Revised Date: July 28, 2021
DrLullaby provides services for individuals over the age of 18 or parents or legal guardians signing up on behalf of individuals who are under the age of 18. We believe in the importance of taking additional measures to protect children’s privacy. We do not knowingly collect personal data from individuals under the age of 18 unless a parent or legal guardian has registered on the individual’s behalf. If we learn that we have collected the personal information of an individual under the age of 18 without consent from a parent or legal guardian, we will take steps to delete such information as soon as possible. Parents or legal guardians who believe that their child who is under the age of 18 has submitted personal information to us and would like to have it deleted may contact us at email@example.com.
Please note that you must read and agree to the terms and conditions of this Policy before you use the System. If you do not agree to the terms and conditions of this Policy, then you may NOT use any part of the System or engage with the Self-Help Service, the Telehealth Service, or the Coaching Service. The Telehealth Service is further subject to our HIPAA Notice of Privacy Practices.
2. What data do we collect?
We collect and use information like your name, age, gender, email address, phone number, username, and password to personalize your experience on the System, give you access to the System, and communicate with you. If you are using the System as a parent seeking services on behalf of a child, we also collect information such as the child’s first name, gender, and age group. We use information such as your or your child’s age and gender to assist our interpretation of your or their sleep patterns, as sleep patterns can vary based on these variables. You provide this information to us.
Appointment and purchase history
We retain information about your history of appointments with Telehealth Providers and Sleep Coaches, if any, as well as information about bundles or subscriptions you may have purchased in the past. We collect this information from you, or we generate this information based on your bundles and subscriptions or meetings with Telehealth Providers and Sleep Coaches. We also keep a record of your communications with the System, which is information that either you generate or we collect.
The System may contain functionality that allows you to upload User Content, as further described in our Terms and Conditions of Use. You provide this information.
Information from third parties
Information you provide to or through third parties (as described below) when using the System may be provided to DrLullaby by the third party, including login information for the third-party services. See below as well as our Terms and Conditions of Use for more information about how the System interacts with third parties.
We collect information about your sleep (including, and related to, the time you spend in bed and the time you spend asleep, the number of interruptions in your sleep, and self-reported sleep distress) in order to deliver our sleep improvement program. We may collect information about pre-existing medical conditions in order to inform you that you should see a doctor, as the Self-Help Service and the Coaching Service are not a medical treatment. We also collect general information about your mental and physical wellbeing in order to evaluate progress towards your self-defined goals. You may also choose to email a Sleep Coach if you have questions between coaching sessions, using G Suite or Google Workspace, and Sleep Coaches will respond to those questions, which communications may contain information about your health. This is information that you provide to us or that the Sleep Coaches provide to you and to us. Any information emailed to a Telehealth Provider in between sessions may be considered PHI. If you choose to send your PHI by email, you acknowledge and agree that email is an insecure means of communication. DrLullaby and the Telehealth Providers will not communicate PHI via unsecure platforms. You should use such platforms as directed by your Telehealth Provider(s) to transmit PHI.
User behavior and electronic identifiers
We may collect information about your behavior while using the System and the devices you use to access the System, including mobile device UDID and IMEI numbers, operating system, browser type, screen size, or similar types of data. Our servers generate this information automatically when you use our App, WebApp, or Website. DrLullaby will use this information to provide you with customer support, to enhance system administration, to tailor your experience with the System, and to assist communication (e.g., push notifications). In addition, we store any metadata and user analytics associated with your account. Metadata you may create on the System can include your geolocation, the type of content you consumed while using the System, time you spent using the System or any component thereof, and when you accessed the System. You provide this information, and/or we collect this information about your behavior using the above stated electronic identifiers and similar technologies.
We may store cookies (small text files managed by your web browser) on your computer or mobile device in order to improve your experience with the System. Examples include: recognizing you when you return to the System, maintaining data you have entered across multiple sessions, and storing information about your personal preferences. Cookies may include pixel tags, web beacons, local storage, and similar tracking technologies.
3. How do we use your data?
In order to minimize any required disclosures of your identifiable information, we limit the data we collect to that which is necessary to deliver and improve our services. We have policies, procedures, and other safeguards in place to help protect it from improper use and disclosure. The following categories describe the ways in which we may use your identifiable information.
Disclosure at your request
We may disclose information relating to your use of the System as and when requested by you. This disclosure at your request may require your written authorization.
