California Consumer Privacy Act Notice
Brio Inc. DBA Brio-Medical
11000 N. Scottsdale Rd. Suite #115
Arizona, United States
(480) 536-7708
Effective Date: 06/23/2023
Updated: 06/23/2023
This California Privacy Notice (“Notice”) applies to “Consumers” as defined by the California Consumer Privacy Act (CCPA”) as a supplement to other Brio Inc. (“Brio-Medical”, “we,” “us,” “ours”) privacy policies or notices. In case of a conflict between any other Brio-Medical policy, statement, or notice, this Notice will prevail as to California Consumers and their rights under California law.
Section 1 of this Notice covers our collection, use, disclosure, and sale of California Consumers’ “Personal Information” or “PI” as defined by the CCPA for 2021, except to the extent the PI is exempt from the CCPA’s notice obligations and will be updated annually. Section 2 of this Notice describes the rights of California Consumers.
This Policy does not apply to workforce-related personal information collected from California-based employees, job applicants, contractors, or similar individuals. See the Privacy Policy for California-based job applicants.
To aid in readability, we have abbreviated or summarized CCPA terms or language in some places in this Notice, and we cite specific CCPA sections for your reference. Terms defined in the CCPA used in this Notice shall have the same meaning as in the CCPA.
1. Collection, Use, and Sharing of PI
In 2022, we collected, retained, used, and disclosed PI about California Consumers as set forth below. This also serves as our pre-collection notice unless supplemented by another notice at collection.
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | Yes |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | Yes |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth, and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | Yes |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, considered, or other purchasing or consuming histories or tendencies. | No |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | No |
| F. Internet or similar network activity. | Browsing history, search history, and information on a consumer’s interaction with a website, application, or advertisement. | Yes |
| G. Geolocation data | Physical location or movements. | Yes |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information | No |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | No |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | No |
| K. Inferences drawn from other personal information. | The profile reflects a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes. | No |
The chart above reflects those categories of PI required to be addressed by the CCPA. There may be additional information that we collect that meets the CCPA’s definition of PI but is not reflected by a category, in which case we will treat it as PI as required by the CCPA but will not include it when we are required to describe our practices by category of PI.
As permitted by applicable law, we do not treat de-identified data or aggregate Consumer information as PI, and we reserve the right to convert, or permit others to convert, your PI into de-identified data or aggregate Consumer information and may elect not to treat publicly available information as PI. We have no obligation to re-identify information or keep it longer than we need it to respond to your requests.
Purposes for PI Collection:
- Performing services: (§1798.140(d)(5))
- Managing interactions and transactions: (§1798.140(d)(1))
- Security: (§1798.140(d)(2))
- Debugging to repair errors: (§1798.140(d)(3))
- Processing interactions and transactions: (§1798.140(d)(4))
- Quality/safety maintenance: (§1798.140(d)(7))
Additional business purposes include i.) sharing PI with third parties for purposes other than a sale, or ii) one of the foregoing business purposes as required or permitted by applicable law (such as to the vendors that perform services for us, to the government or private parties to comply with law or legal process, and to the Consumer or other parties at the Consumer’s request) (“Other Business Purposes”).
Subject to restrictions and obligations of the CCPA, our vendors may also use your PI for some or all of the above-listed business purposes. Our vendors may themselves engage services providers or subcontractors to enable them to perform services for us, which sub-processing is, for purposes of certainty, other Business Purposes for which we are providing you notice.
Do We Sell Any of Your Personal Information?
A common understanding of “selling” information involves a company taking information it has learned about you and exchanging that information with an unrelated third party for money, who will then use that data for a new purpose you did not intend. Brio-Medical never does this with your information.
We use our users’ information to help people seek treatment at one of our centers. However, the CCPA has a much broader definition of “sell” than this, which encompasses activities beyond the traditional common understanding of “selling” for money, such as disclosing, disseminating, making available, transferring, or otherwise communicating by electronic or other means, a consumer’s personal information. Brio-Medical strives to live up to the law, and your wishes, as it relates to this right.
- We don’t sell data to data brokers.
- We don’t exchange information about you with a third party for money
2. California Privacy Rights
If you are a California resident, you have the following rights in relation to the categories of PI described above, as provided under California law:
Subject to legal limitations, certain California residents have the following rights:
- Right to Know. You have the right to request information about the categories of PI we have collected about you, the categories of sources from which we collected your PI, the purposes for collecting your PI, the categories of third parties with whom we have shared your PI, and the purpose for which we shared your PI (“Categories Report”). You may also request information about the specific pieces of PI we have collected about you (“Specific Pieces Report”).
- Right to Delete. You have the right to request that we delete the PI we collected from you.
