Cerebral, Inc. Privacy Policy

Last Revised: May 16th, 2022

1. Introduction

This Privacy Policy (“Privacy Policy”) describes the types of information Cerebral Inc. and its affiliates (collectively, “Cerebral,” “we,” “our,” or “us”) may collect, how we use such information, and with whom we share it. Except as explicitly provided herein, this Privacy Policy applies only to information that we collect and use about you from our websites located at www.cerebral.com and www.getcerebral.com, any other U.S. websites on which we post this Privacy Policy, and the affiliated Cerebral mobile software application (the “Platform”), and when you otherwise interact with us (collectively, the “Services”). This Privacy Policy is incorporated into our Terms and Conditions of Use (the “Terms of Use”). All capitalized terms used in this Privacy Policy but not defined herein have the meanings assigned to them in the Terms of Use.

This Privacy Policy applies only to the Services. Except as provided herein, this Privacy Policy does not apply to information collected by us outside of the Services, including on any other website operated by Cerebral or any third party, or data collected outside of the Services by Providers, the Medical Groups, the Labs, or the Pharmacies. It also does not apply to the information practices of any third party, including third parties you may communicate with off the Services, or third parties you connect with through any application or content (including advertising) that may link to or be accessible from or on the Services.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. By accessing or using the Services, you accept the practices and policies outlined in this Privacy Policy and you hereby consent that we may collect, use, and disclose your information as set forth in this Privacy Policy. If any term in this Privacy Policy is unacceptable to you, do not use the Services. This Privacy Policy may change from time to time, and your continued use of the Services after we make changes is deemed to be acceptance of those changes, so please check the Privacy Policy periodically for updates.

Note: Cerebral operates the Platform but does not provide medical services and is not a medical group. Any telehealth consults obtained through our Services are provided by independent medical provider groups, including, but not limited to, Cerebral Medical Group, P.A. (collectively, the “Medical Groups”), which engage with a network of United States-based health care providers, including licensed therapists, nurse practitioners and doctors (each, a “Provider”). The Medical Groups and all Providers are required by law to maintain the privacy of your health information in accordance with federal and state law. The Medical Groups and their associated Providers process your health information in accordance with the Medical Group Notice of Privacy Practices. In the event of a conflict between this Privacy Policy and the Medical Group Notice of Privacy Practices, the Medical Group Notice of Privacy Practices shall prevail.

If you do not agree with our Privacy Policy or the Medical Group Notice of Privacy Practices, you may not use or otherwise access the Services.

2. Information We Collect and How We Collect It

We may collect the following information from and about users of our Services:

  • Information you provide to us. We may collect information you provide to us directly – for example, when you create a User Account, submit feedback, answer research questions, interact with Cerebral customer support, or use the Services. This includes contact information, such as name, home and billing address, email address, and telephone number; demographic information such as date of birth, gender, race/ethnicity; payment details like billing address and credit or debit card number (for payment purposes only); identity-verification information; health-related information, such as information about your medical history, medical conditions, treatment options, physician referrals, prescriptions, lab results, lifestyle and personal preferences, health insurance information, or other related health information, such as your physical and emotional characteristics; other information, such as Social Security Number, audio, images, and video of you; log-in credentials (if you create a User Account); and any other information you choose to provide to us about yourself or others. Note: if you choose to allow other apps on your device to share information with our Services, we may collect information from those other apps (for example, photos, health information, and/or audio clips). 

  • Information about your use of the Services. We may collect information related to your use of and interaction with the Services, such as communications with Providers through the Services, whether you are a current user, product interests, User Materials, and information related to your inquiries or requests.

  • Information we collect automatically. When you interact with the Services, we may automatically collect information such as traffic data, logs, referring/exit pages, web page requests, location data, frequency and/or date and time of your activities on the Services, error information, clickstream data, IP address, usage data, and information about your Internet connection, device (such as a mobile device ID), connection speed, operating system, and/or browser. We may also collect information about your online activities over time and across third-party websites or other online services. Some of this data is collected using cookies and similar technologies. To learn more about these technologies and your choices regarding them, please see the section below titled “Your Data Choices”.

