TopDoc Privacy Policy
At TopDoc, Inc. (“TopDoc,” “we,” or “us”), we are committed to protecting your privacy, and we take great care with your personal information that we gather when you access or use TopDoc.com and related websites, applications, and services owned and operated by TopDoc and that link to this Privacy Policy (collectively, the “Services”). This Privacy Policy is meant to help those that use our Services to explore providers or book appointments (“Users”) and doctors, dentists, or other healthcare specialists, professionals, providers, organizations or agents, or affiliates thereof that use our marketing, concierge and other services (“Healthcare Providers,” and collectively with Users, “you,” or “your”) understand how we treat your personal information.
BY USING OR ACCESSING THE SERVICES IN ANY MANNER, YOU ACKNOWLEDGE THAT YOU ACCEPT THE PRACTICES AND POLICIES OUTLINED IN THIS PRIVACY POLICY, AND YOU HEREBY CONSENT THAT WE WILL COLLECT, USE, AND SHARE YOUR INFORMATION IN THE FOLLOWING WAYS. IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, YOU MAY NOT USE THE SERVICES.
Any use of TopDoc’s Services is at all times subject to the Agreement, as defined in our Terms of Use, which incorporates this Privacy Policy.
HIPAA and PHI
Certain demographic, health and/or health-related information that TopDoc collects about Users as part of providing the Services to our Healthcare Providers may be “protected health information” or “PHI” and governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”). Specifically, when (i) TopDoc is providing administrative, operational, and other services to a Healthcare Provider and this Healthcare Provider is a “Covered Entity” (as such term is defined in HIPAA); and (ii) in order to provide those services, TopDoc receives identifiable information about a User on behalf of the Healthcare Provider, TopDoc is acting as a “Business Associate” of the Healthcare Provider, and this identifiable information is regulated as PHI.
HIPAA provides specific protections for the privacy and security of PHI and restricts how PHI is used and disclosed.
Personal data that a User provides to TopDoc when TopDoc is not acting as a Business Associate is not PHI. Examples include when you create an account, search for Healthcare Providers, complete general medical history forms not required by a particular Healthcare Provider, post reviews, or provide device/IP information.
Personal Data
The following sections detail the categories of Personal Data that we collect. “Personal Data” means any information that identifies or relates to a particular individual and includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws.
COVID-19 Data
Personal Data that a User provides to TopDoc for the purpose of Covid-19 vaccine scheduling may be shared with local, state, and federal public health authorities. By using this service, you agree that TopDoc may provide any data related to your Covid-19 vaccine to government authorities and that the data sent to those authorities may contain Personal Data.
User Personal Data
THE FOLLOWING SUBSECTIONS APPLY ONLY TO USERS. IF YOU ARE A HEALTHCARE PROVIDER, PLEASE SEE THE HEALTHCARE PROVIDER PERSONAL DATA SECTION BELOW.
Categories of Personal Data We Collect from Users
- Payment Information — Payment card type, last four digits of payment card, billing contact, billing email. Source: You. Shared with: Service Providers (Stripe).
- Device/IP Information — IP address, device ID, domain server, type of device/operating system/browser used. Source: You and Third Parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Web Analytics — Web page interactions, referring webpage, non-identifiable request IDs, statistics. Source: You and Third Parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Geolocation Data — IP address-based location information. Source: You. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Other Identifying Information You Voluntarily Provide — Unique identifiers such as passwords, personal data in emails or letters. Source: You. Shared with: Service Providers.
- User Contact Data — First and last name, email, phone number, mailing address. Source: You. Shared with: Service Providers, Ad Networks, Healthcare Providers, Insurance Providers, Health Information Exchanges, Parties You Authorize.
- User Demographic Data — Gender, age, date of birth, zip code, race, sexual orientation. Source: You. Shared with: Service Providers, Ad Networks, Healthcare Providers, Health Information Exchanges, Parties You Authorize.
- Medical Data — Health conditions, Healthcare Providers visited, reasons for visit, dates of visit, medical history. Source: You. Shared with: Service Providers, Healthcare Providers, Insurance Providers, Health Information Exchanges, Parties You Authorize.
- Insurance Information — Insurance carrier, plan, member ID, group ID, payer ID. Source: You. Shared with: Service Providers, Healthcare Providers, Health Information Exchanges, Parties You Authorize.
- Booking Appointment Data — Appointment date/time, provider information, procedure, new vs. existing patient status. Source: You and Third Parties. Shared with: Service Providers, Analytics Partners, Healthcare Providers, Health Information Exchanges.
- Social Network Data — Email, phone number, username, IP address, device ID. Source: You and Third Parties. Shared with: Service Providers, Ad Networks, Parties You Authorize.
- Categories of Data that may be Considered “Sensitive” — Health information, sexual orientation, unique identifiers such as account login and password.
