Last Revised: May 16th, 2022
1. Introduction
This Privacy Policy (“Privacy Policy”) describes the types of information Cerebral Inc. and its affiliates (collectively, “Cerebral,” “we,” “our,” or “us”) may collect, how we use such information, and with whom we share it. Except as explicitly provided herein, this Privacy Policy applies only to information that we collect and use about you from our websites located at www.cerebral.com and www.getcerebral.com, any other U.S. websites on which we post this Privacy Policy, and the affiliated Cerebral mobile software application (the “Platform”), and when you otherwise interact with us (collectively, the “Services”). This Privacy Policy is incorporated into our Terms and Conditions of Use (the “Terms of Use”). All capitalized terms used in this Privacy Policy but not defined herein have the meanings assigned to them in the Terms of Use.
This Privacy Policy applies only to the Services. Except as provided herein, this Privacy Policy does not apply to information collected by us outside of the Services, including on any other website operated by Cerebral or any third party, or data collected outside of the Services by Providers, the Medical Groups, the Labs, or the Pharmacies. It also does not apply to the information practices of any third party, including third parties you may communicate with off the Services, or third parties you connect with through any application or content (including advertising) that may link to or be accessible from or on the Services.
Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. By accessing or using the Services, you accept the practices and policies outlined in this Privacy Policy and you hereby consent that we may collect, use, and disclose your information as set forth in this Privacy Policy. If any term in this Privacy Policy is unacceptable to you, do not use the Services. This Privacy Policy may change from time to time, and your continued use of the Services after we make changes is deemed to be acceptance of those changes, so please check the Privacy Policy periodically for updates.
Note: Cerebral operates the Platform but does not provide medical services and is not a medical group. Any telehealth consults obtained through our Services are provided by independent medical provider groups, including, but not limited to, Cerebral Medical Group, P.A. (collectively, the “Medical Groups”), which engage with a network of United States-based health care providers, including licensed therapists, nurse practitioners and doctors (each, a “Provider”). The Medical Groups and all Providers are required by law to maintain the privacy of your health information in accordance with federal and state law. The Medical Groups and their associated Providers process your health information in accordance with the Medical Group Notice of Privacy Practices. In the event of a conflict between this Privacy Policy and the Medical Group Notice of Privacy Practices, the Medical Group Notice of Privacy Practices shall prevail.
If you do not agree with our Privacy Policy or the Medical Group Notice of Privacy Practices, you may not use or otherwise access the Services.
2. Information We Collect and How We Collect It
We may collect the following information from and about users of our Services:
3. How We Use Your Information
We may use the information we collect in the following ways:
We may aggregate, de-identify and/or anonymize any information collected through the Services so that such information is no longer reasonably capable of being associated with you. We may use aggregated or anonymized information for any purpose, including for research and marketing purposes, and we may also share such information for any purpose with any third parties, at our discretion.
4. How We Disclose Your Information
We may disclose your personal information under the following circumstances:
5. Your Data Choices
Cookies and similar technologies. When you interact with the Services, we (and third parties acting on our behalf) may automatically collect certain information about your browser, device, and use of the Services through cookies, pixel tags, web beacons, local storage, and other similar technologies. Cookies are small text files stored on your browser or device, which allow us to provide certain features of the Services, personalize your user experience, and advertise our Services to you. You can find more information about cookies at www.allaboutcookies.org.
You may be able to set your browser to manage cookies and similar technologies, or to alert you when cookies are being sent. Because each browser is a little different, we encourage you to check your browser’s “Help” feature to learn how to manage cookies. For more information about managing cookies, please visit www.allaboutcookies.org/manage-cookies. If you disable or refuse cookies, please note that some parts of the Services may then be inaccessible or not function properly. Because we and third parties may use non-cookie technologies with your browser or device, browser settings that block cookies used in isolation may not affect the functioning of those technologies.
Mobile devices often include settings to help you manage how your device collects and shares information for advertising purposes. For more information on how to manage those devices settings, please visit the Network Advertising Initiative’s mobile choice page at www.networkadvertising.org/mobile-choice.
Tailored advertising. We may engage third parties to serve tailored advertisements for our Services on our behalf on third-party websites and applications. You have certain choices about how your information is used for this purpose. To learn more about tailored advertisements or to opt out of participating companies, see the Digital Advertising Alliance’s opt-out program at www.aboutads.info/choices or the Network Advertising Initiative’s opt-out page at optout.networkadvertising.org. We make no representation about the accuracy or effectiveness of these opt out mechanisms. You can opt out of Google Analytics through its currently available opt-outs for the web. Please note that if you choose to opt out, you will continue to see ads, but they will not be based on your interests. We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way.