  • Information we receive from social media services and other sources. We may collect information about you if you use any of the other websites we operate or the other services we provide. We may collect information from public sources, advertisers, partners, and other third parties (such as third party intermediaries, including Providers and the Pharmacies). We may also collect information about you through a social media or other third-party account, such as Facebook or Google (each, a “Third-Party Account”). For example, if you access the Services or create a User Account through a Third-Party Account, you may allow us to have access to certain information in your Third-Party Account. This may include your name, profile picture, gender, networks, user IDs, list of friends, location, date of birth, email address, photos, videos, people you follow and/or who follow you, and/or your posts or “likes.” Social media sites and other third-party sites, such as Facebook and Google, have their own policies for handling your information. For a description of how these sites may use and disclose your information, including any information you make public, please consult the sites’ privacy policies. We have no control over how any third-party site uses or discloses the personal information it collects about you. We may combine information we receive from social media services and other sources with other information we collect from and about you.

3. How We Use Your Information

We may use the information we collect in the following ways:

  • To provide, maintain, improve, manage and optimize our Services.
  • To facilitate the provision of telehealth services to you by the Medical Groups and its Providers, the Labs, the Pharmacies and/or other health care providers, including for purposes of treatment, case management, patient engagement, medication management, and coordination of care, and to ensure that such Medical Groups, Providers, Labs, Pharmacies and/or other health care providers have the services and support necessary for health care operations.
  • To communicate with you about the Services, your use of the Services, including by responding to your inquiries and requests and providing customer support or by sending you communications on behalf of your Provider and other health care providers to meet your needs.
  • To verify your identity and administer your User Account.
  • To process your payments and fulfill your orders.
  • To research and analyze the effectiveness and functionality of our Services and better understand our user base. If we publish or provide the results of this research to others, such research will be presented in a de-identified and aggregate form such that individual users cannot be identified, unless you give us your consent to be identified.
  • To implement security features.
  • To provide you with technical support and customer service and troubleshoot any technical issues or errors.
  • In accordance with applicable legal requirements, advertise and market our Services and those of our third-party partners to you, including on third-party websites (subject to any opt-out preferences you have communicated to us).
  • To personalize the Services, including engaging in analysis and research regarding use of the Services to better understand your interests and needs and measuring the effectiveness of advertising and content we serve to you and others to deliver and customize relevant advertising and content to you.
  • To comply in good faith with our policies and any procedures, laws, and regulations which apply to us where it is necessary for our legitimate interests or the legitimate interests of others.
  • To protect the safety, rights, property or security of Cerebral, our users, employees, third parties, members of the public and/or our Services.
  • For any other purpose with your consent.

We may aggregate, de-identify and/or anonymize any information collected through the Services so that such information is no longer reasonably capable of being associated with you. We may use aggregated or anonymized information for any purpose, including for research and marketing purposes, and we may also share such information for any purpose with any third parties, at our discretion. 

4. How We Disclose Your Information

We may disclose your personal information under the following circumstances:

  • To our employees and other personnel to provide you with the Services, provide customer support, and for similar purposes.
  • Among our subsidiaries and affiliates, including our ultimate holding company and its subsidiaries, for business purposes.
  • To third party service providers with which we contract to help us deliver our Services and perform certain business and administrative functions, such as customer service, email management, payment processing, analytics, legal services, auditing, hosting the Services, and IT support (“Service Providers”). These Service Providers may also include the Medical Groups and its Providers, and other health care organizations, the Labs, and the Pharmacies.
  • To our vendors that provide services to enable us to promote and advertise the Services and the products and/or services offered via the Services, such as ad platforms or ad-retargeting services, as well as to comply with contact removal requests or requirements, such as mailing list removal services, do not call registries, and similar services.
  • To the Medical Groups and its Providers, the Pharmacies or the Labs to enable them to provide health care and related services to you via the Services, including (i) to schedule and fulfill appointments, (ii) to enable the sending of messages through our Services, and (iii) for other treatment, payment or health care operations purposes, including pharmacy and laboratory services.
  • If we sell, transfer, or otherwise share some or all of our assets with a third party in the event of a merger, sale, divestiture, restructuring, reorganization, dissolution, or other similar transaction, or in the event of bankruptcy, if your information is among the assets transferred. We may also share your information in diligence leading up to a potential corporate transaction.
  • As we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas or any government or regulatory request); enforce or apply our Terms of Use and other policies; protect the rights, property, or safety of Cerebral, our employees and customers, and any third party; prevent an activity that may be illegal, unethical or legally actionable; or otherwise to comply with the law.
  • Where we have your consent or you have otherwise directed us to do so. For example, if you request us to share your information with a third party, you have consented to this disclosure. 