Services and operations
We may use your identifiable information in connection with providing services for our internal operations, which include administration, eligibility determinations, planning your sleep program, user account maintenance, customer service, analytics, and various activities that assess and improve the quality and efficacy of the service that we deliver to you. Your data may be used to develop new features, update the System on your devices, diagnose and fix technological problems, personalize your experience while using the System, help you efficiently access your information after you log in, and remember your information so you will not have to re-enter it during your visit or the next time you visit the System. If you choose to use DrLullaby’s Telehealth Service or Coaching Service, we may also use your data to match you and schedule an appointment with a Telehealth Provider or Sleep Coach.
We may receive a confirmation when you open an email from us or click on a link in an email, if your computer supports this type of program. We use this confirmation to help us make emails more interesting and engaging. We may also use email communications from you to a Telehealth Provider or Sleep Coach using G Suite or Google Workspace to provide you with responsive communications from a Telehealth Provider and Sleep Coach. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. However, by opting out of further email communications after you sign up, you may limit program reminders and other valuable program content and components.
Reminders and notifications
We may use your identifiable information to send you notifications to interact with or complete tasks relating to your use of the System. You may make changes to the format and frequency of these reminders, or cancel these reminders and/or notifications, by logging into your DrLullaby account on the Website or WebApp and/or by accessing the native notification settings on your mobile device when using the App. When you download the App, you will be provided with the option to opt in to receive push notifications from the System on your mobile device in connection with the App. These push notifications may include promotional communications regarding the System. You may, after downloading the App, opt out of receiving push notifications by adjusting the settings on your mobile device. Opting out of push notifications will not affect other communications you receive from DrLullaby, such as email communications. You also may receive alerts and updates within our mobile applications regarding services or your account. To opt out of receiving these alerts and updates, you may uninstall the App from your mobile device and discontinue use of the System.
We may offer you the ability to sign into our App or WebApp via your mobile number. If you elect to provide us a mobile number and consent to receive certain messaging, we may use SMS messaging to contact you when you make account updates, to provide you updates on your customer support tickets, for other System-related reminders, and for account recovery purposes. You may opt out of such messages by removing your mobile number in your account preferences or replying STOP to any incoming messages.
4. Who has access to your data and when do we share it with third parties?
DrLullaby understands that your identifiable information is private and personal and is dedicated to maintaining its confidentiality and integrity. While DrLullaby will never sell or rent your data without your prior consent other than as described in this Policy, we may disclose your data to persons and entities outside of DrLullaby, as described below.
Third-party service providers
We may disclose your information to third-party service providers that contract with us. Each of these contracts will safeguard your identifiable information. Examples of third-party service providers include accounting services, server and email delivery providers, vendors, financial and payment process providers, and other business partners and reputable companies in the industry who subcontract with us.
If you choose to buy products through the System, you acknowledge and agree that we may use certain third-party vendors and service providers to process payments, manage debit and credit card information and detect and prevent fraud, and may also collect ourselves information about that specific purchase such as the purchase date, purchase totals, and product types, as well as your postal address. You provide this information. DrLullaby is a service provider. We are not a bank, credit union, payment processor or other financial institution. Bundles, subscriptions, and products are purchased via a third-party payment vendor, which is Stripe. Transactions processed via the System may be subject to the terms and conditions and privacy policies of the applicable payment vendor. We may share your information with payment vendors to the extent necessary to allow them to process the appropriate payments.
If you access third-party services, such as Facebook, Google, or Twitter, through the System or to share information about your experience on the System with others, these third-party services may be able to collect information about you from us, including information about your activity on the System, and they may notify your connections on the third-party services about your use of the System, in accordance with their own privacy policies. We do not control and are not responsible for the privacy practices of these third parties, and the information practices of these third parties are not covered by this Policy. We encourage you to read the privacy policies of all third parties associated with DrLullaby or that you wish to use to discuss your experience on the System.
If you decide to sign up for the Telehealth Service or Coaching Service, we will connect you with a Telehealth Provider or Sleep Coach, and we will provide that Telehealth Provider or Sleep Coach with your name, the time and date the electronic meeting will take place, and other relevant health information that you have provided to us. The Telehealth Service and Coaching Service are provided online through a secure platform. The information you share orally during your session with the Telehealth Provider or Sleep Coach is confidential between you and the Telehealth Provider or Sleep Coach. DrLullaby does not gather or retain that information.
