Privacy Policy
Grayce, Inc.
Last Updated: March 28, 2021
We at Grayce value your privacy and are committed to keeping your personal data confidential. We use your data solely in the context of providing our web-based services (the “services) which offers you a convenient and high-quality website that will allow you to easily and purposefully upload the personal data of individuals desiring to connect with and receive services from a Grayce Expert.
This privacy policy (“Policy”) describes how Grayce, Inc. and its related companies (“Grayce,” “Company,” “We,” or “Us”) collect, use and share personal information of consumer users of this website, www.withgrayce.com (“Website” or “Site”). This Policy also applies to the Grayce application. This Policy does not apply to websites that post different statements.
By submitting your personal data through this application or using or accessing our services in any matter, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy. Please note that we occasionally update this privacy policy and that it is your responsibility to stay up to date with any amended versions. The current version of the privacy policy can always be accessed at https://www.withgrayce.com/privacy. We will also notify you via email of any material changes to this policy. You can store this policy and/or any amended version(s) digitally, print it, or save it in any other way. If you have a disability, you may access this Privacy Policy in an alternative format by contacting security@withgrayce.com. Any changes to this privacy policy will be effective immediately upon providing notice, and shall apply to all information we maintain, use, and disclose. If you continue to use the application following such notice, you are agreeing to those changes.
Privacy Policy Table of Contents
What this Privacy Policy Covers
How We Share Your Personal Data
How We Protect Your Personal Data
How You Can Update, Correct, or Delete Personal Data
How You Can Opt-Out of Receiving Communications from Us
European Union Data Subject Rights
What this Privacy Policy Covers
This privacy policy applies to personal data Grayce collects from users of the Website. “Personal data” includes any information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules or regulations. We believe that transparency about the use of your personal data is of utmost importance. The policy explains what kind of information we collect, when and how we might use that information, how we protect the information, and your rights regarding your personal data.
Personal Data
Categories of Personal Data that We Collect
This section details the categories of Personal Data that we collect and have collected over the past 12 months. We may collect the following data about You or your dependent.
- Profile or Contact Data
- For example, we may collect your first and last name, email address, phone number, mailing address, country of residence, and unique identifiers.
- Categories of third parties with whom we share this personal data: service providers.
- Demographic Data
- For example, we may collect demographic information, such date of birth, gender, or age. Primarily, the collection of your Personal Data assists us in creating your User Account, which you can use to securely upload healthcare information for review by a Grayce Expert for support purposes.
- Categories of third parties with whom we share this personal data: service providers.
- Payment Data
- For example, when you sign up for the Services via our Website, we may require that you provide your financial and billing information, such as billing name and address, credit card number or bank account information in order to process your payment for access to the Services.
- Categories of third parties with whom we share this personal data: payment processors. We currently use Stripe as our payment processor, and We do not process payment data ourselves.
- Support Data
- For example, if you contact Grayce for support or to lodge a complaint, We may collect technical or other information from you through log files and other technologies, some of which may qualify as Personal Data. (e.g., IP address). Such information will be used for the purposes of troubleshooting, customer support, software updates, and improvement of the Application and related services in accordance with this Privacy Policy. Calls with Grayce may be recorded or monitored for training, quality assurance, customer service, and reference purposes.
- Categories of third parties with whom we share this personal data: service providers.
- Device/IP Data, Web Analytics Data, and Geolocation Data
- We use common information-gathering tools, such as log files, cookies, web beacons, and similar technologies to automatically collect information, which may contain Personal Data, from Your computer or mobile device as you navigate our Website, or interact with emails We have sent You. For example, this information may include your Internet Protocol (IP) address (or proxy server), device and application identification numbers, location, browser type, Internet service provider and/or mobile carrier, the pages and files you viewed, Your searches, Your operating system and system configuration information, IP-address based location information) and date/time stamps associated with Your usage. This information is used to analyze overall trends, to help us provide and improve our websites and to guarantee their security and continued proper functioning.
- Categories of third parties with whom we share this personal data: service providers and analytics partners.
- Professional or Employment-Related Data
- For example, we may collect the name of your employer, your work email, and your employee ID.
- Categories of third parties with whom we share this personal data: service providers.
- Sensory Data
- For example, we may collect photos, videos or recordings of your environment when you when you communicate with Us by video and if you upload these items to your profile.
- Categories of third parties with whom we share this personal data: service providers.