5. Your Data Choices 

Cookies and similar technologies. When you interact with the Services, we (and third parties acting on our behalf) may automatically collect certain information about your browser, device, and use of the Services through cookies, pixel tags, web beacons, local storage, and other similar technologies. Cookies are small text files stored on your browser or device, which allow us to provide certain features of the Services, personalize your user experience, and advertise our Services to you. You can find more information about cookies at www.allaboutcookies.org.

You may be able to set your browser to manage cookies and similar technologies, or to alert you when cookies are being sent. Because each browser is a little different, we encourage you to check your browser’s “Help” feature to learn how to manage cookies. For more information about managing cookies, please visit www.allaboutcookies.org/manage-cookies. If you disable or refuse cookies, please note that some parts of the Services may then be inaccessible or not function properly. Because we and third parties may use non-cookie technologies with your browser or device, browser settings that block cookies used in isolation may not affect the functioning of those technologies.

Mobile devices often include settings to help you manage how your device collects and shares information for advertising purposes. For more information on how to manage those devices settings, please visit the Network Advertising Initiative’s mobile choice page at www.networkadvertising.org/mobile-choice.

Tailored advertising. We may engage third parties to serve tailored advertisements for our Services on our behalf on third-party websites and applications. You have certain choices about how your information is used for this purpose. To learn more about tailored advertisements or to opt out of participating companies, see the Digital Advertising Alliance’s opt-out program at www.aboutads.info/choices or the Network Advertising Initiative’s opt-out page at optout.networkadvertising.org. We make no representation about the accuracy or effectiveness of these opt out mechanisms. You can opt out of Google Analytics through its currently available opt-outs for the web. Please note that if you choose to opt out, you will continue to see ads, but they will not be based on your interests. We do not control third parties’ collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. 

“Do Not Track” signals. “Do-not-track” (“DNT”) is a setting offered by some web browsers. DNT signals are not yet uniform, so we, like many other website operators, do not currently recognize or respond to DNT signals.

Marketing communications. If you do not wish to receive marketing communications from us, you can check certain boxes on the forms we use to collect your data or under your User Account page and/or follow the instructions in our marketing emails. You may also send us a return email asking to be omitted from future email distributions. Regardless of your indicated email preferences, we may send you administrative emails regarding the Services, including, for example, notices of updates to our Terms of Use or this Privacy Policy, appointment reminders, and other information related to your User Account.

SMS communications. You can opt out of SMS communications as described in our Terms of Use.

Location information. You can choose whether or not to allow our Services to collect real-time information about your device’s location through the device’s privacy settings. If you do not authorize us to collect location information, some parts of our Services may be inaccessible or not function properly.

Social media and other Third-Party Accounts. To control the information you share with us when you follow us, like our posts, or otherwise interact with us on social media, you can adjust your social media account settings related to how your information is shared. If you access the Services or create a User Account through a Third-Party Account, please consult the settings in the applicable Third-Party Account to control how the provider of the Third-Party Account shares information with us.

Push notifications: If your device is configured to receive push notifications, we may send you push notifications. If you no longer wish to receive these types of communications, you may turn them off through your device settings.

Other choices. You can review and change certain of your information by logging onto our Services and visiting your User Account. Depending on your jurisdiction of residence, you may have certain rights to access, delete, or correct your information. Your rights will be subject to applicable exceptions, and we will need to verify your identity before processing your request. If you would like to submit a request relating to your data, please email us at privacy@getcerebral.com.

Please note that if you delete your User Account, medical providers, including Providers, and other affiliates may still have the right to retain information under applicable law, regulations, or their own retention policy. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. 

6. Protected Health Information

When you set up a User Account with Cerebral, you are creating a direct customer relationship with Cerebral that enables you to access and/or utilize the Services. As part of that relationship, you provide information to Cerebral, including but not limited to, your name, email address, shipping address, phone number and certain transactional information that are not “protected health information” or “medical information.”