Categories of Sources of Personal Data
- From You — When You Provide Information Directly to Us: When you create an account or use our interactive tools and services, search for Healthcare Providers, complete Medical History Forms, voluntarily provide information, submit surveys or reviews, or contact us.
- From You — When Personal Data is Automatically Collected: Through Cookies. If you download applications, we may receive information transmitted from your device.
- From Service Providers: We may use service providers to analyze how you interact with the Services, provide customer support, generate leads, and create user profiles.
- From Analytics Partners: We may work with analytics partners to provide us analytics on website traffic or the usage of the Services.
- From Healthcare Providers: We may receive certain data from your Healthcare Provider(s) to facilitate booking appointments.
- From Social Networks: If you provide your social network account credentials to us, content and/or information in those accounts may be transmitted into your account with us.
- From Advertising Partners: We receive information about you from some of our service providers who assist us with marketing or promotional services.
Commercial or Business Purposes for Collecting Data
- Providing, Customizing, and Improving the Services — Creating and managing accounts, billing, fulfilling requests, providing support, improving the Services, personalizing content, fraud protection, security, and debugging.
- Marketing the Services — Marketing and selling the Services, showing you advertisements including interest-based advertising.
- Corresponding with You — Responding to correspondence, contacting you when necessary, including appointment reminders, sending communications.
- Legal Requirements — Fulfilling our legal obligations under applicable law, regulation, court order, or other legal process; protecting rights, property or safety; enforcing agreements; responding to claims; resolving disputes.
How We Share Your Personal Data
In certain circumstances, we may share your Personal Data with the following categories of service providers and other third parties:
- Payment Processors — Our payment processing partner (currently Stripe, Inc.) collects voluntarily provided payment card information necessary to process your payment.
- Security and Fraud Prevention Consultants — Detecting security incidents, protecting against malicious activity.
- Hosting, Technology, and Communications Providers; Fulfillment Providers; Data Storage Providers; Analytics Providers; Insurance Verification Providers; Staff Augmentation Personnel — To perform operational services.
- Analytics Partners — To track how users found or were referred to the Services.
- Ad Networks — Ad customizing and serving, auditing.
- Healthcare Providers — Healthcare Providers with whom Users choose to schedule through the Services, and in the event of an emergency.
- Insurance Providers — To determine eligibility and cost-sharing obligations.
- Health Information Exchanges — Organizations that collect and organize User information to make your information more securely and easily accessible to your Healthcare Providers.
- Other Users — Information you reveal in a review posting or online discussion is intentionally open to the public.
- Third-Party Business Partners You Access Through the Services — Sharing if you choose to use any third-party service to log in to the Services.
Healthcare Provider Personal Data
THE FOLLOWING SUBSECTIONS APPLY ONLY TO HEALTHCARE PROVIDERS. IF YOU ARE A USER, PLEASE SEE THE USER PERSONAL DATA SECTION ABOVE.
Categories of Personal Data We Collect from Healthcare Providers
- Payment Information — Payment card type, last four digits, billing contact and email. Source: You. Shared with: Service Providers (Stripe).
- Device/IP Information — IP address, device ID, domain server, type of device/OS/browser. Source: You and Third Parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Web Analytics — Webpage interactions, referring webpage, non-identifiable request IDs. Source: You and Third Parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Geolocation Data — IP address-based location information. Source: You and Third Parties. Shared with: Service Providers, Analytics Partners, Ad Networks, Third-Party Business Partners.
- Other Identifying Information You Voluntarily Provide — Unique identifiers such as passwords, personal data in emails or letters, information disclosed over the phone. Source: You. Shared with: Service Providers.
- Healthcare Provider Contact Data — First and last name, email, phone number, mailing address. Source: You and Third Parties. Shared with: Service Providers, Ad Networks, Healthcare Providers, Insurance Providers, Health Information Exchanges, Parties You Authorize.
- Healthcare Provider Demographic Data — Gender, age, date of birth, zip code, race, sexual orientation, spoken language. Source: You and Third Parties. Shared with: Service Providers, Ad Networks, Healthcare Providers, Health Information Exchanges, Parties You Authorize.
- Professional License Information — Professional licenses, education history, specialties and certifications. Source: You and Third Parties. Shared with: Service Providers.
- Categories of Data that may be Considered “Sensitive” — Sexual orientation, unique identifiers such as account login and password.
Categories of Sources of Personal Data
- From You — When You Provide Information Directly to Us: When you create an account or contact us via email.
- From You — When Personal Data is Automatically Collected: Through Cookies. If you download applications, we may receive information transmitted from your device.
- From Service Providers: To analyze how you interact and engage with the Services, provide customer support, generate leads, and create user profiles.
- From Analytics Partners: To provide us analytics on website traffic or the usage of the Services.
- From Government or Public Records: For onboarding or verifying Healthcare Providers.
- From Advertising Partners: From service providers who assist us with marketing or promotional services.
