Privacy Policy

Effective Date: 01.19.2024

Thank you for visiting Willow Health Services, Inc. (“Willow Health Services”) website https://startwillow.com/ (the “Site”), contacting Willow Health Services, and/or using any Willow Health Services mobile and online applications or services (the “Services”). This Privacy Policy is intended to describe how Willow Health Services handles information that you provide, or that we learn about the individuals who: visit our website, use our Services, contact us by mail, email or telephone or in person, or who provide us with information through any other means. We recommend that you carefully review this notice before providing us with any information. By accessing and using this Site or the Services, you agree to this Privacy Policy and our Terms of Service.

BY VISITING OR USING THE SERVICES, YOU EXPRESSLY CONSENT TO THE PROCESSING OF YOUR PERSONAL INFORMATION ACCORDING TO THIS PRIVACY POLICY.  IF YOU DO NOT AGREE WITH OUR POLICIES AND PRACTICES, YOUR CHOICE IS TO NOT USE THE SERVICES.  THE SERVICES ARE INTENDED FOR USERS LOCATED IN THE UNITED STATES AND YOUR INFORMATION WILL BE PROCESSED AND STORED IN THE UNITED STATES.  WE MAKE NO REPRESENTATION THAT THE SERVICES ARE APPROPRIATE OR AVAILABLE FOR USE OUTSIDE THE UNITED STATES.  ACCESS TO THE SERVICES FROM COUNTRIES OR TERRITORIES OR BY INDIVIDUALS WHERE SUCH ACCESS IS ILLEGAL IS PROHIBITED.  THE SERVICES MAY ONLY BE USED WITHIN CERTAIN STATES WITHIN THE UNITED STATES AS DESCRIBED IN OUR TERMS OF SERVICE.

Willow Health Services IS NOT A MEDICAL PROVIDER.  Willow Health Services CONNECTS USERS WITH MEDICAL PROVIDERS WHO PROVIDE MEDICAL CONSULTATIONS AND PHARMACIES THAT FILL PRESCRIPTIONS ISSUED BY THE MEDICAL PROVIDERS.  THE MEDICAL PROVIDERS INCLUDE Willow Health Services MEDICAL OF CALIFORNIA, INC, (“MEDICAL PRACTICE”) AN INDEPENDENT MEDICAL GROUP WITH A NETWORK OF MEDICAL PROVIDERS (EACH, A “PHYSICIAN”).  Willow Health Services IS NOT RESPONSIBLE FOR THE USE OR DISCLOSURE OF YOUR INFORMATION BY PHYSICIANS.  We Do Not Sell Your Personal Information

Willow Health Services does not, to the best of our knowledge, sell or rent personal information that we have collected or retained about you to any other third-party for any purpose. Accordingly, we do not offer individuals the ability to “opt-out” of the selling or renting of personal information because we do not engage in those practices. Children’s Privacy

The Willow Health Services website and Services are not intended for children under the age of 18 years, and Willow Health Services does not knowingly collect any information from children under 18 years old through its website. If the parent or guardian of a child under 18 believes that the child has provided us with any information, the parent or guardian of that child should contact us if they want this information deleted from our files. If Willow Health Services obtains knowledge from any source that it has information about a child under 18 in retrievable form in its files, we will delete that information from our existing files.What Information Does Willow Health Services Collect and How Is It Used?

Registration Information
Willow Health Services will only collect personal information that you voluntarily provide to us or our service providers. When you register to use the services, we may collect information from you that includes, among other things, your name, mailing address, birthdate, e-mail address, telephone number, image of your photo ID and the information contained thereon, and your interest in specific types of products and/or services.  You may also voluntarily provide us with personal information when you contact us with a question or comment or otherwise interact with the Services.

Health Information‍
When you use the Services to request access to products offered for sale on the Services, you may provide us with additional information related to your general health, medical history, symptoms, pre existing conditions or other information that you may consider sensitive (“Health Information”).  We collect this information for the Willow Health Services  healthcare professional to use for consultation and treatment, and to coordinate the sale and dispensing of prescription medications  by our affiliated pharmacies.  You must truthfully, accurately, and thoroughly answer all of the health questions presented to you in order for the physicians reviewing your case to make an accurate assessment of the suitability of treatment options.