“Do Not Track” signals. “Do-not-track” (“DNT”) is a setting offered by some web browsers. DNT signals are not yet uniform, so we, like many other website operators, do not currently recognize or respond to DNT signals.
Marketing communications. If you do not wish to receive marketing communications from us, you can check certain boxes on the forms we use to collect your data or under your User Account page and/or follow the instructions in our marketing emails. You may also send us a return email asking to be omitted from future email distributions. Regardless of your indicated email preferences, we may send you administrative emails regarding the Services, including, for example, notices of updates to our Terms of Use or this Privacy Policy, appointment reminders, and other information related to your User Account.
SMS communications. You can opt out of SMS communications as described in our Terms of Use.
Location information. You can choose whether or not to allow our Services to collect real-time information about your device’s location through the device’s privacy settings. If you do not authorize us to collect location information, some parts of our Services may be inaccessible or not function properly.
Social media and other Third-Party Accounts. To control the information you share with us when you follow us, like our posts, or otherwise interact with us on social media, you can adjust your social media account settings related to how your information is shared. If you access the Services or create a User Account through a Third-Party Account, please consult the settings in the applicable Third-Party Account to control how the provider of the Third-Party Account shares information with us.
Push notifications: If your device is configured to receive push notifications, we may send you push notifications. If you no longer wish to receive these types of communications, you may turn them off through your device settings.
Other choices. You can review and change certain of your information by logging onto our Services and visiting your User Account. Depending on your jurisdiction of residence, you may have certain rights to access, delete, or correct your information. Your rights will be subject to applicable exceptions, and we will need to verify your identity before processing your request. If you would like to submit a request relating to your data, please email us at privacy@getcerebral.com.
Please note that if you delete your User Account, medical providers, including Providers, and other affiliates may still have the right to retain information under applicable law, regulations, or their own retention policy. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.
6. Protected Health Information
When you set up a User Account with Cerebral, you are creating a direct customer relationship with Cerebral that enables you to access and/or utilize the Services. As part of that relationship, you provide information to Cerebral, including but not limited to, your name, email address, shipping address, phone number and certain transactional information that are not “protected health information” or “medical information.”
However, in using certain components of the Services, some of the information we collect may constitute “protected health information” (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). While Cerebral is not a “covered entity” as defined in HIPAA, one or more of the Medical Groups and its Providers, the Pharmacies, the Labs and/or other health care providers engaging with you through our Services may be a “covered entity” or “business associate” under HIPAA and therefore subject to HIPAA, and Cerebral may in some cases be a “business associate” of a Medical Group, Pharmacy and/or Lab. Please note that HIPAA does not necessarily apply to an entity or person simply because there is health information involved, and HIPAA may not apply to your transactions or communications with Cerebral, the Medical Groups, the Providers, the Pharmacies and/or the Labs. To the extent Cerebral is deemed a “business associate” however, and solely in its role as a business associate, Cerebral, may be subject to certain provisions of HIPAA with respect to PHI. In addition, any medical or health information that you provide that is subject to specific protections under applicable state laws (collectively, with PHI, “Protected Information”), will be used and disclosed in accordance with such applicable laws. However, any information that does not constitute Protected Information under applicable laws may be used or disclosed in any manner permitted under this Privacy Policy. Protected Information does not include information that has been de-identified in accordance with applicable laws.
The Medical Groups and its affiliated Providers have adopted a Medical Group Notice of Privacy Practices that describes how they use and disclose PHI. By accessing or using the Services to interact with a Medical Group and/or Provider, you acknowledge that you have received and agreed to the Medical Group Notice of Privacy Practices from your Medical Group and/or Provider(s).
Where Cerebral collects, uses, and discloses Protected Information on behalf of your Medical Group or Provider, such processing on behalf of your Medical Group or Provider shall be consistent with the Medical Group Notice of Privacy Practices and as permitted in Cerebral’s agreements with the Medical Groups or Provider, except to the extent you have expressly authorized additional uses and disclosures. We may use PHI for purposes of treatment, payment, and health care operations, including to communicate with you, to provide requested services, to provide information to your Medical Groups or Providers, pharmacies, and insurers, to obtain payments for our services, and to communicate with your Medical Groups or Providers, pharmacies, and benefits program. We may combine your PHI with other information about you, including information from other sources, such as from your Medical Groups or Providers, pharmacies, insurers or benefits program, in order to maintain an accurate record of our users. We may use your PHI to contact you for any services or products offered by Cerebral or the Medical Groups.
7. Data Retention
We keep your information for the time necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and your choices, after which time we may delete and/or aggregate it. We may also retain and use this information as necessary to comply with our legal obligations, as necessary for our legitimate business interests, to resolve disputes, and to enforce our agreements.
