analytics, and Insurance Verification Providers — to perform operational services, debug errors, and enable Service features.
- Analytics Partners — to track how Users found or were referred to the Services.
- Ad Networks — for ad customizing, serving, and auditing.
- Healthcare Providers — when you choose to schedule with them, complete a Medical History Form and elect to share it, or in the event of an emergency.
- Insurance Providers — to determine eligibility, cost-sharing obligations, and benefit plan information.
- Health Information Exchanges — organizations that collect and organize User information to make it more securely accessible to your Healthcare Providers.
- Other Users — anything you reveal in a review posting or public discussion is intentionally open to the public.
- Third-Party Business Partners You Access Through the Services — if you choose to use a third-party service to log in or to interact with the Services.
We may also share information for legal obligations (responding to lawful requests), in connection with a business transfer (such as a merger, acquisition, or bankruptcy), and as aggregated or de-identified data that cannot identify you.
Healthcare Provider Personal Data
The following subsections apply only to Healthcare Providers. If you are a User, please see the User Personal Data section above.
Categories of Personal Data We Collect from Healthcare Providers
- Payment Information — Payment card type, last four digits, billing contact, billing email. Source: You. Shared with: Service Providers (Stripe).
- Device / IP Information — IP address, device ID, domain server, type of device / operating system / browser used. Source: You and third parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Web Analytics — Webpage interactions, referring webpage, non-identifiable request IDs, statistics. Source: You and third parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Geolocation Data — IP-address-based location information. Source: You and third parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Other Identifying Information You Voluntarily Provide — Unique identifiers such as passwords, personal data in emails or letters, information disclosed over the phone. Source: You. Shared with: Service Providers.
- Healthcare Provider Contact Data — First and last name, email, phone number, mailing address. Source: You and third parties. Shared with: Service Providers, Ad Networks, Healthcare Providers, Insurance Providers, Health Information Exchanges, parties you authorize.
- Healthcare Provider Demographic Data — Gender and/or gender identity, age, date of birth, zip code, race, sexual orientation, spoken language. Source: You and third parties. Shared with: Service Providers, Ad Networks, Healthcare Providers, Health Information Exchanges, parties you authorize.
- Professional License Information — Professional licenses, education history, specialties and certifications. Source: You and third parties. Shared with: Service Providers.
- Categories of data that may be considered “sensitive” under certain privacy laws — Sexual orientation, unique identifiers such as your account login and password.
Categories of Sources of Personal Data
- From you, when you provide information directly: when you create an account or contact us via email.
- From you, automatically as you use the Services: through Cookies; if you download applications, information transmitted from your device; if you use a location-enabled browser, location information.
- From Service Providers: to analyze how you interact with the Services, provide customer support, generate leads, and create user profiles.
- From Analytics Partners: to provide analytics on website traffic or usage of the Services.
- From Government or Public Records: for onboarding or verifying Healthcare Providers.
- From Advertising Partners: information about your interactions with our Services, advertisements, or communications.
Commercial or Business Purposes for Collecting Data
- Providing, customizing, and improving the Services — creating and managing accounts, producing invoices, fulfilling requests, providing support, improving the Services, personalization, fraud protection, security, and debugging.
- Marketing the Services — marketing and selling the Services, showing advertisements.
- Corresponding with you — responding to correspondence, sending appointment reminders, sending communications.
- Legal requirements — fulfilling legal obligations, protecting rights, enforcing agreements, responding to claims, resolving disputes.
- Onboarding verification — confirming providers have the necessary credentials to practice in the state where advertised.
How We Disclose Your Personal Data
We disclose Personal Data to the following categories of service providers and other third parties: Payment Processors (Stripe); Security and Fraud Prevention Consultants; Hosting, Technology, Communications, Fulfillment, Data Storage, Analytics, and Insurance Verification Providers; Analytics Partners; Ad Networks; Health Information Exchanges; and Third-Party Business Partners You Access Through the Services.
We may also share information for legal obligations (responding to lawful requests), in connection with a business transfer (such as a merger, acquisition, or bankruptcy), and as aggregated or de-identified data that cannot identify you.
Tracking Tools, Advertising, and Opt-Out
The Services use cookies and similar technologies (collectively, “Cookies”) — including pixel tags, web beacons, clear GIFs, mobile identifiers, and JavaScript — so our servers can recognize your browser and understand how and when you use our Services. We use these to analyze trends, advertise to our user base, and operate and improve our Services.
We use the following types of Cookies:
- Essential Cookies — required to provide features or services you have requested (for example, logging into secure areas).
- Functional Cookies — to record your choices and settings and recognize you when you return.
- Performance / Analytical Cookies — to understand how visitors use our Services and measure the performance of our advertising campaigns. Google Analytics is one example; you can opt out via Google’s opt-out tools.
- Retargeting / Advertising Cookies — to identify your interests and provide advertising we believe is relevant to you.
- Web Beacons — tiny graphic image files embedded in a webpage or email to track usage and engagement.
- Mobile Device Identifiers — data stored on mobile devices to learn about Users’ demographics and behaviors.
- Cross-Device Matching — to determine if Users have interacted with content across multiple devices and to match those devices.
You can disable Cookies through your browser settings; however, some Service functionality may not work properly without them. Browsers may offer a “Do Not Track” option; the Services do not currently support “Do Not Track” requests sent from a browser.
We may also serve interest-based advertisements through ad networks. We comply with the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising; you can opt out via the DAA or NAI opt-out pages, or by installing the DAA’s AppChoices app on your mobile device. Even after opting out of interest-based ads, you may still see TopDoc advertisements that are not interest-based.