Willow Health Services is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996, and its related regulations (“HIPAA”).  The medical professionals and pharmacies who provide services to you may or may not be covered entities under HIPAA.  Click here for the Notice of Privacy Practices adopted by the Medical Practice, and the Notice of Privacy Practices adopted by the Pharmacies, that describe how the Medical Practice and Pharmacies use and disclose your Health Information.  Willow Health Services is not responsible for the privacy, information or practices of third parties, including the Physicians.  Willow Health Services may be considered a “business associate” of Medical Practice and our affiliated pharmacies.  If we are considered a “business associate,” then we will protect your Health Information and disclose it only in accordance with HIPAA.  However, we may use and disclose any information that does not constitute Health Information in any manner permitted under this Privacy Policy.  This includes, for example, any information you provide to Willow Health Services in order to register and set up an account.  In addition, Health Information does not include information that has been de-identified in accordance with applicable laws.

We may collect your medical information on behalf of the Medical Practice and Pharmacies which may include:Health and medical information that you submit for diagnosis and treatment purposes, including any information in a questionnaire,Images or videos that you share for diagnosis or treatment purposes,Communications with the Physicians.In addition to information that we collect directly from you, we may also collect information from the Medical Practice and/or Pharmacies who provide treatment and other services to you in connection with the Services and enter your medical information in the electronic medical record provided to them on the Website.  This information may include diagnoses and treatment plans (including prescription details).

Willow Health Services and/or Medical Practice may de-identify your information so that it is no longer considered protected health information.  Willow Health Services may disclose, aggregate, sell, or otherwise disclose such de-identified information to third parties for analytics, research, or other purposes.

Purchase Information
Willow Health Services uses “Stripe,” a secure payment provider, to process your payments if you use the Services to make a purchase. Your payment information is subject to the privacy policy and terms of use of Stripe. We recommend you review these policies before uploading any credit card information.  Stripe does not have access to your credit card information and does not store this information on our servers.  

Non-Personal Information
Like most website operators, Willow Health Services collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request when visitors use the Services. Willow Health Services’s purpose in collecting non-personally identifying information is to better understand how Willow Health Services’s visitors use the Services. From time to time, Willow Health Services may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its Services.  Willow Health Services also collects potentially personally-identifying information like Internet Protocol (IP) addresses and may collect statistics about the behavior of visitors to the Services. For instance, Willow Health Services may monitor the Services to help identify spam.  We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking).

In addition to log data, we may also collect information about the device you’re using to access the Services, including the type of device, the operating system, device settings, device identifiers and crash data. Whether we collect some or all of this information often depends on what type of device you’re using and its settings.  To learn more about the information your device makes available to us, please review the policies of your device manufacturer or software provider.
We do not collect personal information automatically, but we may tie this information to personal information about you that we collect from other sources or you provide to us.

In addition, we may use third party services such as Google Analytics that collect, monitor and analyze this type of information in order to increase the Services’ functionality. These third-party service providers have their own privacy policies addressing how they use such information.

How we use your information
We use the information we collect to provide you full access and functionality of the Services.  Accordingly, your information may be used for the following purposes: (i) to provide and improve our services, features and content; (ii) to administer your use of our services and accounts; (iii) to enable users to enjoy and easily navigate the Services; (iv) to better understand your needs and interests; (v) to fulfill requests or to respond to questions or comments you may make; (vi) to personalize your experience; (vii) to provide you with announcements, notifications and advertisements related to your interests and use of the Services and other communications such as electronic newsletters, promotional emails or similar messaging; (viii) to provide service announcements; (ix) to protect against users seeking to hack into the Services; (x) to assess the level of general interest in the Services;  (xi) for any other purpose with your consent.

Unless the information is fully anonymized and cannot be used to identify you as an individual, we will only use Health Information as reasonably necessary to provide you with services you directly request.  