Threat to health or safety
We may disclose your identifiable information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
As required by law
Certain laws permit or require certain uses and disclosures of identifiable information in order to facilitate, for example, public health activities, health oversight activities, and compliance with law enforcement. In these instances, DrLullaby will only disclose your identifiable information to the extent the law requires. DrLullaby may also disclose your information in order to enforce terms included in this Policy or in our Terms and Conditions of Use.
Personal representatives or persons involved with your care
We must disclose your identifiable information to anyone who has the legal right to act for you (your personal representative) in order to administer your rights. We may also disclose your identifiable information to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated or in an emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, we will use our best judgment to decide if the disclosure is in your best interests. Special rules apply regarding when we may disclose information to family members and others involved in a deceased individual’s care. We may disclose information to any persons involved, prior to the death, in the care or payment for care of a deceased individual, unless we are aware that doing so would be inconsistent with a preference previously expressed by the deceased. We may also share your information amongst various service providers within the System, such as all Telehealth Providers or Sleep Coaches you work with. We also share your information with clinical researchers, referring physicians, and other physicians for whom you have provided appropriate consents and who provide the correct CPT code, subject to our HIPAA Notice of Privacy Practices with respect to PHI.
For research and publicity purposes
DrLullaby reserves the ability to include your data in aggregated data sets shared with or sold to our research partners and readers of our published research. In these sets, your data will not be personally identifiable and would be used for supporting generalized statements (e.g., “children aged 13-18 have the worst sleeping habits in the US”).
Transfer of business assets
In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If DrLullaby or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets. This Policy would continue in effect following the effective date of such transaction, until such time as the prospective buyer changes it, in which case the prospective buyer would be required to notify you of any changes.
To protect the security and integrity of our System
Improving and monitoring the security of our System may involve analyzing our users’ data and how the data interacts with our System. Such use may be conducted by DrLullaby personnel or expert third-party service providers. Protecting the security and integrity of the system includes detection of violations of our Terms and Conditions of Use, detecting fraud or illegal activity, diagnosing or fixing technology problems, or monitoring or improving the overall effectiveness of our System.
5. How do we store your data?
Information you provide to us is stored in encrypted form on secure servers located in the U.S., which are owned and operated by Amazon Web Services (“AWS”). AWS is an industry leader in the provision of hosting services and cloud security. You can learn more about AWS by visiting their webpage here.
All passwords are stored in encrypted form. Your data may be transferred to, and stored at, other destinations by staff who work for DrLullaby. Such staff may be engaged in the provision of support services, among other things. By submitting your personal data, you agree to this transfer, storing, or processing. DrLullaby stores the data collected from you for up to seven years.
6. Your rights
Users of the System have certain specific privacy rights with regard to their information. You make choices with respect to those rights through your settings in your account on the App, WebApp, or Website or by contacting us as directed in this Policy.
There may be times when we are unable to fulfill your request – for example, if providing access to your personal information would reveal confidential commercial or proprietary information or personal information about someone else (and we cannot separate your data), if we are prohibited by law from disclosing the information, or if we have a legal obligation to retain certain data. We may require additional personal information from you for the purposes of verifying your identity and rights.
If you are a resident of California, please see Section 7 below.
Right to access
You have the right to view all personal information that DrLullaby has collected about you. You can view this information through your dashboard at any time while you access DrLullaby.
Right to accuracy
You have the right to ensure that the data we have stored is accurate. In most cases, the System allows you to directly modify your own information. However, if there is incorrect data within the System that you are not able to change, please contact DrLullaby at firstname.lastname@example.org and we will work with you to update this information.
Right to deletion
You have the right to request deletion of all data within the System. While you control how long your account remains active, canceling a subscription, terminating an account, or deleting the DrLullaby App will not automatically delete your information. We will not delete your data unless we elect to in our sole discretion or you affirmatively request that we do so in writing. To request your data be deleted, please contact DrLullaby at email@example.com. In most cases, this request will be completed within 30 days. If circumstances require a delay in this deletion, DrLullaby will notify you and explain the reason for the delay. When you delete your account it will no longer be accessible by you. Note that in some cases, there may be a legal requirement to hold on to your data. DrLullaby will notify you directly if this is the case.
