Website and Client Services Privacy Policy

Last updated: February 12, 2016
This Website and Client Services Privacy Policy (“Privacy Policy”) covers “Personal Information” collected by Orchestra One from clients, third parties at the direction of users, and client systems as well as through the operation of websites, mobile applications, and software by Orchestra One Inc. and its affiliates and subsidiaries (“Orchestra One,” “we,” and “us”), (collectively “Orchestra One Service”). The Privacy Policy describes how Orchestra One collects, uses, and discloses “Personal Information.”“Personal Information” means information that alone or when in combination with other information may be used to readily identify, contact, or locate you, such as: name, address, email address, phone number, social security number, and insurance-issued ID numbers. “Personal Information” also includes identifiable health information collected about you. We do not consider Personal Information to include information that has been anonymized so that it does not allow a third party to easily identify a specific individual.

About Orchestra One
Orchestra One provides health service providers with the Orchestra One Service to manage appointments, personal health records, communications, and other related activities. Other than information gathered through our website at orchestra.one. Orchestra One acts as a service provider for health service providers and does not own or control the information that is submitted to us through the Orchestra One Service. The information that is submitted through the Orchestra One Service will be held subject to the requirements specified by our health service provider clients and applicable law, such as the Health Insurance Portability and Accountability Act (HIPAA).This Privacy Policy does not reflect the privacy practices of Orchestra One’s health service provider clients and Orchestra One is not responsible for our clients’ privacy policies or practices. Orchestra One does not review, comment upon, or monitor our health service provider clients’ privacy policies or their compliance with their respective privacy policies, nor does Orchestra One review our client’s instructions to determine whether they are in compliance or conflict with the terms of a client’s published privacy policy or applicable law.

Collection of personal information
We may collect information, including Personal Information, about you:when you use the Orchestra One Service;from your health service provider;from third parties when you or your health service provider directs us to gather information from them; andwhen you communicate with us.We also collect information, such as anonymous usage statistics, by using cookies, server logs, and other similar technology as you use the Orchestra One Service.The Orchestra One Website. You may visit the websites of Orchestra One without revealing any Personal Information. However, in some instances, Orchestra One may require certain Personal Information, such as business contact information, so we can respond to your inquiries or provide you with requested information.The Orchestra One Service. The Orchestra One Service may collect information, including Personal Information and health information, about you in three ways: (1) from you directly, (2) from a health service provider, or (3) from a third party as directed by you or a health service provider.Directly from Users. There are several ways you can submit data to the Orchestra One Service. For example, you can:type information into the Orchestra One Service (ie. registering, updating your profile, sending a message to your provider, scheduling an appointment);upload an image, a document, or any other data; orwhen you provide feedback to help Orchestra One improve its operations.You should exercise care in selecting the information that you share in a survey or feedback communication. We strongly recommend against providing Orchestra One any personal health or other sensitive information that could be traced to you or any other individual.Making Payments. When you make payments through the Orchestra One Service, you may need to provide financial account information, such as your credit card number, to our third-party service providers.Customer Support. We may collect Personal Information through your communications with our customer-support team.Cookies, Automatic Data Collection, and Related Technologies. Orchestra One and our third-party partners, such as analytics service providers, may automatically receive and record certain non-Personal Information from users using cookies, web beacons, server logs and other similar tools. For example, Orchestra One may collect information about how you visit and navigate through the Orchestra One Service, when you click on a link or open a web page, use certain elements of the Orchestra One Service, or open an email sent by Orchestra One. Orchestra One may use this information to provide certain functionality, improve the tools and services, and monitor the use of the tools and services. For example, we use these tools to save user preferences, preserve session settings and activity, help authenticate users, allow users to auto-fill sign-in pages of websites they frequently visit, and debug and evaluate the performance of the Orchestra One Service. Our partners also may collect such information about your online activities over time and on other websites or apps. You may be able to change browser settings to block and delete cookies when you access the Orchestra One Service through a web browser. However, if you do that, the Orchestra One Service may not work properly.