With Whom Do We Share Your Information?
Personal Information
In order to provide you with access to the Services, certain third parties that perform services for Willow Health Services, such as hosting, analytical, data management or other similar services or are otherwise acting on our behalf (“Service Providers”) may have access to your personal information, including your Health Information.  Service Providers are authorized to use your information only to perform the service for which they are hired and may not share your information with any third parties. They are required to abide by the terms of our Privacy Policy including taking reasonable measures to ensure your personal information is secure. On occasion, we contract with trusted third-party providers who would receive your personal information or Health Information and conduct anonymized aggregate analyses of the data. Through our contractual arrangements, we require our contracting partners to maintain adequate security of personal information provided to them. We do not permit such third parties to sell your personal information to other third parties.

Other Ways We May Share your Personal Information
We may share the information you provide Willow Health Services, including your personal information and Health Information with the medical professionals and pharmacies that provide services to you to enable them to continue providing services to you via the Services.

We may disclose non-personally identifiable aggregated information about our users without restriction.

Other than to our employees, contractors and affiliated organizations or as described above, we disclose personally-identifying only when required to do so by law, or when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Willow Health Services, third parties or the public at large.  If you send us a request (for example via chat, a support email or via one of our feedback mechanisms), we reserve the right to publish it in order to help us clarify or respond to your request or to help us support other users.

In addition, in some cases we may choose to buy or sell assets. In these types of transactions, user information is typically one of the business assets that is transferred. Moreover, if Willow Health Services or substantially all of its assets were acquired, or in the unlikely event that Willow Health Services goes out of business or enters bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of Willow Health Services may continue to use your personal and non-personal information only as set forth in this policy. Otherwise, we will not rent or sell potentially personally-identifying and personally-identifying information to anyone.

We may also disclose your personally-identifying information if you expressly consent to the disclosure.

Security
We are committed to protecting your Personal Information and Health Information. We regularly test our facilities and use a variety of security technologies and procedures to help protect your  information from unauthorized access, use or disclosure.
‍‍‍‍ ‍

Our Data Retention Criteria
The period during which we store your personal information varies depending on the purpose for the processing. For example, we store personal information needed to provide you with products and services, or to facilitate transactions you have requested, for so long as you are a customer of Willow Health Services. We store your personal information for our marketing purposes until you have opted-out of receiving further direct marketing communications in accordance with applicable law. In all other cases, we store your personal information for as long as is needed to fulfill the purposes outlined in this Privacy Policy, following which time it is either anonymized (where permitted by applicable law), deleted or destroyed.  The medical providers may dispose of or delete any such information except as set forth in any other agreement or document executed by the medical providers or as required by law.

