This notice supplements the Privacy Policy (“privacy policy”) and applies to personal data defined as “consumer health data” subject to the Washington My Health My Data Act and similar state laws, including for residents of Nevada (“applicable law”). This privacy policy only applies when Persona is acting as a Regulated Entity with respect to consumer health data. In most cases, Persona is acting as a “processor” to other Regulated Entities and is subject to those entities’ instructions.
Consumer Health Data We Collect
As described in the Personal Data We Collect and Process section of the privacy policy, the data we collect depends on how you interact with us, the services you use, and the choices you make. Because consumer health data is defined very broadly, some of the categories of data we collect are or could be considered consumer health data.
Such data may also be categorized as follows:
- Measurements of bodily functions, vital signs, or characteristics, including photographs, which may also be considered biometric information under applicable law; and
- Other information that may be used to infer or derive data related to the above or other health information
Sources of Consumer Health Data
As described further in the Personal Data We Collect and Process section of the privacy policy, we collect personal data (which may include consumer health data) directly from you, from your interactions with our products and services, from third parties, and from publicly available sources
Why We Collect and Use Consumer Health Data
We collect and use consumer health data for the purposes described in the Personal Data We Collect and Process and Facial Scan and Biometrics Information sections of the privacy policy. Primarily, we collect and use consumer health data as reasonably necessary to provide you with the services you have requested or authorized. This may include delivering and operating the services and their features, personalization of certain service features, ensuring the secure and reliable operation of the services and the systems that support them, troubleshooting and improving the services, and other essential business operations that support the provision of the services (such as analyzing our performance, meeting our legal obligations, developing our workforce, and conducting research and development).
We may use consumer health data for other purposes for which we obtain your consent as required by law. See the Your Rights and Choices section of the privacy policy and the How to Exercise Your Rights section below for more details on the controls and choices you may have.
Our Disclosure of Consumer Health Data
We may disclose each of the categories of consumer health data described above for the purposes described in the How We Disclose Personal Data and Facial Scan and Biometrics Information sections of the privacy policy. In particular, we may disclose personal data, including consumer health data, with your consent or as reasonably necessary to complete any transaction or provide any service you have requested or authorized, as described in the previous section above. We disclose data to companies that constitute “processors” under applicable law to help provide our service.
For example, if you use the Persona service to verify your identity as part of our service offered to our business customers (“Customers”), we will disclose information about the transaction as necessary to deliver the Persona service, including protection against fraud. We use service providers or “processors” to help provide the service, for example to provide cloud-based storage. And we may disclose data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process.
Third Parties with Which We Share Consumer Health Data
As necessary for the purposes described above, we share consumer health data with the following categories of third parties:
- Parties to a corporate transaction. We may disclose consumer health data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
- Government agencies. We will disclose consumer health data to law enforcement or other government agencies when we believe doing so is necessary to comply with applicable law or respond to valid legal process.
- Other third parties. In certain circumstances, it may be necessary to provide data to other third parties, for example, to comply with the law or to protect our rights or those of our customers.
How to Exercise Your Rights
MHMDA provides certain rights with respect to consumer health data, including rights to access, delete, or withdraw consent relating to such data, subject to certain exceptions. You can request to exercise such rights using the mechanisms described in the Your Rights and Choices section of the privacy policy.
If your request to exercise a right under the MHMDA is denied, you may appeal that decision by following the process provided in the denial. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington Attorney General at https://www.atg.wa.gov/file-complaint. If you have further concerns or questions regarding the processing of your consumer health data, please email [email protected].
We may update this Consumer Health Data Privacy Policy. If we do, we will notify you by emailing you the updated Policy and, if required under applicable law, ask for your consent prior to making the Policy effective.