Use of personal information
We use Personal Information to:facilitate and improve our services,as permitted by our agreements with health service providers and applicable law; andcommunicate with you.We may use anonymized and aggregate information for business purpose.Internal and Service-Related Usage. We use information, including Personal Information, for internal and service-related purposes and may provide it to third parties to allow us to facilitate the Orchestra One Service. We may use and retain any data we collect to provide and improve our services.For example, we may use Personal Information for the following purposes:maintaining and operating the Orchestra One Service (this may include registering you, processing payments, or providing you with customer support);making announcements about features, terms, policies, or other aspects of the Orchestra One Service;responding to questions and communications, which we retain in the ordinary course of business; andprotecting the Orchestra One Service, the information it protects, the rights of third parties and in response to legal process (more fully discussed below).Consents and Authorizations. Orchestra One may request your consent or authorization in connection with the use or sharing of Personal Information about you. In some instances, this will be because this Privacy Policy or applicable law or regulations require us to obtain such consent. In other instances, such consent will be for informational purposes. Any request to obtain your consent does not narrow the scope of this Privacy Policy. By using the Orchestra One Service, you accept and agree to Orchestra One’s information handling practices in the manner described.Surveys and Ratings. The content of feedback you provide to Orchestra One is presumed public. Orchestra One will let you know in advance how it will use survey or rating feedback in any such request for such information.Protect the Orchestra One Service and data it stores. We may use the information collected through the Orchestra One Service to investigate potential or suspected threats to the Orchestra One Service or to the confidentiality, integrity or availability of the information Orchestra One stores and maintains.Communications. We may send email to the email address you provide to us to verify your account and for informational and operational purposes, such as account management, customer service, or system maintenance. We may also send you marketing emails if you request more information about our products and services. Emails are often transactional or relationship messages, such as appointment requests, reminders and cancellations and other notifications. Orchestra One may not offer you the option of opting out of receiving some of these messages although Orchestra One may allow you to modify how often you receive such messages. If you opt-in to receiving marketing announcements from Orchestra One, we will allow you to opt-out of receiving those announcements.Anonymized and Aggregate Data. We may anonymize and aggregate any data collected through the Orchestra One Service, and use it for business purposes. For example, we may use such data for evaluating and profiling the performance of the Orchestra One Service, including analyzing usage trends and patterns and measuring the effectiveness of content, features, or services.

Information sharing and disclosure
We may share your information:with our third-party vendors and service providers;with your health service provider and, at your direction, to others;to comply with legal obligations;to protect and defend our rights and property; andwith your permission.
We do not rent, sell, or share Personal Information about you with other people or nonaffiliated companies for their direct marketing purposes, unless we have your permission.We Use Vendors and Service Providers. We may share any information we receive with vendors and service providers retained in connection with the provision of the Orchestra One Service. When protected health information is shared, such vendors and service providers will be bound by appropriate confidentiality and security obligations which include business associate contract obligations as required by HIPAA.We do not rent, sell, or share Personal Information about you with other people or nonaffiliated companies for their direct marketing purposes, unless we have your permission.Plaid Services Disclosure. Orchestra One uses Plaid Technologies, Inc. (“Plaid”) to gather End User's data from financial institutions. By using our service, you grant Orchestra One and Plaid the right, power and authority to act on your behalf to access and transmit your personal and financial information from the relevant financial institution. You agree to your personal and financial information being transferred, stored and processed by Plaid in accordance with the Plaid Privacy PolicyDisplaying or Disclosing to Health Service Providers and Others. The content you provide to the Orchestra One Service may be displayed on the Orchestra One Service or disclosed to others at your direction. Your health service provider (including his or her staff) will have access to your account information, including your Personal Information. However, your health service provider will not have access to any payment information, such as your credit card number, through the Orchestra One Service. Your provider may: (i) receive and store your account information; (ii) change your password; (iii) restrict your ability to submit, delete or edit information; (iv) suspend or terminate your account access or (v) access or retain any information you provide or otherwise store as part of your account for any purposes required or permitted under applicable law. When you contact or schedule an appointment with a health service provider, the provider will need your name, contact information, as well as other information. You may also be permitted to share the content of your health records with others. We are not responsible for the privacy practices of the others who will view and use the information you disclose to others.Marketing. We do not rent, sell, or share Personal Information about you with other people or nonaffiliated companies for their direct marketing purposes, unless we have your permission.As Required By Law and Similar Disclosures. We may access, preserve, and disclose collected information, if we believe doing so is required or appropriate to: comply with law enforcement requests and legal process, such as a court order or subpoena; respond to your requests; or protect your, our, or others’ rights, property, or safety.Merger, Sale, or Other Asset Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction as permitted by law and/or contract. We cannot control how such entities may use or disclose such information.With Your Permission. We may also disclose your Personal Information with your permission.

