Data We Collect
We don’t sell or rent your Personal Data. Data is collected to provide a tailored healthcare guidance experience — price comparison, insurance integration, and personalized suggestions.
Outfox Health collects personal data such as demographics, interests, preferences, insurance policy details, and health-related information (e.g., lab tests, prescriptions) to provide a tailored healthcare guidance experience. This data helps with price comparison, insurance integration, and personalized suggestions.
Information we collect about you
- Non-Personal Data — information about your internet connection, equipment, web browsers, and pages visited before, during, and after using our Site.
- Cookies & web beacons — used to deliver, communicate, track, and measure performance of our Services.
- Log data — IP address, browser, operating system, pages browsed, time spent, search terms, and links clicked.
- Push notifications — if you opt in, we may collect IP and a persistent device identifier. You can toggle this off in device settings at any time.
Non-Personal Data may become linked to you and your account only after you submit certain Personal Data — for example, by logging into your Site account.
Information you provide
When you register, set up an account, respond to communications, or contact us, we collect Personal Data such as your first and last name(s), mailing address, email, phone, and organization.
Other types we may receive: Geolocation Data when you grant permission (changeable in device settings), and information from third-party social networking services if you choose to access them through our Services.
Use of Data
We do not sell or rent Personal Data to any third parties. We use information collected via clickstream data, web pixels, and cookies to store your preferences, improve site navigation, make personalized features available, generate statistical information, monitor usage, prevent fraud, investigate complaints, and improve our content and Services.
Where you provide registration information, cookies may also identify you when you log in. Except as otherwise stated, we may use information for legitimate business purposes including:
- Respond to requests and provide user support
- Evaluate and improve content of our Services
- Customize the Services to your preferences
- Establish accounts to use the Services
- Communicate information and promotional materials (where you haven’t opted out)
- Maintain account-status records and activity logs
- Notify you of changes to relevant agreements or policies
- Conduct research and analysis
- Enforce our agreements, terms, conditions, and policies
- Work with service providers bound by contractual obligations consistent with this Policy
- Prevent or investigate fraud, comply with legal obligations, or defend legal claims
- Conduct aggregate analysis and develop business intelligence
- Describe our Services to current and prospective business partners
- Other purposes identified to and requested by you (you can withdraw consent at any time)
Performance of a contract
If you’ve created an account, we may also use your information to establish your account, validate your login credentials, respond to your requests, and notify you of changes to relevant agreements or policies. We may use third-party email providers to deliver these communications. This is an opt-in email program; you can opt out at any time.
De-identified & aggregated data
We may anonymize or aggregate data we collect — including de-identified demographic and location data, device information, and market trends — for analysis.
Plan-authorized benefit communications
If you are a Plan Participant, your employer has authorized Outfox Health to send you enrollment invitations, benefit reminders, and educational communications about your employer-sponsored health benefits program (“Benefit Communications”) before and after you activate your Outfox Health account. These communications are made as plan-authorized outreach under HIPAA, 45 C.F.R. §164.506(c)(1), solely in connection with your employer’s health plan and are not marketing. You may opt out of Benefit Communications at any time by following the unsubscribe instructions in any message we send. Opting out does not affect your ability to access the Platform once your account is activated.
How We Share Data
We do not sell or rent Personal Data to marketers or unaffiliated third parties. We may share aggregated, de-identified data with our partners. We will not share Personal Data we collect from or about you except as described below:
- Corporate affiliates — including parents, subsidiaries, and other affiliated entities, all required to treat the information per this Policy.
- Service providers — for hosting, infrastructure, and similar functions. They have access only to perform services on our behalf, are contractually required to comply with applicable data privacy laws, and may not use the data for any other purpose.
- Authorized third parties — parties you’ve directly authorized to receive applicable data. Their use is governed by their own privacy policy.
- Business transfers — in any reorganization, merger, sale, joint venture, assignment, or transfer of all or part of our business or assets (including bankruptcy).