Our Use of Cookies and Analytical Tools
Cookies are text files containing small amounts of information which are downloaded to your hard disk or to your browser's memory when you visit one of our Sites. Cookies are useful because they help arrange the content and layout of our Sites and allow us to recognize those computers or other devices that have been to our Sites before. Willow Health Services does not permit third parties or third-party cookies to access any communications that you have with medical providers or medical information that you submit to medical providers for diagnosis and treatment purposes.  Cookies do many different jobs, such as allowing our Sites to remember your preference settings and helping us to enhance the usability and performance of our Sites and your experience using them. Our Sites also may contain electronic images known as web beacons – sometimes called single-pixel gifs – that allow us to count the number of users who have visited specific pages. We may also include web beacons in promotional e-mail messages or newsletters in order to determine whether messages have been opened and acted upon. The type of cookie or similar technology that may be used on our Sites can be categorized as follows: Strictly Necessary, Performance, Functionality & Profile, and Advertising.Strictly Necessary Cookies. These cookies are essential for basic functionalities of the Site, and they enable you to move around our Sites and use their features, particularly in connection with information searches and order placement. Without these cookies, services you have asked for cannot be provided. These cookies do not gather information about you that could be used for marketing or remembering where you have been on the internet. Examples of strictly necessary cookies are a shopping basket cookie, which is used to remember the products that you wish to purchase when you add products to your shopping basket or proceed to checkout, a login/ authentication cookie which allows and manages your login to the Site and identifies you after logging in for a single session, a session cookie which is required to carry out the data transmission and provide the Site to you, a security cookie that detects repeat failed login attempts or similar abuses of the Sites. These types of cookies are regularly stored only as long as required for their purpose.Performance Cookies. These cookies collect information about how you use our Sites, for example which pages you go to most often and if you get any error messages from certain pages. These cookies collect information that is used to improve how our Sites work. Without these cookies we cannot learn how our Sites are performing and make relevant improvements that could better your browsing experience. Examples of performance cookies that our Sites use include cookies from Google and Adobe Analytics (see further discussion below).Functionality & Profile Cookies. These cookies allow our Sites to store information that you provide, such as preferences, and to store technical information useful for your interactions with our Sites. For instance, they remember your user ID and elements of your user profile. They also ensure that your experience using the Sites is relevant to you. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. These cookies will not be used to track your browsing activity on other websites.  Without these cookies, a website cannot remember choices you have previously made or personalize your browsing experience. For example, we use a cookie to store your language preferences, which allows us to present you with product search results in the correct language, and we use a cookie to store your choice about the appearance of the cookie information banner that we display on our Sites. This cookie will help us remember your choice about the appearance of the cookie information banner when you subsequently visit the same site where you made your choice about the banner and any other Willow Health Services sites with the same domain or the same top-level domain. Advertising Cookies and Similar Technologies. These cookies or similar technologies may be used to deliver advertisements that are more relevant to you and your interests. They may also be used to limit the times you see an advertisement as well as help to measure the effectiveness of the advertising campaign. These cookies may track your visits to other websites. Without these cookies or other technologies, online advertisements you encounter will be less relevant to you and your interests. Setting your cookie preference

You can usually modify your browser settings to decline cookies and you can withdraw your consent at any time by modifying the settings of your browser to reject or disable cookies or by opting out of specific cookies through the opt-out options shared below. If you choose to decline cookies altogether, you may not be able to fully experience the features of the Sites that you visit.

Our use of web analytics
We use different analytic tools which serve the purpose of measuring, analyzing and optimizing our marketing measures and provide you with customized advertisements that could be of particular interest to you. In particular, we use the following tools: Google Analytics uses cookies which enable an analysis of your use of the Sites. The information collected (IP address, browsing activities and other data linked to your usage of the Sites) is usually transferred to a Google server in the USA and stored there.  You can prevent Google Analytics from recognizing you on return visits to the Sites by disabling cookies on your browser. To see how you can opt-out of certain Google features, visit: Google Analytics Opt Out Link. Facebook Pixels allow user behavior to be tracked after they have been redirected to our website by clicking on a Facebook ad.  This enables us to measure the effectiveness of Facebook ads for statistical and market research purposes.  Facebook may link his information in your Facebook account and use it for its own promotional purposes.   Mixpanel analyzes customer-driven event data and creates funnel reports so we can better understand how our users interact with the Services.  Segment collects user events from the Services and provides a data toolkit to allow us to use the data more efficiently.

Your Rights and Responsibilities
You are permitted, and hereby agree, to only provide personal information to Willow Health Services if such personal information is accurate, reliable, and relevant to our relationship and only to the extent such disclosure will not violate any applicable data protection law, statute, or regulation.  
You may have certain rights under applicable data protection law with respect to personal information about you that is collected through the Sites or when you contact or otherwise engage with us. To exercise any of these data privacy rights, please contact us, or have your authorized agent contact us, in accordance with the “Contact Us” section listed below. In the event you submit, or your authorized agent submits on your behalf, a data request, you (and your authorized agent) hereby acknowledge and agree, under penalty of perjury, that you are (or the authorized agent of) the consumer whose personal information is the subject of the request. We will respond to any data requests within the timeframes required by law, and we may charge a fee to facilitate your request where permitted by law.

