Privacy Policy

1. Introduction

Procure Healthcare ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our website and services.

2. Information We Collect

Information You Provide

• Contact Information: Name, email address, phone number, and company information when you request a demo, contact us, or create an account.
• Business Data: Healthcare spend data, employee counts, geographic information, and other data you provide for analysis purposes.
• Communications: Information you provide when you communicate with us.

Automatically Collected Information

• Usage Data: Information about how you interact with our Services, including pages visited, features used, and time spent.
• Device Information: Browser type, operating system, device type, and IP address.
• Cookies: We use cookies and similar technologies to enhance your experience and collect usage information.

3. How We Use Your Information

We use collected information to:

• Provide, maintain, and improve our Services
• Process and respond to your requests
• Generate analyses and reports you request
• Communicate with you about our Services
• Ensure security and prevent fraud
• Comply with legal obligations

4. HIPAA Compliance and Protected Health Information

When Procure Healthcare provides services to group health plans, health insurance issuers, or other HIPAA covered entities that involve access to Protected Health Information (PHI), we act as a "Business Associate" as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

Business Associate Agreements

Before we receive, access, maintain, or transmit any PHI on behalf of a covered entity, we will enter into a Business Associate Agreement (BAA) that complies with 45 CFR § 164.504(e). We will not request or accept PHI until a BAA is fully executed.

Permitted Uses and Disclosures of PHI

When acting as a Business Associate, we will only use or disclose PHI:

• As permitted or required by our Business Associate Agreement
• As required by law
• For the proper management and administration of our business, if the disclosure is required by law or we obtain reasonable assurances from the recipient

We apply the "minimum necessary" standard when using or disclosing PHI, limiting our use to the minimum amount needed to accomplish the intended purpose.

PHI Safeguards

We implement administrative, physical, and technical safeguards including:

• Administrative: Workforce training, access management policies, designated privacy and security officers, regular risk assessments
• Physical: Facility access controls, workstation security, device and media controls
• Technical: Encryption of PHI at rest and in transit (AES-256 and TLS 1.2+), access controls and authentication, audit logging and monitoring, automatic session termination

Subcontractors

We require any subcontractors that create, receive, maintain, or transmit PHI on our behalf to agree to the same restrictions and conditions that apply to us as a Business Associate, including entering into appropriate Business Associate Agreements.

Breach Notification

In the event of a breach of unsecured PHI, we will notify the applicable covered entity without unreasonable delay, and in no case later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414). Our notification will include the information required under 45 CFR § 164.410.

Individual Rights Regarding PHI

HIPAA provides individuals with certain rights regarding their PHI. When we receive requests related to these rights, we will assist the covered entity in responding as required by our BAA. These rights include:

• Right to Access: Individuals may request access to their PHI that we maintain
• Right to Amendment: Individuals may request amendment of their PHI that they believe is inaccurate or incomplete
• Right to Accounting: Individuals may request an accounting of certain disclosures of their PHI
• Right to Restriction: Individuals may request restrictions on certain uses and disclosures of their PHI
• Right to Confidential Communications: Individuals may request to receive communications regarding their PHI by alternative means or at alternative locations

De-Identified Data

Where possible, we design our analyses to use de-identified data that does not constitute PHI under HIPAA. Data is considered de-identified when it meets the requirements of 45 CFR § 164.514(b), either through expert determination or safe harbor methods.

Contact for HIPAA Matters

For questions or concerns regarding our HIPAA compliance practices, or to exercise rights related to PHI, please contact us.

5. GDPR and European Data Protection

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable local data protection laws.

Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract: Processing necessary to provide our Services to you or to take steps at your request before entering into a contract.
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services, marketing, and fraud prevention, where these interests are not overridden by your rights.
• Consent: Where you have given consent for specific processing activities, such as analytics cookies or marketing communications.
• Legal Obligation: Processing necessary to comply with our legal obligations.

Your Rights Under GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data in certain circumstances.
• Right to Restrict Processing: Request that we limit how we use your personal data.
• Right to Data Portability: Request a copy of your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, please contact us. We will respond to your request within one month, as required by law.

International Data Transfers

Your personal data may be transferred to and processed in countries outside the EEA, including the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transfers to countries with an adequacy decision.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. When determining retention periods, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, and applicable legal requirements.

Supervisory Authority

If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.

Contact for GDPR Matters

For questions or concerns regarding our GDPR compliance or to exercise your data protection rights, please contact us.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities and to distinguish you from other users of our website.

Types of Cookies We Use

• Essential Cookies: Required for the website to function properly. These cannot be disabled.
• Analytics Cookies: Help us understand how visitors interact with our website by collecting anonymous usage data. We use Google Analytics for this purpose.
• Preference Cookies: Remember your settings and preferences, such as language or theme.

Managing Cookies

When you first visit our website, we will ask for your consent before placing non-essential cookies. You can change your cookie preferences at any time by clearing your browser cookies and revisiting the site, or by adjusting your browser settings to block or delete cookies.

Please note that blocking certain cookies may impact your experience on our website and limit the services we can provide.

Do Not Track

Some browsers include a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals, but we do respect cookie consent preferences as described above.

7. Information Sharing

We do not sell your personal information. We may share information with:

• Service Providers: Third parties who perform services on our behalf (hosting, analytics, customer support) under appropriate confidentiality agreements.
• Legal Requirements: When required by law, legal process, or to protect our rights, safety, or property.
• Business Transfers: In connection with a merger, acquisition, or sale of assets.
• With Your Consent: When you have given us permission to share your information.

8. Data Retention

We retain your information for as long as necessary to provide our Services and fulfill the purposes described in this Policy, unless a longer retention period is required by law.

9. Your Rights and Choices

Depending on your location, you may have rights to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your information
• Opt out of marketing communications
• Object to or restrict certain processing

To exercise these rights, please contact us. See also Section 5 above for specific rights under GDPR.

10. Security

We implement appropriate technical and organizational measures to protect your information. However, no method of transmission over the Internet or electronic storage is completely secure.

11. Third-Party Links

Our Services may contain links to third-party websites. We are not responsible for the privacy practices of these websites.

12. Children's Privacy

Our Services are not directed to individuals under 18. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on our website with a new "Last updated" date.

14. Contact Us

For questions about this Privacy Policy or our data practices, please contact us.