- Legal & safety — as we believe necessary under applicable law; to enforce our terms; to protect our rights, privacy, safety, or property; to address fraud or security issues; or to respond to courts and regulators.
- With your explicit approval — prior to disclosure.
- Aggregated, de-identified data — shared with partners to show how many users viewed or interacted with their materials. This does not identify any individual.
Third-Party Service Providers
We use third-party service providers to help us operate our Services. We use commercially reasonable efforts to engage only with third parties that post a privacy policy governing their use of Personal and Non-Personal Data. You agree that we do not bear responsibility for the actions or policies of third parties.
Hosts our website and associated services.
Helps manage our technology infrastructure and security practices.
Delivers promotional emails. All include an opt-out / unsubscribe link.
Sends contracts to our partners.
Stores and shares documents, some of which include user information.
Sends documents to partners that don’t have other communication methods.
Tracks ad effectiveness and serves retargeted ads using cookies. The Facebook pixel fires only on non-PHI marketing pages and is not present on any page where users access health-related content.
Compiles traffic data. You can opt out via Google’s browser add-on.
Collects page-view events, button clicks, and anonymized session recordings. Data stored in the US.
Displays brief ads, offerings, and remarketing tailored to our content. Tracking fires only on non-PHI marketing pages and is not present on any page where users access health-related content.
Stores and shares documents, some of which include user information.
Provides maps and driving distances for searches on our website.
Identifies potential business partners visiting marketing pages (no medical-provider pages).
Tracks ad effectiveness and serves retargeted ads. The Reddit pixel fires only on non-PHI marketing pages and is not present on any page where users access health-related content.
API platform that lets us exchange health data with healthcare organizations.
APIs for provider ratings and insurance deductibles.
Sends transactional emails (e.g., order confirmations); tracks opens and clicks.
Internal and partner communication; some messages include user information.
Facilitates SMS messaging. Standard message and data rates may apply.
Automates business processes and notifications.
Data Security
We take reasonable steps online and offline to safeguard the Personal Data you provide:
- SSL-encrypted connections (HTTPS)
- Secure multi-tiered firewalls
- Encryption of portions of your data on our storage server
- Secure cloud-based environments with server authentication and industry-standard firewalls
- Unique account identifiers, usernames, and passwords required at login
Transmission of information via the internet is not wholly secure. Any transmission of Personal Data is at your own risk. If you suspect a breach, notify us immediately at info@outfoxhealth.com.
Your Choices & Rights
You can change, edit, update, or delete information through your account settings or by emailing info@outfoxhealth.com. If you reside in certain jurisdictions (such as the EEA or California), you may have additional rights:
- Access — request access to your Personal Data.
- Rectify — request correction of inaccurate data.
- Erase — request deletion of your data, subject to legal exceptions.
- Object & restrict — object to or restrict how we process your data.
- Portability — request a copy of your data in a commonly-used format.
- Withdraw consent — withdraw consent to processing at any time.
Data Retention
Unless otherwise described or requested by you, we retain your data only for the period necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. You may request deletion of your account at any time by emailing info@outfoxhealth.com. Once deleted, your account cannot be recovered.
Outfox Health as a Data Processor
The following applies to general data processing relationships. For Outfox’s role when handling Protected Health Information on behalf of an employer health plan, see Section 9 (HIPAA, Protected Health Information, and Business Associate Status) below.
When acting as a service provider to other organizations, Outfox Health processes Personal Data per the terms agreed with the organization and its lawful instructions.
We may collect, use, and disclose certain Personal Data about you when acting as a service provider to an organization that uses or provides our Site or Services. These organizations are responsible for ensuring your privacy rights are respected, and should provide information to help you understand how third parties collect and use your Personal Data.
HIPAA, Protected Health Information, and Business Associate Status
Outfox Health may receive or maintain Protected Health Information (“PHI”) on behalf of an employer’s health plan. When Outfox Health handles PHI in that capacity, Outfox Health acts as a Business Associate to the employer or plan sponsor under the Health Insurance Portability and Accountability Act (“HIPAA”). Outfox Health is not itself a covered entity under HIPAA. Our obligations arise when we act as a Business Associate under an executed Business Associate Agreement (“BAA”) with a covered plan sponsor.