Right to withdraw consent
A user of the System has the right to withdraw their consent at any time by contacting DrLullaby at firstname.lastname@example.org. Please note that without consent to process your data, we will be unable to successfully deliver DrLullaby services to you. As described above, you may also withdraw your consent to receive DrLullaby communications, such as emails, SMS messages, or push notifications.
Right to notification of disclosure and breach
In addition to the right to request notification about disclosures of your data, specified in the “right to access” section above, we will notify you as required by law if there has been a breach of the security of your identifiable information.
Concerns or complaints
If you believe that any of your rights with respect to your or others’ identifiable information have been violated by DrLullaby, our employees, or our agents, please contact DrLullaby at email@example.com.
7. California resident privacy rights
This Section 7 applies only to California residents. Section 2 sets forth the categories of personal information that we collect and process about you, a description of each category, and the sources from which we obtain each category. Under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), you have a right to request information about our collection, use, disclosure, and sale of your personal information over the prior 12 months or, with respect to information collected after January 1, 2022, such other period as you specify. You can make this request twice within a 12-month period, and DrLullaby will respond within 45 days of receiving your request. You can ask that we provide you with the following information with respect to the applicable time period:
- Categories of and specific pieces of personal information, including sensitive personal information (as defined under the CPRA), we have collected about you;
- Categories of sources from which we collect personal information or sensitive personal information;
- Purposes or use for collecting, using, or selling personal information or sensitive personal information;
- Categories of third parties with which we share personal information or sensitive personal information;
- The length of time we intend to retain such personal information or sensitive personal information;
- Categories of personal information or sensitive personal information disclosed about you for a business purpose;
- If applicable, categories of personal information or sensitive personal information sold or disclosed about you and the categories of third parties to which the personal information was sold or disclosed, by category or categories of personal information for each third party to which the personal information was sold or disclosed;
- The categories of information we have disclosed to any third party for any third-party direct marketing purposes during the preceding year; and
- The names and addresses of third parties that received such information, or if the nature of their business cannot be determined from the name, then examples of the products or services marketed.
You have the right to request that DrLullaby delete any personal information we have collected from you or maintain about you, subject to certain exceptions, and request that any third parties with whom we have shared that information do the same. If you request that we delete your personal information, we will do so except to the extent we determine that we need the information for a business purpose and have a legal right to maintain it, in which case we will inform you of that legal exception. You also have the right to request that we correct inaccurate personal information about you, and to cause us to use commercially reasonable efforts to do so. You also have the right, in some circumstances, to opt out of any sharing of your personal information. Finally, you have the right to request that we use your sensitive personal information (as defined under the CPRA) solely as necessary to provide our services to you.
We will not discriminate against you for exercising any of your CCPA or CPRA rights. Unless otherwise permitted by the CCPA or CPRA, we will not do any of the following because you request to know, access, or delete your information or opt out of its sale:
- deny you goods or services;
- charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- provide you a different level or quality of goods or services; or
- suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
We are not currently subject to CPRA; however, it is our intent to respect California residents’ rights under CPRA as if we were subject to it. In furtherance thereof, our collection, use, retention, and sharing of your personal information is reasonably necessary and proportionate to achieve the purposes for which we collect and process that information, or for other purposes not incompatible with those purposes. We intend to enter into agreements with third parties to ensure that their use of your information, when we share it with them, complies with Section 1798.100(d) of the California Civil Code when required thereunder. We implement reasonable security measures to ensure that your personal information is protected from unauthorized or illegal access, destruction, use, modification or disclosure; however, as further described in our Terms and Conditions of Use, there is no guarantee that these measures will be effective at all times.
You may make such a request by contacting us in writing by email to firstname.lastname@example.org. At this time, DrLullaby does not currently take actions to respond to Do Not Track signals because a uniform technological standard has not yet been developed. We continue to monitor and review new technologies and will modify this policy accordingly in the event of a change.
8. Amending this policy
We reserve the right to revise this Policy at any time. The revised Policy will be effective immediately upon posting to www.drlullaby.com. You will see notification of the change displayed on your account settings page for 7 days. Your continued use of the System constitutes your agreement to abide by the Policy as changed. Under certain circumstances (for example, if we expand the ways in which we use your personal information beyond the uses stated in our Policy at the time of collection), we may also elect to notify you of changes or updates to our Policy by additional means, such as by sending you an email.
Questions relating to revisions to this Policy may be addressed to DrLullaby.