8. Data Security
We have implemented measures designed to secure your information from accidental loss and from unauthorized access, use, alteration, and disclosure. We use encryption technology for information sent and received by us. However, transmitting information via the Internet is not completely secure, so although we take steps to protect your information, we cannot guarantee complete security. You share information with us at your own risk.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
9. Third Parties
This Privacy Policy does not address and we are not responsible for the practices or policies of any third parties using, accessible through, or linked from the Services, including Providers, the Medical Groups, the Pharmacies, the Labs, the manufacturer of your mobile device and other IT hardware or software, and any third-party app or website to which our Services may contain a link. These third parties may gather information from or about you. We have no control over the privacy practices of these third parties and make no representations about them. We encourage you to review the Medical Group Notice of Privacy Practices and the privacy policies of each website and application you visit and use.
10. Minors’ Information
Our Services are not directed to children under the age of eighteen (18) without parental consent. We do not knowingly collect information for individuals under the age of 18 (including, for children under the age of 13, “personal information” as defined in the U.S. Children’s Online Privacy Protection Act) without the verifiable consent of that child’s parent or guardian. If we learn that we have received any information for an individual under the age of 18, we process and delete that information as required by applicable law. If you are aware of a child providing personal information to us without parental consent, please contact us using the information below.
This Section 11 supplements the other information contained in our Privacy Policy and applies solely to California residents (“consumers” or “you”). This Section provides additional information on how we collect, use, and share your “personal information” (as defined in the California Consumer Privacy Act of 2018 (“CCPA”)). This Section applies only to the extent required by the CCPA, so some personal information about Californians is not covered by this Section. For example, this Section does not apply to PHI and “medical information” as defined in California’s Confidentiality of Medical Information Act. It does not apply to personal information we collect from our employees and job applicants in their capacity as employees and job applicants. It also does not apply to personal information we collect from employees, owners, directors, officers, or contractors of businesses in the course of our provision or receipt of business-related services. Any terms defined in the CCPA have the same meaning when used in this Section.
11.1. Categories of Personal Information Cerebral Collects
During the 12 months leading up to the date of this Privacy Policy, we may have collected all of the information described in Section 2 of our Privacy Policy from and about California residents. We collect this information in the ways and from the sources described in Section 2 above, and we may use this information in the ways described in Section 3 above. The information we collect generally falls into the following categories, to the extent that it is personally identifiable:
11.2. Using and Sharing Personal Information
We may use any of the categories of personal information for the purposes stated in Section 3 above with the third parties listed below, to provide you with the Services, and to other parties with your consent. We share your personal information with the following affiliated and non-affiliated parties, for any of the purposes in Section 3 above:
The CCPA sets forth certain obligations for businesses that “sell” (as defined in the CCPA) personal information to third parties. Based on our understanding of the definition of “sell,” we do not “sell” your personal information and have not done so in the prior 12 months from the effective date of this Policy.
11.3. Your CCPA Rights
If you are a California resident, the CCPA allows you to make certain requests about your personal information. Specifically, the CCPA allows you to request us to:
The CCPA further provides you with the right not to be discriminated against (as provided for in applicable law) for exercising your rights. Please note that certain information may be exempt from such requests under California law. For example, we need certain information in order to provide the Services to you.
For security and legal reasons, we reserve the right to refuse requests that require us to access third-party websites or services. We also reserve the right to verify your identity to our satisfaction before responding to your request. When verifying requests, our verification standards vary depending on the sensitivity of the request. If we cannot verify your identity, we may deny your request. In some cases, we may require additional information, in which case we will contact you.
For more information regarding your legal rights under California law or if you want to exercise any of them, or if you are an authorized agent making a request on a California consumer’s behalf, please call us at 415-403-2156 or email us at privacy@cerebral.com. Please include a detailed description of the right you want to exercise and whether you want to exercise this right with regard to some or all of your personal information.
11.4. “Shine the Light” Disclosure
California Civil Code Section 1798.83 (California’s “Shine the Light” law) gives California residents the right under certain circumstances to request information regarding our disclosure of certain categories of personal information (as defined in the Shine the Light law) to third parties for their own direct marketing purposes. We do not share your personal information with third parties for their own direct marketing purposes.
12. Revisions to Our Privacy Policy
We reserve the right to change this Privacy Policy at any time. It is our policy to post any changes we make to our Privacy Policy posted on this page. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for periodically monitoring and reviewing any updates to the Privacy Policy. Your continued use of our Services after such amendments will be deemed your acknowledgment of and agreement to these changes to this Privacy Policy.
13. Contacting Us
If you have any questions about this Privacy Policy, please email us at privacy@cerebral.com. For general customer support questions, please email us at support@cerebral.com.
If you’re having a mental
health emergency
If you're in emotional distress and
need immediate support
For National Suicide
Prevention Hotline