Privacy Policy

01Scope of this Policy

SwitzerHealth, LLC ("SwitzerHealth," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information in connection with your visit to switzerhealth.com, our subdomains, and any online feature, web form, web portal, or digital marketing channel that links to this Policy (collectively, the "Site"). It also explains the rights that may be available to you under applicable privacy laws, including the Utah Consumer Privacy Act, the California Consumer Privacy Act as amended by the California Privacy Rights Act, and comparable state privacy laws.

This Policy applies to information collected through the Site. It does not apply to information collected offline, through clinical systems used in the course of healthcare services, or through platforms that are governed by a separate business associate agreement or patient facing notice. For information about our handling of protected health information, see our HIPAA Notice of Privacy Practices.

02Relationship to HIPAA

The personal information we collect through the Site is generally not protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"). The Site is a marketing and informational website. It is not a patient portal, an electronic health record, or a clinical communication channel.

Where SwitzerHealth processes PHI on behalf of a covered entity, we do so as a business associate under a written business associate agreement. PHI handled in that capacity is governed by HIPAA, by the applicable business associate agreement, and by our HIPAA Notice of Privacy Practices, not by this website Privacy Policy.

03Information we collect

We collect information in three ways: information you provide directly, information collected automatically when you use the Site, and information we receive from third parties.

Information you provide

• Contact details such as your name, employer or organization, job title, email address, and phone number when you complete a form or request a demo.
• The content of the messages, notes, or questions you choose to submit through a form or send to our email inboxes.
• Business context such as the state or region in which you operate, the facility type you represent, and the services you are evaluating.
• Records of your interactions with our team, including notes from phone calls, meetings, and correspondence when you initiate contact.

Information collected automatically

• Device and browser information such as IP address, device identifier, browser type and version, operating system, language preference, and referring URLs.
• Usage information such as the pages you view, the links you click, the time and duration of your visit, and the approximate geographic location inferred from your IP address.
• Cookies and similar technologies as described in Section 6.
• Aggregated and de identified analytics.

Information from third parties

• Information from business information providers, data enrichment services, and publicly available sources used to validate the business contact information you submit and to help prepare for conversations with your organization.
• Information from service providers that host the Site, deliver email, manage customer relationships, or provide security and fraud prevention support.
• Information from partner organizations, referral sources, and event sponsors when you interact with us through their platforms and have agreed to share your information with SwitzerHealth.

We do not intentionally collect sensitive categories of personal information through the Site. We do not collect Social Security numbers, payment card numbers, biometric identifiers, precise geolocation, or information about your health or immigration status through public web forms.

04How we use information

We use the information we collect for the following purposes:

• to respond to your inquiries, requests, and questions;
• to provide information about our services, schedule demonstrations, and follow up with you;
• to evaluate fit with prospective clients, partners, and referral sources;
• to administer and improve the Site, monitor performance, diagnose technical issues, and protect against abuse, fraud, and unauthorized access;
• to conduct product, market, and customer research, including de identified or aggregated analytics;
• to send administrative communications such as service related notices, updates to this Policy, or information about our company;
• to send marketing communications about our services where permitted by law and, where required, with your consent, subject to your right to opt out at any time;
• to establish, exercise, or defend legal claims, comply with legal process and government requests, and enforce our agreements; and
• for other purposes for which we obtain your consent or as disclosed at the time of collection.

05How we share information

We do not sell personal information in the ordinary sense of the word. We share information in the following circumstances:

• Affiliates. With affiliated entities under common ownership or control, including affiliated professional corporations, for purposes consistent with this Policy.
• Service providers. With third party service providers that perform services on our behalf and are contractually required to use personal information only for the services they provide to us. This includes website hosting, form handling, email delivery, customer relationship management, analytics, security, and professional services.
• Business partners. With partners, referral sources, or co marketing organizations with whom we are working on a specific opportunity you have requested, such as when you ask us to introduce you to a partner or vendor.
• Compliance and protection. When required by law, subpoena, court order, regulatory request, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
• Business transactions. In connection with a merger, acquisition, reorganization, financing, sale of assets, or similar corporate transaction, subject to customary confidentiality protections and applicable law.
• With your consent. When you have otherwise directed us to share your information or we otherwise disclose the purpose at the time of collection.

06Cookies and similar technologies

The Site uses cookies and similar technologies, including pixel tags, web beacons, local storage, and session identifiers. A cookie is a small text file placed on your device by a website you visit. We use cookies and similar technologies for the following purposes:

• Strictly necessary. To operate the Site, maintain session state, load balance, and secure the Site against attacks.
• Performance and analytics. To understand how visitors use the Site, measure traffic, and improve usability. We configure analytics to limit personally identifiable fields where feasible.
• Functionality. To remember your preferences and provide enhanced features.
• Marketing and conversion. Where enabled, to understand the performance of our marketing channels and, in limited circumstances, to reach business audiences with information about our services.