Marketing.
You have the right to opt-out of receiving electronic direct marketing communications from us.  All electronic direct marketing communications that you may receive from us, such as email messages, will give you an option of not receiving such communications from us in the future.

California Privacy Rights.  
California Civil Code Section § 1798.83 permits users of the Sites that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. Pursuant to the California Consumer Privacy Act of 2018, as amended (“CCPA”), California residents may have certain data privacy rights, such as the right to be notified about what personal information categories are collected about you, and our intended use and purpose for collecting your personal information. You may have the right to request access to your personal information and, to the extent feasible, request that it be transmitted in certain forms and formats.  You may have the right to request that we (and any applicable service provider) delete your personal information. You have the right not to be subject to discrimination for asserting your rights under the CCPA.  

If you make, or an authorized agent on your behalf makes, any request related to your personal information, Willow Health Services will ascertain your identity to the degree of certainty required under the CCPA before addressing your request.  Willow Health Services may require you to match at least three pieces of personal information we have previously collected from you before granting you access or otherwise responding to your request.  

Do Not Track.
Some web browsers may transmit “do-not-track” signals to the Sites with which the user communicates. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they even are aware of them. We currently do not take action in response to these signals.

European Union (EU) Privacy Disclaimer
Willow Health Services processes personal information in accordance with the legal bases set forth in the EU General Data Protection Regulation (GDPR) or EU Member State law. For example, our processing of Personal Data on individuals (as described above) is justified based on statutory provisions that (1) processing is based on the consent; (2) processing is necessary for Willow Health Services’s  legitimate interests as set out herein; and (3) processing is necessary for the performance of a contract to which you are a party. If you are in the EU or afforded protection under the GDPR, you may have certain rights with respect to the Personal Data. To the extent permitted by applicable data protection laws, you may access the Personal Data we hold about you; request that inaccurate, outdated, or no longer necessary information be corrected, erased, or restricted; and, request that we provide your Personal Data in a format that allows you to transfer it to another service provider. You also may withdraw your consent at any time where we are relying on your consent for the processing of your Personal Data. You may object to our processing of your Personal Data where that processing is based on our legitimate interest. You have the right to lodge a complaint with your competent data protection authority. If you wish to exercise any of these rights, please contact us in accordance with the instructions provided below.

Nevada Privacy Disclaimer
Pursuant to Nevada law, a Nevada “consumer” (as the term is defined therein), may, at any time, submit a verified request through a designated request address to an “operator” directing the operator not to make any sale of his or her personal information that the operator has collected or will collect about the consumer. For clarity purposes, Willow Health Services does not sell or exchange your personal information for monetary consideration to a third party for the third party to license or sell the information to additional persons or parties.

Links to Third-Party Websites
The Services may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

Changes to This Privacy Policy
We may occasionally update this Privacy Policy. When we do, we will revise the “last updated” date at the top of the Privacy Policy and take such additional steps as may be required by law.  We recommend that you periodically review our Privacy Policy for updates.

Contact Us
If you have questions regarding this Privacy Policy, our handling of your personal information, or would like to request more information or exercise a data right, please contact us using the webpage at hello@startwillow.com  or by telephone at (844) 929-1586


Willow Data Security & Practices
Data Security Compliance
Willow Health Services is committed to upholding the highest standards of data security in relation to Protected Health Information (PHI). In alignment with this commitment, we leverage the Amazon RDS (Relational Database Service) for secure data storage.
Security Measures At Rest:Encryption Standards:
Willow Health Services employs AES-256 encryption, an industry-standard, to fortify the security of data at rest. This encryption protocol is applied comprehensively to the storage volume associated with our database instances, ensuring a formidable barrier against unauthorized access.

Key Management Protocols:
Our key management strategy involves meticulous utilization of the AWS Key Management Service (KMS). We exercise the flexibility to implement AWS's default managed keys or establish and manage our custom keys through AWS KMS. This approach provides us with precise control over our encryption keys.