Commercial or Business Purposes for Collecting Data
- Providing, Customizing, and Improving the Services — Creating and managing accounts, producing invoices, fulfilling requests, providing support, improving the Services, personalizing content, fraud protection, security, and debugging.
- Marketing the Services — Marketing and selling the Services, showing advertisements.
- Corresponding with You — Responding to correspondence, sending appointment reminders, sending communications.
- Legal Requirements — Fulfilling legal obligations, protecting rights, enforcing agreements, responding to claims, resolving disputes.
- Onboarding Verification — Confirming providers have the necessary credentials to practice in the state where advertised.
How We Disclose Your Personal Data
In certain circumstances, we may disclose your Personal Data to the following categories of service providers and other third parties: Payment Processors (Stripe), Security and Fraud Prevention Consultants, Hosting/Technology/Communications/Fulfillment/Data Storage/Analytics/Insurance Verification Providers, Analytics Partners, Ad Networks, Health Information Exchanges, and Third-Party Business Partners You Access Through the Services.
Tracking Tools, Advertising, and Opt-Out
The Services use cookies and similar technologies (pixel tags, web beacons, clear GIFs, mobile identifiers, JavaScript) to recognize your web browser and tell us how and when you visit and use our Services. We use Cookies to tailor the Services, customize advertisements, store authentication status, measure performance, and for analytics and fraud prevention.
Types of Cookies we use:
- Essential Cookies — Required to provide features or services you have requested.
- Functional Cookies — Used to record your choices and settings.
- Performance/Analytical Cookies — Allow us to understand how visitors use our Services.
- Retargeting/Advertising Cookies — Collect data about your online activity for relevant advertising.
- Web Beacons — Tiny graphic image files embedded in a webpage or email.
- Mobile Device Identifiers — Data stored on mobile devices that may track activities.
- Cross Device Matching — To determine if users have interacted with content across multiple devices.
You can decide whether or not to accept Cookies through your internet browser’s settings. We comply with the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising.
Data Security
The security of your Personal Data is important to us. We seek to protect your Personal Data from unauthorized access, use, and disclosure using appropriate physical, technical, organizational, and administrative security measures. The Services use industry-standard Secure Sockets Layer (SSL) technology to allow for the encryption of Personal Data. We store and process your information on our servers in the United States and abroad. No method of transmitting data over the Internet or storing data is completely secure. We cannot and do not guarantee the complete security of any data you share with us.
Data Retention
We retain Personal Data about you as necessary to provide our Services or to perform our business or commercial purposes. We retain account information and credentials for as long as you have an account with us. We retain device/IP data for as long as we need it. We retain any protected health information consistent with our obligations under our Business Associate Agreements with Covered Entities and HIPAA.
Children’s Privacy
The Services are not directed to or intended for use by children under 13 years of age. We do not knowingly collect or solicit Personal Data from children under the age of 13.
If you are between the age of thirteen (13) and the age of majority in your place of residence, you may use the Services only with the consent of or under the supervision of your parent or legal guardian.
How We Use Information That is Neither Personal Data nor PHI
Certain information that TopDoc collects may be neither Personal Data nor PHI, including information that does not include any identifiable information at collection or which we have de-identified and/or aggregated. We may use this information for any purpose permitted by applicable law.
Controlling Your Personal Data & Notifications
If you are a registered user of the Services, you can modify certain Personal Data or account information by logging in and accessing your account. If you wish to close your account, please email us at [email protected].
California Rights and Disclosures
The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with specific rights regarding their personal information: Access, Deletion, Correction, Processing of Sensitive Personal Information Opt-Out, and Personal Data Sharing or Selling. We will not discriminate against you for exercising your rights under the CCPA. To exercise these rights, please contact us at [email protected] and indicate “California Rights” in the subject line.
Virginia Resident Rights and Disclosures
If you are a Virginia resident, you have the rights set forth under the Virginia Consumer Data Protection Act (“VCDPA”): Access, Correction, Portability, Deletion, and Opt-Out of Certain Processing Activities. To appeal a decision, email [email protected] (title must include “VCDPA Appeal”) or call (347) 604-7436.
Colorado Rights and Disclosure
If you are a Colorado resident, you have the rights set forth under the Colorado Privacy Act (“CPA”): Access, Correction, Portability, Deletion, and Opt-Out of Certain Processing Activities. To appeal, email [email protected] (title must include “CPA Appeal”) or call (347) 604-7436.
Exercising Your Rights
To exercise the rights under the CCPA, VCDPA, or CPA, you must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data and (2) describes your request in sufficient detail. You may submit a Valid Request by emailing us at [email protected].
Changes to this Privacy Policy
We reserve the right to amend our Privacy Policy at our discretion and at any time. When we make changes, we will notify you by email or through a notice on our website homepage.
Contact Information
If you have any questions or comments about this Privacy Policy, please contact us at:
- Email: [email protected]
- Address: TopDoc, Inc., 232 Mott Street, New York, NY 10012
- Phone: (347) 604-7436