Information Retention
Orchestra One’s collection, use, and disclosure of information are generally governed by service agreements with our health service provider clients. Information maintained to provide these services to our business clients is retained only for as long as we have a valid business purpose and in accordance with applicable law. Orchestra One may retain archived information for a period of five years (or longer if required by law) as necessary to comply with legal obligations, resolve disputes and enforce our agreements and other authorized uses under this Privacy Policy.Account Deactivation. If you desire to deactivate your account please have your provider contact us. Upon receiving such a request, Orchestra One will deactivate your account and archive your Personal Information, including any health information.Limits to Your Requests for Access, Amendment, or Deletion. You may not be able to access, update, or delete information that you share with another user or other party through the Orchestra One Service. Others may also submit personal information that identifies you (for example, when submitting medical family history). You will also not be able to access, update, or delete that information. Certain users, such as health service providers, may be required under HIPAA and other applicable laws to retain information about patients for extended periods of time. Orchestra One will continue to retain such information on their behalf.Orchestra One indefinitely stores non-personal information, as well as any feedback you provide us.

Access / correction
In most cases, Orchestra One obtains Personal Information on behalf of a health service provider. To request access to, correction, amendment, or deletion of this Personal Information, a patient or end user should make the change using the Orchestra One Service or contact the health service provider to which the data was provided. For other inquiries, please contact us at rob@orchestra.one

Security
While Orchestra One takes its every effort, no data transmissions over the Internet can be guaranteed to be 100% secure. Consequently, we cannot ensure or warrant the security of any information you transmit to us and you do so at your own risk. Once we receive your transmission, we take steps to ensure security on our systems. Please note this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of such safeguards.Orchestra One provides its services to health service providers, and when we process “protected health information” as defined by HIPAA on behalf of such health service providers, we are acting as a “business associate” to them as regulated by HIPAA. Therefore, Orchestra One must adopt and maintain appropriate physical, technical, administrative, and organizational procedures to safeguard and secure the protected health information we process. We also may not access, use, or disclose the protected health information except as permitted by health service provider clients, you, and/or applicable law. Orchestra One strives to protect the privacy of the Personal Information it processes, and to avoid inadvertent disclosure.If Orchestra One learns of a security system’s breach, Orchestra One maintains an incident response policy that includes notifications consistent with applicable law.By using the Orchestra One Service or providing Personal Information to us, you agree that we can communicate with you electronically regarding security, privacy, and administrative issues relating to your use of this website.

International
The Orchestra One Service is intended for use in the United States only. By using the Orchestra One Service, you will transfer data to the United States.Access to the Orchestra One Service is administered in the United States and is intended solely for users within the United States.

Persons under the age of 13
The Orchestra One Service is not intended for or designed to attract persons under the age of 13 (“child” or “children”). Orchestra One does not knowingly collect personal information from children. If Orchestra One learns that it has obtained personal information from a child, Orchestra One will delete that information as soon as practicable. If your child has provided us with personal information without your consent, please contact Orchestra One immediately.Without limiting the above, the Orchestra One Service does allow persons above the age of 18 years—such as health service providers, parents and guardians—to provide, share and store personal information about others, including minors and children. Any user providing, storing or submitting information on behalf of a child assumes full responsibility over the submission, use, and transmission of such information.

Changes and updates to privacy policy
We may revise this Privacy Policy, so review it periodically.Posting of Revised Privacy Policy. We will post any adjustments to the Privacy Policy on this web page, and the revised version will be effective when it is posted. If you are concerned about how your information is used, bookmark this page and read this Privacy Policy periodically.New Uses of Personal Information. From time to time, we may desire to use Personal Information for uses not previously disclosed in our Privacy Policy. If our practices change regarding previously collected Personal Information in a way that would be materially less restrictive than stated in the version of this Privacy Policy in effect at the time we collected the information, we will make reasonable efforts to provide notice and obtain consent to any such uses as may be required by law.

Contacting Orchestra One
If you have any questions, comments, or concerns about Orchestra One or this Privacy Policy, please email us at rob@orchestra.one