You can control cookies through your browser settings. Most browsers allow you to block cookies, delete existing cookies, or receive a warning before a cookie is stored. Blocking strictly necessary cookies may affect Site functionality. The Site responds to Global Privacy Control signals where required by law, as described in Section 17.

07Analytics and advertising

We may use third party analytics services to measure Site performance. These services may set cookies or use similar technologies to collect information about your visit on an aggregated or pseudonymized basis. We do not currently display advertising on the Site. If we begin to use advertising technologies that engage in cross context behavioral advertising or that are treated as a "sale" or "sharing" of personal information under applicable law, we will update this Policy and provide an appropriate opt out mechanism before doing so.

08Third party services and sub processors

We rely on a limited set of trusted vendors to operate the Site and our business. The categories include:

We require our service providers to protect personal information with appropriate technical and organizational safeguards and to process that information only for the purposes we direct. A current list of key sub processors that handle personal information on our behalf is available from our Privacy Officer on request, and we will update that list when a material change occurs, such as the addition of a new sub processor that creates, receives, maintains, or transmits personal information, or the replacement of an existing sub processor. Facility and clinic clients that have signed a Business Associate Agreement will be notified of material sub processor changes before they take effect, consistent with the terms of their BAA, so that they may object prior to the change.

09How we protect information

We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. These include encryption in transit, access controls, logging and monitoring, endpoint protection, security awareness training for our workforce, and contractual safeguards with our vendors. No system is impenetrable, however, and we cannot guarantee the absolute security of information transmitted to or from the Site. Please use reasonable care to protect your own credentials, devices, and communications.

10Data retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, to comply with our legal, tax, accounting, or regulatory obligations, to resolve disputes, or to enforce our agreements. The specific retention period depends on the type of information, the purpose for which it was collected, and any legal retention requirements that apply. When personal information is no longer needed, we will delete, de identify, or archive it with appropriate protections.

11Your choices and rights

Depending on where you live and the nature of your interaction with us, you may have the following rights with respect to your personal information:

• the right to request confirmation of whether we process your personal information and access to that information;
• the right to request correction of inaccurate personal information;
• the right to request deletion of personal information, subject to exceptions permitted by law;
• the right to request a copy of your personal information in a portable format;
• the right to opt out of targeted advertising, the "sale" of personal information, or the processing of sensitive personal information, where applicable;
• the right to opt out of marketing communications; and
• the right to not receive discriminatory treatment for exercising any of these rights.

To exercise any of these rights, contact us using the information in Section 21. We may need to verify your identity, typically by matching information you provide against information we already have, before responding. If we cannot verify your identity through reasonable measures, we may request additional information or decline the request. You may also appoint an authorized agent to submit a request on your behalf, in which case we will require proof of authorization and, where applicable, verification of your identity directly.

Consistent with the 21st Century Cures Act information blocking rule at 45 CFR Part 171, SwitzerHealth and the Practice will not engage in practices likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information, except where an exception permitted by that rule applies.

12Utah residents

If you are a Utah resident, the Utah Consumer Privacy Act (UCPA), Utah Code Title 13 Chapter 61, grants you certain rights with respect to the personal data we process about you as a consumer in an individual or household context. These rights include the right to confirm whether we process your personal data, the right to access your personal data, the right to delete personal data you provided to us, the right to obtain a portable copy of your personal data, and the right to opt out of the processing of personal data for targeted advertising or the sale of personal data, where applicable.

To exercise these rights, contact us using the information in Section 21. We will respond within the timeframe required by the UCPA, which is generally forty five (45) days, subject to extension as permitted by law. The UCPA does not provide a right to appeal a decision on a consumer request, but we will nonetheless work in good faith to address any concerns you raise about our handling of your information.

The UCPA does not apply to personal data that is governed by HIPAA, the Gramm Leach Bliley Act, or other federal laws that preempt its requirements. For PHI, please refer to the HIPAA Notice of Privacy Practices.

13California residents

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (together, the "CCPA"), provides specific rights regarding your personal information. The categories of personal information we have collected in the preceding twelve months and the corresponding business or commercial purposes are described in Sections 3 and 4. The categories of sources are described in Section 3. The categories of third parties with which we share information are described in Section 5 and Section 8.