- Health Data (for Consumers and Patients who are non-Provider users)
- We may collect health data from You regarding the individual that will ultimately benefit from the Grayce Expert services, such as weight, height, areas of concern, health or exercise activity monitoring, mental health information, medical insurance information, and existing conditions. We collect this information to provide the Expert with sufficient information to provide services. Note that this information is not considered protected health information (PHI) as Grayce is not a Covered Entity.
- Categories of third parties with whom we share this personal data: service providers and parties you authorize, access, or authenticate.
- Other Identifying Information that You Voluntarily provide to Us
- You may voluntarily provide us with identifying information when You correspond with Grayce, including when You schedule consults or send messages to Your Grayce Expert.
- Categories of third parties with whom we share this personal data: service providers and parties you authorize, access, or authenticate.
Data that is Not Personal Data
We may, from time to time, rent or sell aggregated, de-identified, or anonymized data. We may aggregate, de-identify, or anonymize data by removing information that makes the data personally identifiable to an individual user. The purpose of this type of disclosure is to deliver better care and services to our users. Once Your data is anonymized, it is no longer Personal Data, and We are not restricted in Our use of that data for any purpose.
Categories of Sources of Personal Data
We collect Personal Data about you from the following categories of sources:
- You
- When you provide such information directly to us.
- When you create an account or use our interactive tools and Services.
- When you voluntarily provide information in free-form text boxes through the Services or through responses to surveys or questionnaires.
- When you send us an email or otherwise contact us.
- When you use the Services and such information is collected automatically.
- Through Cookies (defined in the “Tracking Tools, Advertising and Opt-Out” section below).
- If you use a location-enabled browser, we may receive information about your location and mobile device, as applicable.
- If you download and install certain applications and software we make available, we may receive and collect information transmitted from your computing device for the purpose of providing you the relevant Services, such as information regarding when you are logged on and available to receive updates or alert notices.
- When you provide such information directly to us.
- Third Parties
- Vendors
- We may use analytics providers to analyze how you interact and engage with the Services, or third parties may help us provide you with customer support.
- Vendors
Our Commercial or Business Purposes for Collecting Personal Data
- Providing, Customizing and Improving the Services
- Creating and managing your account or other user profiles.
- Processing orders or other transactions; billing.
- Providing you with the products, services or information you request.
- Meeting or fulfilling the reason you provided the information to us.
- Providing support and assistance for the Services.
- Improving the Services, including testing, research, internal analytics and product development.
- Personalizing the Services, website content and communications based on your preferences.
- Doing fraud protection, security and debugging.
- Carrying out other business purposes stated when collecting your Personal Data or as otherwise set forth in applicable data privacy laws, such as the California Consumer Privacy Act (the “CCPA”).
- Marketing the Services
- Marketing and selling the Services.
- Corresponding with You
- Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Grayce or the Services.
- Sending emails and other communications according to your preferences or that display content that we think will interest you.
- Meeting Legal Requirements and Enforcing Legal Terms
- Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.
- Protecting the rights, property or safety of you, Grayce or another party.
- Enforcing any agreements with you.
- Responding to claims that any posting or other content violates third-party rights.
- Resolving disputes.
We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing you notice.
How We Share Your Personal Data
We disclose your Personal Data to the categories of service providers and other parties listed in this section. Depending on state laws that may be applicable to you, some of these disclosures may constitute a “sale” of your Personal Data. For more information, please refer to the state-specific sections below.
- Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:
- Hosting, technology and communication providers.
- Security and fraud prevention consultants.
- Payment processors.
- Our payment processing partner Stripe, Inc. (“Stripe”) collects your voluntarily-provided payment card information necessary to process your payment.
- Please see Stripe’s terms of service and privacy policy for information on its use and storage of your Personal Data.
- Analytics Partners. These parties provide analytics on web traffic or usage of the Services. They include:
- Companies that track how users found or were referred to the Services.
- Companies that track how users interact with the Services.
- Parties You Authorize, Access or Authenticate
- Third parties you access through the services, or who you authorize Grayce to communicate with for support services, such as healthcare providers.
- Other users.
Legal Obligations
We may share any Personal Data that we collect with third parties in conjunction with any of the activities set forth under “Meeting Legal Requirements and Enforcing Legal Terms” in the “Our Commercial or Business Purposes for Collecting Personal Data” section above.