However, in using certain components of the Services, some of the information we collect may constitute “protected health information” (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). While Cerebral is not a “covered entity” as defined in HIPAA, one or more of the Medical Groups and its Providers, the Pharmacies, the Labs and/or other health care providers engaging with you through our Services may be a “covered entity” or “business associate” under HIPAA and therefore subject to HIPAA, and Cerebral may in some cases be a “business associate” of a Medical Group, Pharmacy and/or Lab. Please note that HIPAA does not necessarily apply to an entity or person simply because there is health information involved, and HIPAA may not apply to your transactions or communications with Cerebral, the Medical Groups, the Providers, the Pharmacies and/or the Labs. To the extent Cerebral is deemed a “business associate” however, and solely in its role as a business associate, Cerebral, may be subject to certain provisions of HIPAA with respect to PHI. In addition, any medical or health information that you provide that is subject to specific protections under applicable state laws (collectively, with PHI, “Protected Information”), will be used and disclosed in accordance with such applicable laws. However, any information that does not constitute Protected Information under applicable laws may be used or disclosed in any manner permitted under this Privacy Policy. Protected Information does not include information that has been de-identified in accordance with applicable laws.

The Medical Groups and its affiliated Providers have adopted a Medical Group Notice of Privacy Practices that describes how they use and disclose PHI. By accessing or using the Services to interact with a Medical Group and/or Provider, you acknowledge that you have received and agreed to the Medical Group Notice of Privacy Practices from your Medical Group and/or Provider(s). 

Where Cerebral collects, uses, and discloses Protected Information on behalf of your Medical Group or Provider, such processing on behalf of your Medical Group or Provider shall be consistent with the Medical Group Notice of Privacy Practices and as permitted in Cerebral’s agreements with the Medical Groups or Provider, except to the extent you have expressly authorized additional uses and disclosures. We may use PHI for purposes of treatment, payment, and health care operations, including to communicate with you, to provide requested services, to provide information to your Medical Groups or Providers, pharmacies, and insurers, to obtain payments for our services, and to communicate with your Medical Groups or Providers, pharmacies, and benefits program. We may combine your PHI with other information about you, including information from other sources, such as from your Medical Groups or Providers, pharmacies, insurers or benefits program, in order to maintain an accurate record of our users. We may use your PHI to contact you for any services or products offered by Cerebral or the Medical Groups. 

7. Data Retention

We keep your information for the time necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and your choices, after which time we may delete and/or aggregate it. We may also retain and use this information as necessary to comply with our legal obligations, as necessary for our legitimate business interests, to resolve disputes, and to enforce our agreements.

8. Data Security

We have implemented measures designed to secure your information from accidental loss and from unauthorized access, use, alteration, and disclosure. We use encryption technology for information sent and received by us. However, transmitting information via the Internet is not completely secure, so although we take steps to protect your information, we cannot guarantee complete security. You share information with us at your own risk.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. 

9. Third Parties

This Privacy Policy does not address and we are not responsible for the practices or policies of any third parties using, accessible through, or linked from the Services, including Providers, the Medical Groups, the Pharmacies, the Labs, the manufacturer of your mobile device and other IT hardware or software, and any third-party app or website to which our Services may contain a link. These third parties may gather information from or about you. We have no control over the privacy practices of these third parties and make no representations about them. We encourage you to review the Medical Group Notice of Privacy Practices and the privacy policies of each website and application you visit and use.

10. Minors’ Information

Our Services are not directed to children under the age of eighteen (18) without parental consent. We do not knowingly collect information for individuals under the age of 18 (including, for children under the age of 13, “personal information” as defined in the U.S. Children’s Online Privacy Protection Act) without the verifiable consent of that child’s parent or guardian. If we learn that we have received any information for an individual under the age of 18, we process and delete that information as required by applicable law. If you are aware of a child providing personal information to us without parental consent, please contact us using the information below.

11. Additional Information for California Residents

This Section 11 supplements the other information contained in our Privacy Policy and applies solely to California residents (“consumers” or “you”). This Section provides additional information on how we collect, use, and share your “personal information” (as defined in the California Consumer Privacy Act of 2018 (“CCPA”)). This Section applies only to the extent required by the CCPA, so some personal information about Californians is not covered by this Section. For example, this Section does not apply to PHI and “medical information” as defined in California’s Confidentiality of Medical Information Act. It does not apply to personal information we collect from our employees and job applicants in their capacity as employees and job applicants. It also does not apply to personal information we collect from employees, owners, directors, officers, or contractors of businesses in the course of our provision or receipt of business-related services. Any terms defined in the CCPA have the same meaning when used in this Section. 