How we handle PHI
We use and disclose PHI only in accordance with the applicable BAA and applicable law. We do not sell PHI. We do not use PHI for marketing except as permitted by HIPAA and the applicable BAA.
Your rights regarding PHI
Your rights to access, amend, restrict, or obtain an accounting of disclosures of your PHI are governed by your employer’s health plan. Requests to exercise those rights should be directed to your employer or plan sponsor. Your employer’s health plan is responsible for providing the Notice of Privacy Practices that describes how PHI may be used and disclosed.
Breach notification
In the event of a Breach of Unsecured PHI, Outfox Health will notify the employer or plan sponsor in accordance with the HIPAA Breach Notification Rule. The employer or plan sponsor will then notify affected individuals as required by applicable law.
Privacy Contact
For inquiries regarding your Personal Data, contact our Privacy Contact, Beth Ann Lopez, at info@outfoxhealth.com.
Links to Third-Party Sites
Our Services may contain links to other sites that are not operated by us. Such links do not constitute endorsement, and this Privacy Policy does not apply to third-party websites. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.
Children’s Privacy
The Services are not intended for children under 18. Outfox Health does not knowingly collect personal information from children under 18. If you believe a child under 18 has provided us with personal information, please contact us at info@outfoxhealth.com.
Your California Privacy Rights
California Civil Code Section 1798.100–199 — the California Consumer Privacy Act (“CCPA”) — confers additional responsibilities towards California residents. In the last 12 months, Outfox Health collected:
- Identifiers
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §1798.80(e))
- Protected classification characteristics under California or federal law
- Commercial information
- Internet or other similar network activity
- Geolocation data
In the last twelve (12) months, Outfox Health has not sold personal information. Outfox Health may disclose deidentified patient information using the HIPAA safe harbor method under 45 C.F.R. §164.514(b)(2).
California residents may request the list of Personal Data collected and may request deletion. Email info@outfoxhealth.com to make a request.
Virginia Resident Rights and Disclosures
If you are a Virginia resident, you have the rights set forth under the Virginia Consumer Data Protection Act (“VCDPA”). See “Your Choices & Rights” above. Contact info@outfoxhealth.com with “Virginia Rights” in the subject line.
Colorado Rights and Disclosure
If you are a Colorado resident, you have the rights set forth under the Colorado Privacy Act (“CPA”). See “Your Choices & Rights” above. Contact info@outfoxhealth.com with “Colorado Rights” in the subject line.
Texas Resident Rights and Disclosures
If you are a Texas resident, you have the rights set forth under the Texas Data Privacy and Security Act (“TDPSA”). Subject to certain exceptions, you may exercise the following rights with respect to the Personal Data we process about you:
- Access — confirm whether we are processing your Personal Data and request access to it.
- Correct — request correction of inaccuracies in your Personal Data.
- Delete — request deletion of Personal Data provided by or obtained about you.
- Portability — obtain a copy of your Personal Data in a portable and, to the extent technically feasible, readily usable format.
- Opt out — opt out of the processing of your Personal Data for purposes of targeted advertising, the sale of Personal Data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
We will respond to a verified consumer request within forty-five (45) days, subject to any extension permitted by the TDPSA. To exercise these rights, email info@outfoxhealth.com with “Texas Privacy Rights” in the subject line. If we decline to act on your request, you may appeal that decision by replying to our response; you also have the right to contact the Texas Attorney General to submit a complaint.
Changes to this Policy
We reserve the right to modify and update this Privacy Policy at any time by posting an amended version on our Site. Please refer to this policy regularly.
How to Contact Us
For any concerns or questions about our Privacy Policy, please contact us:
Outfox Health, Inc.
2 Embarcadero Center, 8th Floor
San Francisco, CA 94111
Email: info@outfoxhealth.com
Questions about your privacy?
Reach our privacy team at support@outfoxhealth.com.