Business Transfers
All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.
Links to Other Sites
Our Website may contain links to websites and services that are owned or operated by third parties (each, a “Third-party Service”). Any information that you provide on or to a Third-party Service or that is collected by a Third-party Service is provided directly to the owner or operator of the Third-party Service and is subject to the owner’s or operator’s privacy policy. We’re not responsible for the content, privacy or security practices and policies of any Third-party Service. To protect your Personal Data, we recommend that you carefully review the privacy policies of all Third-party Services that you access.
How We Protect Your Personal Data
Grayce is committed to protecting the security and confidentiality of your Personal Data. We use a combination of reasonable physical, technical, and administrative security controls to maintain the security and integrity of your Personal Data, to protect against any anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of such information in our possession or control that could result in substantial harm or inconvenience to you. However, Internet data transmissions, whether wired or wireless, cannot be guaranteed to be 100% secure. As a result, we cannot ensure the security of information you transmit to us. By using the Website and Services, you are assuming this risk.
Safeguards
The information collected by Grayce and stored on secure servers, is protected by a combination of technical, administrative, and physical security safeguards, such as authentication, encryption, backups, and access controls. If Grayce learns of a security concern, We may attempt to notify You and provide information on protective steps, if available, through the email address that You have provided to Us or by an in app notification. Depending on where You live, You may have a legal right to receive such notices in writing.
You are solely responsible for protecting information entered or generated via the Website that is stored on Your device and/or removable device storage. Grayce has no access to or control over Your device’s security settings, and it is up to You to implement any device level security features and protections You feel are appropriate (e.g., password protection, encryption, remote wipe capability, etc.). We recommend that You take any and all appropriate steps to secure any device that You use to access Our Application.
We recommend that You take any and all appropriate steps to secure any device that You use to access Our Application.
NOTWITHSTANDING ANY OF THE STEPS TAKEN BY US, IT IS NOT POSSIBLE TO GUARANTEE THE SECURITY OR INTEGRITY OF DATA TRANSMITTED OVER THE INTERNET. THERE IS NO GUARANTEE THAT YOUR PERSONAL DATA WILL NOT BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED BY BREACH OF ANY OF OUR PHYSICAL, TECHNICAL, OR ADMINISTRATIVE SAFEGUARDS. THEREFORE, WE DO NOT AND CANNOT ENSURE OR WARRANT THE SECURITY OR INTEGRITY OF ANY PERSONAL DATA YOU TRANSMIT TO US AND YOU TRANSMIT SUCH PERSONAL DATA AT YOUR OWN RISK.
How You Can Protect Your Personal Data
In addition to securing Your device, as discussed above, We will NEVER send you an email requesting confidential information such as account numbers, usernames, passwords, or social security numbers, and You should NEVER respond to any email requesting such information. If You receive such an email purportedly from Grayce, DO NOT RESPOND to the email and DO NOT click on any links and/or open any attachments in the email, and notify Grayce support at security@withgrayce.com.
You are responsible for taking reasonable precautions to protect Your user ID, password, and other User Account information from disclosure to third parties, and You are not permitted to circumvent the use of required encryption technologies. You should immediately notify Grayce at security@withgrayce.com if You know of or suspect any unauthorized use or disclosure of Your user ID, password, and/or other User Account information, or any other security concern.
How You Can Update, Correct, or Delete Personal Data
You can change your email address and other contact information by editing via Your User Profile within Grayce. If you need to make changes or corrections to other information, you may email support@withgrayce.com. Please note that in order to comply with certain requests to limit use of Your Personal Data, we may need to terminate your account and Your ability to access and use the Services, and You agree that We will not be liable to you for such termination or for any refunds of prepaid fees paid by You. You can deactivate your account by emailing support@withgrayce.com.
How You Can Opt-Out of Receiving Communications from Us
We pledge not to market third party services to You without Your consent. We only send emails to You regarding Your Grayce account and Services if We have Your express consent to do so. You can choose to filter these emails using Your email client settings, but We do not provide an option for You to opt out of Grayce Services emails. You can opt out of non-Services related emails by updating your Grayce profile or utilizing unsubscribe links available in all non-Services related emails.
Personal Data of Children
We do not knowingly collect or solicit Personal Data from children under 18 years of age. However, parents or guardians may choose to provide personally identifiable information about children under 18. If you believe that a child under 18 years of age may have provided Personal Data to us, please contact us at security@withgrayce.com.