Your California rights

• Right to know. You have the right to request that we disclose to you the categories and specific pieces of personal information we have collected about you, the categories of sources from which that information was collected, the business or commercial purposes for collecting or sharing the information, and the categories of third parties with whom we shared it.
• Right to delete. You have the right to request that we delete personal information we collected from you, subject to exceptions allowed by law.
• Right to correct. You have the right to request that we correct inaccurate personal information.
• Right to opt out. You have the right to opt out of the "sale" or "sharing" of your personal information for cross context behavioral advertising. As stated in Section 7, we do not currently engage in such activities.
• Right to limit use of sensitive personal information. We do not use or disclose sensitive personal information for purposes that would require us to offer this right under the CCPA.
• Right to non discrimination. We will not deny goods or services to you, charge you different prices, or provide a different level or quality of services because you exercised your CCPA rights.

Sale, sharing, and cross context behavioral advertising

The CCPA defines a "sale" as any exchange of personal information for monetary or other valuable consideration, and defines "sharing" as the disclosure of personal information for cross context behavioral advertising. We do not sell personal information and we do not share personal information for cross context behavioral advertising. You may exercise your right to opt out of sale and sharing at any time, including by transmitting a Global Privacy Control signal from a supported browser or extension, which we will treat as a valid opt out request for the device and browser transmitting the signal. If our practices change in the future, we will update this Policy and provide a clear "Do Not Sell or Share My Personal Information" link on the Site before any sale or sharing begins.

Automated decision making

We do not use automated decision making or profiling, including profiling using artificial intelligence, to make decisions about you that produce legal or similarly significant effects without meaningful human review. Monitoring alerts generated by our clinical technology are reviewed by licensed clinicians before any clinical decision is made. Website and sales activities such as form scoring or basic personalization do not produce legal or similarly significant effects. If we introduce a use of automated decision making that is subject to the access, opt out, or appeal rights under the CCPA, Colorado Privacy Act, or other state laws, we will update this Policy, provide the required pre use notice, and offer the rights those laws require.

How to exercise your rights

Submit a verifiable consumer request through the contact information in Section 21 or by sending email to the Privacy Officer. We will confirm receipt of your request within ten (10) business days and respond to your verified request within forty five (45) days, which we may extend by an additional forty five (45) days where reasonably necessary. You may also designate an authorized agent to make a request on your behalf by providing signed written authorization and, where applicable, verifying your own identity.

"Shine the Light" (Cal. Civ. Code § 1798.83). California residents may request a list of the categories of personal information we have disclosed to third parties for their direct marketing purposes in the preceding calendar year. We do not currently share personal information for third party direct marketing purposes covered by this law.

14Colorado, Connecticut, Virginia, Washington, and other state residents

If you are a resident of Colorado, Connecticut, Virginia, or another state with a comprehensive privacy law, you may have rights similar to those described in Sections 11 through 13, including the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of targeted advertising or the sale of personal data, where applicable. You may also have the right to appeal a decision on a privacy request. To exercise any of these rights, or to appeal a decision, contact us using the information in Section 21. We will respond within the timeframe required by applicable law. Rights under these laws may be subject to exceptions, including exceptions for data processed under HIPAA.

Washington residents: My Health My Data Act

If you are a Washington resident, the Washington My Health My Data Act (RCW 19.373), known as the "MHMDA," grants additional rights with respect to "consumer health data" that we collect outside the scope of HIPAA. Consumer health data under MHMDA broadly includes personal information that identifies a consumer's past, present, or future physical or mental health status, including precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies. MHMDA does not apply to PHI or to information regulated by HIPAA, HITECH, 42 CFR Part 2, or certain other federal laws; those protections are governed by our HIPAA Notice of Privacy Practices.

For consumer health data that does fall within MHMDA:

• We will not collect, use, or share your consumer health data for any purpose other than to provide the product or service you requested, unless you have given valid, affirmative, opt in consent for that specific purpose, or in the narrow circumstances where MHMDA permits processing without consent (for example, to comply with law or to protect vital interests).
• We will not share consumer health data with a third party without your separate, specific written authorization that meets the requirements of RCW 19.373.060.
• We do not and will not sell consumer health data as defined by MHMDA. MHMDA broadly prohibits the sale of consumer health data without a valid, signed consumer authorization that meets strict statutory content requirements, which we do not solicit.
• You may request confirmation of whether we collect, share, or sell your consumer health data, access a list of third parties and affiliates with which we have shared or sold it, withdraw your consent at any time, and request deletion of your consumer health data, subject to the limited exceptions permitted by MHMDA.
• To exercise any of these rights, contact us using the information in Section 21. We will honor valid deletion requests by deleting the data from our active systems, notifying any third party to which we disclosed the data, and directing any processor or contractor that handles the data on our behalf to do the same.
• You may also file a complaint with the Washington State Attorney General. MHMDA provides a private right of action under the Washington Consumer Protection Act.

