• We will share some information with certain third parties in the course of running our business. We will only share such information:

  • With companies that provide services to help us operate our business, subject to strict contractual requirements for them to protect your information;

  • When required by law, including subpoenas and court orders; and

  • In extraordinary circumstances, if Private Access, Inc. reasonably believes the disclosure is needed to respond to an imminent physical threat to you or others, to defend or assert legal rights, or in response to an immediate health risk authenticated by a medical professional.

• De-Identified Data (See Glossary for definition): We may share De-Identified Data internally and with selected third parties, such as patient advocacy groups, business partners, public health authorities, or others, to understand the effectiveness of our operations, improve medical treatments in general, and help us improve our future services. Click here for examples of how we may share De-Identified Data.

We will disclose your information only as described here.

There may be times when you choose to share your personal information held by Private Access, Inc., to learn more about useful products or services. However, unless you clearly, conspicuously, and specifically consent, Private Access will not:

• Use your personal information to market products or services to you;

• Share your personal information with third parties for them to use for marketing.

Private Access, Inc. may post information on its website about products and services and give you the opportunity to request more information.

Private Access, Inc. is committed to protecting the security, integrity, and privacy of your information. We use appropriate technologies and controls that help prevent your information from inappropriate viewing, use, loss, or disclosure. For example, we impose controls that limit internal access to your information, and we maintain an audit log that tracks who has accessed your information. If we share your information with companies that help us operate our business, we impose strict contractual requirements on them to protect your information. When we collect or transmit your personal information via the website, we use SSL (Secure Sockets Layer) encryption. We also use independent information security experts to assess our security controls.

There is always some risk that unauthorized, wrongful, or illegal access to your information could occur or that transmissions over the Internet could be intercepted. If, despite our precautions, we ever experience a breach of the security of your information, we will notify you in accordance with federal and state laws.

Because of the sensitivity of the information that our users submit on the PrivateAccess™ website, we urge you to take similar precautions to protect the security of your user name and password that you use for other user names and passwords that grant access to sensitive information, such as on-line access to a bank account.

To enhance security, Private Access, Inc. may use independent identity verification services to attempt to verify that anyone seeking to establish an account on our system is who they say they are.

Once an account has been created, logging in to our system requires multi-factor authentication (such as a User ID, a password and challenge questions) similar to many online banking sites.

You can view the information you have submitted into your active PrivateAccess™ account on the website. In addition, if you ever submit information to us in another way, such as by telephone, we will make commercially reasonable efforts to make that information available to you.

No. Children under the age of 18 are not permitted to establish or access PrivateAccess.com accounts. Parents or guardians can, however, create custodial accounts for their children under the age of 18.

Yes. Private Access may use cookies, web beacons, and similar technologies to improve your user experience with the site, help us verify your identity, measure the effectiveness of our services, and enhance our products. (Cookies are small bits of data placed on your computer that identify your browser to our server. Web beacons, also known as clear gif tags, are electronic images, data, or code embedded in web pages or emails to track and measure usage and activity.) We may use web beacons in communications with users to keep an accurate audit log that you will be able to view from PrivateAccess.com™ and, where needed, to assure proper operation of the service (for example, to determine if a message to you was delivered and opened).

If Private Access, Inc., were to transfer assets or operations in connection with a merger, sale, bankruptcy, or other transaction, we might transfer your information to the acquiring or merging entity. If we were to do so, we would make good faith efforts to ensure that the acquiring entity be contractually obliged to protect your information as we do. We would also make good faith efforts to modify or notify you in advance of the pending transaction to permit you to close your account prior to the transaction if you chose to do so.

Yes, subject to the following:

• If you delete health information from your account, the deleted health information becomes immediately inaccessible by you and cannot be viewed by anyone through our system. Similarly, if you close your account, all of your health and contact information will become immediately inaccessible to you and cannot be viewed by anyone through our system. In both cases:

  • The deleted information will be securely destroyed.

  • For a limited amount of time, backup systems may still contain the information, although in many cases, such information would be difficult, perhaps impossible, to reconstruct.

• Audit logs and information needed for security and legal purposes and other non-health information about your account will be retained for a commercially reasonable period of time, and then securely destroyed.

Private Access may periodically contact you regarding your account or to notify you of changes to our website or services. These communications will be made via e-mails that contain a link to our secure website but will not contain any sensitive information (click to see examples of e-mails we might send.) If we later add options to have you authorize us to contact you by phone, fax, text messages, or other means, we will follow similar precautions to avoid sending or leaving messages containing sensitive information. When you sign in to your PrivateAccess™ account, you will have access to your messages, which may include messages from researchers who wish to contact you, alerts that need your attention, or updates from us about our services.

However, unless you clearly, conspicuously, and specifically consent, we will not contact you, or allow others to contact you, to market products or services to you.

This Privacy Statement primarily contains information about how we collect, use and disclose information of individual users. Business and professional users of Private Access’ services should review the terms of any contractual requirements applicable to them.

Any updates to this Privacy Statement will be posted here. Most updates are expected to be editorial in nature or reflect ongoing improvements in our services. If, however, we make changes to the Privacy Statement that would materially affect your protections or choices, we will, at least seven (7) days in advance of such change taking effect, send you an e-mail to your e-mail address in our records about the change, in addition to posting the new Privacy Statement on our website.

This Privacy Statement is effective June 25, 2009.

If you have any questions, concerns, or complaints about our privacy protections, please write to us at LegalDept@PrivateAccess.com , and we will attempt to resolve your concerns.

Glossary

As used in this Privacy Statement:

“Personal Information” is information you supply to Private Access, Inc. through its website. It includes (a) identifiable contact information, such as name, address, telephone, and email address, (b) information you provide about yourself, such as your health information, and (c) “anonymized information,” which is the same information as (b), but with your identifiers and contact information removed and a random alphanumeric code assigned to it for search purposes.

“De-Identified Data” means information that does not identify individuals and with respect to which there is no reasonable basis to believe that the information can be used to identify individuals. In de-identifying information, Private Access, Inc. follows the standard set by a federal law called HIPAA (the Health Care Portability and Accountability Act), even though Private Access is not subject to that law. Click here for examples of how we may use and disclose De-Identified Data.

Thank you for reviewing our Privacy Statement.