European Union Data Subject Rights
If you are a resident of the European Union (“EU”), United Kingdom, Lichtenstein, Norway or Iceland, you may have additional rights under the EU or UK General Data Protection Regulation (the “GDPR”) with respect to your Personal Data, as outlined below.
For this section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR, but “Personal Data” generally means information that can be used to individually identify a person, and “processing” generally covers actions that can be performed in connection with data such as collection, use, storage and disclosure. Grayce is the controller of your Personal Data and may process this data in accordance with the Privacy Policy.
If there are any conflicts between this this section and any other provision of this Privacy Policy, the policy or portion that is more protective of Personal Data shall control to the extent of such conflict. You can contact Us with any questions about our Privacy Policy at security@withgrayce.com. You can reach our data privacy officer by emailing dpo@withgrayce.com. Note that we may also process Personal Data of our customers’ end users or employees in connection with our provision of certain services to customers, in which case we are the processor of Personal Data. If we are the processor of your Personal Data (i.e., not the controller), please contact the controller party in the first instance to address your rights with respect to such data.
Personal Data We Collect
The “Categories of Personal Data We Collect” section above details the Personal Data that we collect from you.
How We use Your Personal Data
We process your Personal Data for purposes based on legitimate business interests, the fulfillment of our Services to You, compliance with Our legal obligations, and/or Your consent.
Specifically, we process Your Personal Data for the following legitimate business purposes:
- Contractual Necessity: We process the following categories of Personal Data as a matter of “contractual necessity,” meaning that we need to process the data to fulfill our obligations to You under the Terms of Use or other applicable services agreement. When We process data due to contractual necessity, failure to provide such Personal Data will result in your inability to use some or all portions of the Services that require such data.
- Profile or Contact Data, Demographic Data, Support Data, Professional- or Employment-Related Data, and Health Data.
- Legitimate Interest: We process the following categories of Personal Data when we believe it furthers the legitimate interest of us or third parties:
- Device/IP Data, Web Analytics Data, Sensory Data, and Other Identifying Information that You Voluntarily provide to Us.
- Examples of these legitimate interests include (as described in more detail above):
- To communicate with You about and manage Your User Account
- To properly store and track Your data within our system
- Marketing the Services
- Meeting legal requirements and enforcing legal terms
- Completing corporate transactions
- To protect our rights, privacy, safety or property, and/or that of you or others by providing proper notices, pursuing available legal remedies, and acting to limit Our damages
- To handle technical support and other requests from You
- To enforce and ensure your compliance with our Terms of Use or the terms of any other applicable services agreement We have with You
- To manage and improve our operations and the Website, including the development of additional functionality
- To manage payment processing
- To evaluate the quality of service You receive, identify usage trends, and thereby improve Your user experience
- To keep our Website safe and secure for You and for Us
- To send You product, service and new feature information and/or information about changes to our terms, conditions, and policies (with your consent, if required by law)
- To allow us to pursue available remedies or limit the damages that we may sustain
- Consent: In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection.
- Other Processing Grounds: To respond to lawful requests from public and government authorities, and to comply with applicable state/federal law, including cooperation with judicial proceedings or court orders
Note that You can opt-out of receiving promotional emails by changing the notification preferences in your account settings or by unsubscribing via the “Unsubscribe” link in any Grayce email. Opting-out of these emails will not end transmission of important service-related emails that are necessary to your use of the Website.
Sharing Personal Data
The “How We Share Your Personal Data” section above details how we share your Personal Data with third parties.
Your rights
You have certain rights relating to your Personal Data, subject to local data protection laws. These rights may include:
- to access your Personal Data held by us;
- to erase/delete your Personal Data, to the extent permitted by applicable data protection laws;
- to receive communications related to the processing of your personal data that are concise, transparent, intelligible and easily accessible;
- to restrict the processing of your Personal Data to the extent permitted by law (while we verify or investigate your concerns with this information, for example);
- to object to the further processing of your Personal Data, including the right to object to marketing;
- to request that your Personal Data be transferred to a third party, if possible;
- to receive your Personal Data in a structured, commonly used and machine-readable format;
- to lodge a complaint with a supervisory authority;
- to rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete; and
- to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects (“Automated Decision-Making”).