Geofencing: We do not, and will not, use geofencing to identify or track consumers seeking health care services at a health care facility, to collect consumer health data from consumers within a geofence, or to send messages, notifications, or advertisements to consumers within a geofence related to their consumer health data or health care services.

15International visitors

The Site and our services are directed exclusively at residents of the United States. We do not offer our services to, and we do not intend to collect personal information from, individuals located in the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions outside the United States. We do not target our marketing, payment processing, language support, or site functionality at those jurisdictions, and we do not undertake to comply with the General Data Protection Regulation, the United Kingdom Data Protection Act, the Swiss Federal Act on Data Protection, or similar non United States privacy laws.

SwitzerHealth is a United States company, and our servers and service providers are primarily located in the United States. If you access the Site from outside the United States, your personal information will be transferred to, stored in, and processed in the United States. The laws of the United States may differ from the laws of your country and may not provide the same level of protection. By using the Site, you consent to the transfer of your information to the United States and to processing in accordance with this Policy, and you represent that your use of the Site does not violate the laws of the country from which you access it.

16Children's privacy

The Site is intended for adult professionals and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If a parent or guardian believes that we have inadvertently collected personal information from a child under 13, please contact us using the information in Section 21 and we will promptly delete the information in accordance with the Children's Online Privacy Protection Act.

17Do Not Track and Global Privacy Control

Some browsers offer a "Do Not Track" (DNT) signal. There is no industry standard for how companies should respond to DNT signals, and we do not currently respond to browser DNT signals. We do honor Global Privacy Control (GPC) signals as an opt out of sale and sharing for cross context behavioral advertising where required by applicable law.

18Marketing communications and TCPA

With appropriate permission and as permitted by law, we may send you marketing communications about our services by email, phone, or SMS text message. For phone and SMS communications, we rely on your express consent where required by the Telephone Consumer Protection Act and comparable laws, and we apply internal do not call controls.

You may opt out of marketing emails at any time by using the unsubscribe link in any marketing email we send. You may opt out of SMS marketing by replying STOP to any SMS from us, which will trigger a confirmation message, or by emailing us using the contact information in Section 21. Even if you opt out of marketing communications, we may continue to send you transactional or administrative messages, such as replies to your inquiry, service updates, or legally required notices.

19Data breach notification

In the event of a security incident affecting personal information, we will notify affected individuals and applicable regulators as required by law. Notification content, timing, and recipients will comply with the specific requirements of each applicable statute. The laws most likely to apply to us include:

• HIPAA and HITECH breach notification rule (45 CFR Part 164, Subpart D). Applies to breaches of unsecured protected health information ("PHI") handled by the Practice or by SwitzerHealth, LLC acting as a business associate. See the HIPAA Notice of Privacy Practices for details.
• State breach notification statutes. We will notify residents, the attorney general, and, where required, consumer reporting agencies in each state where affected individuals reside. This includes, without limitation, the Utah Protection of Personal Information Act, the California Customer Records Act, the Washington My Health My Data Act, the Texas Business and Commerce Code breach statute, the New York SHIELD Act, and comparable laws in other states where we or our clients operate.
• FTC Health Breach Notification Rule (16 CFR Part 318). The FTC's Health Breach Notification Rule ("HBNR") applies to vendors of personal health records, related entities, and third party service providers that handle consumer health information not covered by HIPAA, such as certain health and wellness apps. To the extent any of our activities fall outside HIPAA and within the scope of the HBNR, as amended by the FTC's 2024 final rule, we will notify affected individuals, the FTC, and, for breaches involving 500 or more individuals, prominent media outlets, within the timeframes required by the rule.

Where more than one breach notification law applies to the same incident, we will follow the most protective rule.

20Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. Material changes will be highlighted through a conspicuous notice on the Site or by another reasonable means. We encourage you to review this Policy periodically. Your continued use of the Site after the effective date of the revised Policy constitutes your acceptance of the revised Policy.

21Contact our Privacy Officer

To exercise any right described in this Policy, ask a question about our privacy practices, appeal a decision, or report a concern, contact our Privacy Officer.

If you believe we have not adequately addressed your privacy concern, you may also contact your state attorney general's office. Utah residents may contact the Utah Division of Consumer Protection. California residents may contact the California Privacy Protection Agency or the California Attorney General. Residents of other states may contact their respective attorneys general.