Automatic Backup Encryption:
To guarantee the integrity of our comprehensive data repository, we extend encryption to automatic backups, snapshots, and historical data. This methodical application of encryption safeguards against potential breaches and unauthorized access.
Security Measures In Transit:SSL/TLS Encryption Protocols:
Safeguarding the communication channel between our applications and database instances is prioritized through the application of SSL/TLS encryption. This protocol ensures the encryption of data in transit, safeguarding against unauthorized access during transmission.

Certificate Validation Processes:
Our SSL implementation incorporates rigorous certificate validation processes. By validating the server's SSL certificate, we ensure the authenticity of the connection, mitigating the risk of man-in-the-middle attacks and fortifying the overall security of our data in transit.
Access Controls:IAM Integration:
Willow Health Services seamlessly integrates Amazon RDS with AWS Identity and Access Management (IAM). This integration empowers us to manage access to our RDS resources through meticulous IAM roles and policies, offering fine-grained control over user permissions.

Database User Authentication:
Authentication mechanisms within Amazon RDS empower us to create and manage database users with precise privileges. This granular user management enhances access control, ensuring that interactions with sensitive data are limited to authorized personnel.

Network Security Measures:
Placing our database instances within a Virtual Private Cloud (VPC) establishes network isolation. This strategic placement, combined with the meticulous configuration of security groups, enables us to control inbound and outbound traffic based on IP addresses and ports, reinforcing our network security posture.Commitment to Patient Rights
Patient Rights and Protected Health Information (PHI) SafeguardsAt Willow Health Services, we are committed to upholding the highest standards of patient rights and ensuring the privacy and security of Protected Health Information (PHI). In accordance with the Health Insurance Portability and Accountability Act (HIPAA) and other relevant regulations, we have implemented comprehensive measures to safeguard patient information and respect their rights.
1. Right to Access:Willow Health Services ensures that patients have the right to easily access their own health information. Our processes are designed to facilitate prompt and secure access to medical records, test results, and relevant health documents.
2. Right to Amend:Patients at Willow Health Services have the right to request amendments to their health information. We have established procedures to address such requests, allowing patients to ensure the accuracy and completeness of their PHI.
3. Right to Privacy:Our commitment to patient privacy is paramount. Willow Health Services implements robust safeguards to protect the confidentiality of PHI, maintaining a secure environment for sensitive health information.
4. Right to Request Restrictions:Patients can exercise their right to request restrictions on how their health information is used or disclosed. While Willow Health Services evaluates such requests, it is important to note that restrictions may not always be feasible.
5. Right to Confidential Communication:Willow Health Services respects the right of patients to request confidential communication methods and locations. We take steps to accommodate these preferences to ensure the privacy of health-related communications.
6. Right to Accounting of Disclosures:Our patients have the right to receive an accounting of disclosures of their health information. Willow Health Services maintains thorough records and can provide an account of disclosures made for purposes beyond treatment, payment, and healthcare operations.
7. Right to Notice of Privacy Practices:Patients are informed of our privacy practices through a Notice of Privacy Practices. This document outlines how their health information may be used and disclosed, ensuring transparency in our data handling processes.
8. Right to File a Complaint:Willow Health Services respects the right of patients to file complaints if they believe their HIPAA rights have been violated. We prohibit any form of retaliation against individuals who file complaints and work to address concerns promptly.
9. Right to Data Portability:In situations where applicable, Willow Health Services supports the right of patients to receive a copy of their health information in an electronic format for portability.
10. Right to Opt-Out of Marketing Communications:Willow Health Services respects the right of patients to opt-out of marketing communications, ensuring that explicit authorization is obtained before using PHI for marketing purposes.

Willow Health Services remains committed to the principles of patient rights, privacy, and HIPAA compliance. Our dedicated efforts are focused on providing a secure and confidential environment for patient information, fostering trust and transparency in our healthcare practices.

For more Information
For more information on Willow Privacy Policies contact:

Gray Dorsett
Willow Data Security Office
gray@startwillow.com

For patients requesting updates or changes to medical information contact:

patient-services@startwillow.com