- Right to Opt-Out (Do Not Sell My Personal Information). We do not “sell” PI as such a term is defined under the CCPA.
a. How to Submit a Request
To exercise your right to know or your right to delete, please email us at info@brio-medical.com and include “Request under CCPA” in the subject line or call us toll-free at (480) 536-7708 and clearly state your name, contact information, and nature of your inquiry.
We recommend making your request by email to ensure we accurately capture your contact details and other information. Please include the following in your request:
- Your full name and address
- Former names (if applicable)
- Former addresses (including dates of change) (if applicable)
- Contact information (phone number or email address)
- Your relationship to us (e.g., former or existing patient)
- Type of request that you are making (e.g., Categories Report, Specific Pieces Report).
We will typically not charge a fee to respond to your requests fully; however, we may charge a reasonable fee or refuse to act upon a request if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we charge you for responding to your request. There may also be reasons to limit our response to your request. For instance, retention exceptions may limit a right to delete. If so, we will explain the retention purposes and limit our use to those purposes only so long as the retention purpose continues. Consistent with the CCPA’s requirements, to protect your security, we will not deliver certain high-risk PI like your social security number to you, but we will describe the PI types not provided for that reason. We also will not provide PI where disclosure would infringe on the rights or privileges of others. Whenever we limit a response for reasons the law permits, we will explain that in our response.
b. Verification
For us to look into your request, we first need to verify your identity, meaning that we need to make sure that you are the Consumer we may have collected PI about or a person who has been duly authorized to request on behalf of the Consumer (“Verifiable Consumer Request”). We will not fulfill your Right to Know or Right to Delete request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI.
Right to Know – Categories Request:
We are required to verify a Consumer’s request to know categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by the Consumer with data points maintained by us, which we have determined to be reliable to verify the Consumer. If we cannot verify you sufficiently to honor your request, we will refer you to Section 1 of this Notice for our categories disclosure regarding Consumers generally.
Right to Know – Specific Pieces Request:
We are required to verify a Consumer’s request to know specific pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by the Consumer with data points maintained by us, which we have determined to be reliable to verify the Consumer together with a signed declaration under penalty of perjury that the requestor is the Consumer whose PI is the subject of the request. If we cannot verify you sufficiently to honor your request, we will consider if you can be verified sufficiently to receive a Categories Report.
Right, to Delete Request:
We are required to verify a Consumer’s request to delete to a reasonable degree of certainty, which may include matching at least two data points provided by the Consumer with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by the Consumer with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized deletion.
Some PI we maintain about Consumers is not sufficiently associated with enough PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification pursuant to the CCPA’s verification standards is made (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA, we do not include that PI in response to those requests. If we cannot comply with a request, we will explain the reasons in our response. We will use the PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses unless you also gave it to us for another purpose.
Do not send us identification documents unless requested by us. In this case, they should be transmitted to us through the secure means of communication we specify or approve and should be photocopies or scanned images (do not send the originals).
c. Authorized Agents
Authorized agents may exercise rights on behalf of California Consumers, but we reserve the right also to verify the Consumer directly as described above. Authorized agents may email us at info@brio-medical.com to exercise rights on the Consumer’s behalf. We will require the agent to demonstrate authority to act on behalf of the Consumer by providing, for example, evidence of the agent’s identity and proof of registration with the California Secretary of State (if the agent is a business). At least one of the following evidencing proof of the agent’s legal authority to act on behalf of the individual Consumer:
- Presenting a Power of Attorney granted under the Probate Code that we can reasonably verify, or
- Signed permission by the Consumer. We may also require the Consumer to verify their identity directly with us and confirm that they provided the authorized agent permission to submit the request.
d. Timing
We will respond to requests to delete and demands to know within 45 calendar days unless we need more time, in which case we will notify you and may take up to 90 calendar days total to respond to your request.
e. Non-Discrimination
California residents cannot be discriminated against for exercising their rights under the CCPA. We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights.
f. Other California Privacy Rights
We do not share “personal information” subject to California Civil Code §1798.83 (the “Shine the Light law”) with third parties for the third parties direct marketing purposes absent your consent. If you are a California resident, you may request information about our compliance with the Shine the Light law by emailing us at info@brio-medical.com. Any such request must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through this email address.
How to Contact Us
For general questions about this Notice, you may contact us as follows:
Jason DeMartino
11000 N. Scottsdale Rd. Suite #115
Arizona, United States
Telephone: (480) 536-7708
Email: info@brio-medical.com
Changes
From time to time, we may modify and/or update this Privacy Policy, so we encourage you to check back regularly to determine if any changes have been made.