Data Security
The security of your Personal Data is important to us. We seek to protect your Personal Data from unauthorized access, use, and disclosure using appropriate physical, technical, organizational, and administrative security measures, including industry-standard Secure Sockets Layer (SSL) encryption. We store and process your information on servers in the United States and abroad. You should also help protect your data by selecting a strong password and protecting your devices.
No method of transmitting or storing data is completely secure, and we cannot guarantee the complete security of any data you share with us. If we believe that the security of your Personal Data may have been compromised, we will use reasonable efforts to notify you, generally via the email address on file. You can update that email address anytime in your account profile, and you may also email us at [email protected] to request notice via U.S. mail.
Data Retention
We retain Personal Data about you as necessary to provide our Services or to perform our business or commercial purposes. We may retain Personal Data for longer if necessary to comply with our legal obligations, resolve disputes, collect fees owed, or as otherwise permitted by law. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
- We retain your account information and credentials for as long as you have an account with us.
- We retain your device / IP data for as long as we need it to ensure our systems work correctly.
- We retain any PHI consistent with our obligations under our Business Associate Agreements with Covered Entities and HIPAA.
Children’s Privacy
The Services are not directed to or intended for use by children under 13 years of age. If you are under 13, please do not attempt to register for or use the Services or send us any Personal Data. We do not knowingly collect or solicit Personal Data from children under 13. If we learn that we have received Personal Data directly from a child under 13 without parental consent, we will use that data only to respond to the child or parent and will then delete it. If you believe a child under 13 may have provided us with Personal Data, please contact us at [email protected].
If you are between 13 and the age of majority in your jurisdiction, you may use the Services only with the consent of or under the supervision of your parent or legal guardian. If you are a parent or legal guardian of a minor child, you may, in compliance with the Agreement, use the Services on behalf of such minor child. Any information you provide while using the Services on behalf of your minor child will be treated as Personal Data as otherwise provided herein.
How We Use Information That is Neither Personal Data nor PHI
Certain information that TopDoc collects may be neither Personal Data nor PHI — including information that does not include any identifiable information at collection or which we have de-identified and aggregated. We may use this information for any purpose permitted by applicable law, including to better understand who uses TopDoc and how we can deliver a better digital healthcare experience.
Controlling Your Personal Data & Notifications
If you are a registered User, you can modify certain Personal Data or account information by logging in and accessing your account. If you wish to close your account, please email us at [email protected]. We will use reasonable efforts to delete your account as soon as reasonably possible. TopDoc reserves the right to retain information from closed accounts consistent with our internal data retention policies and procedures. You must promptly notify us if any of your account data is lost, stolen, or used without permission.
California Rights and Disclosures
The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with specific rights regarding their personal information. To exercise these rights, contact us at [email protected] with “California Rights” in the subject line.
- Access — request information about our collection and use of your Personal Data over the past 12 months, including the categories of Personal Data we have collected, the categories of sources, the business or commercial purpose, the categories of third parties with whom we have shared it, and the specific pieces of Personal Data we have collected about you.
- Deletion — request that we delete the Personal Data we have collected from you (subject to certain CCPA exceptions, such as our need to retain it to provide you with the Services).
- Correction — request that we correct inaccurate Personal Data we have collected about you.
- Limit Use of Sensitive Personal Information — direct us to limit our use or sharing of your Sensitive Personal Information to what is necessary to perform the requested services.
- Personal Data Sharing or Selling — opt out of “sharing” or “selling” your Personal Data for cross-contextual behavioral advertising. We have shared demographic data and web analytics for these purposes.
We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices, or provide you with a lower quality of service. From time to time we may offer a financial incentive in exchange for your participation in user research; participation is entirely optional and you may withdraw at any time. Under California Civil Code Sections 1798.83–1798.84, California residents may contact us at [email protected] to prevent disclosure of Personal Data to third parties for those third parties’ direct marketing purposes.
Virginia Resident Rights and Disclosures
If you are a Virginia resident, you have the rights set forth under the Virginia Consumer Data Protection Act (“VCDPA”): access, correction, portability, deletion, and opt-out of certain processing activities (targeted advertising, sale, and profiling that produces legal or similarly significant effects). To appeal a decision, email [email protected] with “VCDPA Appeal” in the subject line. We will respond to your appeal within 60 days of receiving your request. If we deny your appeal, you have the right to contact the Virginia Attorney General.
Colorado Rights and Disclosure
If you are a Colorado resident, you have the rights set forth under the Colorado Privacy Act (“CPA”): access, correction, portability, deletion, and opt-out of certain processing activities (targeted advertising, sale, and profiling). To appeal a decision, email [email protected] with “CPA Appeal” in the subject line. We will respond to your appeal within 45 days of receiving your request.
Exercising Your Rights
To exercise the rights under the CCPA, VCDPA, or CPA, send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data and (2) describes your request in sufficient detail to allow us to understand, evaluate, and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” You do not need an account to submit a Valid Request. We will respond within the applicable time period required by law and will not charge you a fee unless your request is excessive, repetitive, or manifestly unfounded. Submit a Valid Request by emailing us at [email protected].
Changes to this Privacy Policy
We reserve the right to amend our Privacy Policy at our discretion and at any time. When we make changes, we will notify you by email or through a notice on our website homepage. Use of the information we collect is subject to the Privacy Policy in effect at the time such information is collected.
Contact Information
If you have any questions or comments about this Privacy Policy, the ways we collect and use your Personal Data, or your choices and rights, please contact us at:
- Email: [email protected]
- Address: TopDoc, Inc., 232 Mott Street, New York, NY 10012