11.1. Categories of Personal Information Cerebral Collects 

During the 12 months leading up to the date of this Privacy Policy, we may have collected all of the information described in Section 2 of our Privacy Policy from and about California residents. We collect this information in the ways and from the sources described in Section 2 above, and we may use this information in the ways described in Section 3 above. The information we collect generally falls into the following categories, to the extent that it is personally identifiable:

  • Identifiers such as name, phone number, mailing address, email address, and User Account information (such as username and password), IP address, online identifiers, and device identifiers;
  • Financial information such as payment card number, and insurance information such as insurance policy number, if you use insurance to purchase a Service or product;
  • Health and medical information, such as your medical history and information we derive from health symptoms and health information;
  • Protected characteristics such as your age, gender, religion, race and ethnicity;
  • Commercial information such as purchase history;
  • Internet or other electronic network activity information such as information about domain names, landing pages, browsing activity, content or ads viewed and clicked, dates and times of access, pages viewed, forms you complete, search terms, and uploads or downloads;
  • Professional or employment-related information such as the name and address of the company you work for, in connection with insurance requests;
  • Audio and visual information, such as audio, video, and images of you;
  • Geolocation information such as your precise or approximate location; and
  • Other personal information, such as date of birth and any other personal information you share with us.

11.2. Using and Sharing Personal Information 

We may use any of the categories of personal information for the purposes stated in Section 3 above with the third parties listed below, to provide you with the Services, and to other parties with your consent. We share your personal information with the following affiliated and non-affiliated parties, for any of the purposes in Section 3 above:

  • Our affiliates.
  • Service Providers (as defined above and in the CCPA) that provide us with services to support our operations, such as customer service, email management, analytics, and IT providers.
  • A third party, including another company, during the negotiations for and if we undergo a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part). 
  • Government authorities and law enforcement, if we are required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • Other third parties, for purposes of fulfilling our legal obligations under applicable law, regulation, court order, or other legal process, such as preventing, detecting, and investigating security incidents and potentially illegal or prohibited activities; protecting the rights, property, or safety of you, us, or another party; enforcing any agreements with you; responding to claims; and resolving disputes.
  • With your consent, or as otherwise directed by you.

The CCPA sets forth certain obligations for businesses that “sell” (as defined in the CCPA) personal information to third parties. Based on our understanding of the definition of “sell,” we do not “sell” your personal information and have not done so in the prior 12 months from the effective date of this Policy. 

11.3. Your CCPA Rights

If you are a California resident, the CCPA allows you to make certain requests about your personal information. Specifically, the CCPA allows you to request us to:

  • Inform you about the categories of personal information we collect or disclose about you; the categories of sources of such information; the business or commercial purpose for collecting your personal information; and the categories of third parties with whom we share/disclose personal information;
  • Provide access to and/or a copy of certain personal information we hold about you;
  • Delete certain personal information we hold about you; and
  • Provide you with information about the financial incentives that we offer to you, if any.

The CCPA further provides you with the right not to be discriminated against (as provided for in applicable law) for exercising your rights. Please note that certain information may be exempt from such requests under California law. For example, we need certain information in order to provide the Services to you. 

For security and legal reasons, we reserve the right to refuse requests that require us to access third-party websites or services. We also reserve the right to verify your identity to our satisfaction before responding to your request. When verifying requests, our verification standards vary depending on the sensitivity of the request. If we cannot verify your identity, we may deny your request. In some cases, we may require additional information, in which case we will contact you.

For more information regarding your legal rights under California law or if you want to exercise any of them, or if you are an authorized agent making a request on a California consumer’s behalf, please call us at 415-403-2156 or email us at privacy@cerebral.com. Please include a detailed description of the right you want to exercise and whether you want to exercise this right with regard to some or all of your personal information.

11.4. “Shine the Light” Disclosure

California Civil Code Section 1798.83 (California’s “Shine the Light” law) gives California residents the right under certain circumstances to request information regarding our disclosure of certain categories of personal information (as defined in the Shine the Light law) to third parties for their own direct marketing purposes. We do not share your personal information with third parties for their own direct marketing purposes.

12. Revisions to Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. It is our policy to post any changes we make to our Privacy Policy posted on this page. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for periodically monitoring and reviewing any updates to the Privacy Policy. Your continued use of our Services after such amendments will be deemed your acknowledgment of and agreement to these changes to this Privacy Policy.

13. Contacting Us

If you have any questions about this Privacy Policy, please email us at privacy@cerebral.com. For general customer support questions, please email us at support@cerebral.com.

Call 911

If you’re having a mental
health emergency

Text Home to 741-741

If you're in emotional distress and
need immediate support

Call 988

For National Suicide
Prevention Hotline