Where the processing of Your Personal Data by Grayce is based on consent, You have the right to withdraw that consent without detriment at any time by emailing support@withgrayce.com. You can exercise the rights listed above at any time by contacting us at security@withgrayce.com.
Where Your Personal Data is Processed
Personal Data Grayce collects through the Website will be stored on secure servers in the United States, even if you are accessing the Website from outside the United States. Your country’s data protection laws may not apply, and may be more stringent than those to which Grayce is legally subject. Personal Data may be transmitted to third parties, which parties may store or maintain the data on their secure servers.
By using the Services, you acknowledge that any Personal Data about you, regardless of whether provided by you or obtained from a third party, is being provided to Grayce in the U.S. and will be hosted on U.S. servers, and you authorize Grayce to transfer, store and process your information to and in the U.S., and possibly other countries.
Our Retention of Your Personal Data
We will retain your Personal Data for as long as you maintain a User Account and up to 6 months after the account is closed. The exact period of retention will depend on the type of Personal Data, our contractual obligation to You, and applicable law. We keep your Personal Data for as long as necessary to fulfill the purpose for which it was collected, unless otherwise required or necessary pursuant to a legitimate business purpose outlined herein. At the end of the applicable retention period, We will remove your Personal Data from our databases and will request that our Business Partners remove your Personal Data from their databases. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing of such data. We retain anonymized data indefinitely. Contact Us regarding the applicable data retention period for your Personal Data.
NOTE: Once we disclose your Personal Data to third parties, we may not be able to access that Personal Data any longer and cannot force the deletion or modification of any such information by the parties to whom we have made those disclosures. Written requests for deletion of Personal Data other than as described should be directed to security@withgrayce.com.
California Resident Rights
If you are a California resident, you have the rights set forth in this section. Please see the “Exercising Your Rights” section below for instructions regarding how to exercise these rights. Please note that we may process Personal Data of our customers’ end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Data as a service provider, you should contact the entity that collected your Personal Data in the first instance to address your rights with respect to such data.
If there are any conflicts between this section and any other provision of this Privacy Policy and you are a California resident, the portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at security@withgrayce.com.
Access
You have the right to request certain information about our collection and use of your Personal Data over the past 12 months. In response, we will provide you with the following information:
- The categories of Personal Data that we have collected about you.
- The categories of sources from which that Personal Data was collected.
- The business or commercial purpose for collecting or selling your Personal Data.
- The categories of third parties with whom we have shared your Personal Data.
- The specific pieces of Personal Data that we have collected about you.
If we have disclosed your Personal Data to any third parties for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each category of third party recipient. If we have sold your Personal Data over the past 12 months, we will identify the categories of Personal Data sold to each category of third party recipient.
Deletion
You have the right to request that we delete the Personal Data that we have collected about you. Under the CCPA, this right is subject to certain exceptions: for example, we may need to retain your Personal Data to provide you with the Services or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request.
Exercising Your Rights
To exercise the rights described above, you or your Authorized Agent (defined below) must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data, including login credentials and personal contact information, and (2) describes your request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use Personal Data provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.
We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.
You may submit a Valid Request using the following methods:
- Email us at: security@withgrayce.com
- Submit a form here.
You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.
We Will Not Discriminate Against You for Exercising Your Rights Under the CCPA
We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA. However, we may offer different tiers of our Services as allowed by applicable data privacy laws (including the CCPA) with varying prices, rates or levels of quality of the goods or services you receive related to the value of Personal Data that we receive from you.
Other State Law Privacy Rights
California Resident Rights
Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties’ direct marketing purposes; in order to submit such a request, please contact us at security@withgrayce.com.
Nevada Resident Rights
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at security@withgrayce.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A.
Contact Us
If You have any questions about this Privacy Policy, please do not hesitate to contact Us by email at:
- security@withgrayce.com
- 1400 Greenwich Street, # 9, San Francisco, California 94109.
Please note that email communications are not always secure; so please do not include sensitive information in Your emails to Us.
Individuals and data protection supervisory authorities in the EU and the UK may contact our Data Protection Officer at dpo@withgrayce.com, or our data protection representatives according to Articles 27 EU and UK GDPR:
- EU: DP-Dock GmbH, Attn: Grayce, Ballindamm 39, 20095 Hamburg, Germany
- UK: DP Data Protection Services UK Ltd., Attn: Grayce 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
- www.dp-dock.com
- grayce@gdpr-rep.com