Privacy Policy

Carda Website Privacy Policy
Version 2.0.1.3
Last Update: February 2023

This notice describes how Personal Data (defined below) about you may be used and disclosed and how you can obtain access to this information. Please review it carefully. 

INTRODUCTION
We at Carda Health, Inc. (“we”, “us”, “the Company”, or “Carda”) value your privacy and are committed to keeping your personal data confidential. This Privacy Policy describes how we collect, use, and disclose your information in the context of providing the Carda website including all relevant content and functionality associated with the Website (collectively, the “Website”). 
Privacy Policy Applicability

This Website Privacy Policy applies to personal data that Carda collects from users of the Carda Website (“Personal Data”). The term “Personal Data” includes any information that can be used on its own or with other information in combination to identify or contact one of our users. 

We believe that privacy and transparency about the use of your Personal Data are of utmost importance. In this Website Privacy Policy, we provide you detailed information about our collection, use, maintenance, and disclosure of your Personal Data. The Website Privacy Policy explains what kind of information we collect, when and how we might use your Personal Data, how we protect Personal Data, and your rights regarding your Personal Data. This Website Privacy Policy does not describe how we collect, use, and disclose your Personal Data in the context of providing you the Carda Platform or Mobile Application.
For additional information related to how we use and disclose your Personal Data please contact our Privacy Officer at support@cardahealth.com. 

Note regarding third-party sites: Our Website may contain links to other sites that are not operated by Carda. If you click a third-party link, you will be directed to that third party’s site. We strongly advise you to review the privacy policy(ies) of every site you visit. Carda has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party sites or services. This Website Privacy Policy does not apply to your use of or access to any third-party sites or services.

Agreement to Website Privacy Policy Terms
By accessing and/or using the Website, you are acknowledging that you have read and agree to the terms of this Website Privacy Policy. If you do not agree, you must immediately cease using the Website.

Website Privacy Policy Updates

Please note that we occasionally update this Website Privacy Policy, and it is your responsibility to stay up to date with any amended versions. Any revisions to the Website Privacy Policy will be posted on the landing page(s) of the Website. Any changes to this Website Privacy Policy will be effective immediately upon providing notice via the Website landing page(s) and will apply to all Personal Data that we maintain, use, and disclose. If you continue to use the Website following such notice, you are agreeing to those changes. 

Questions or Concerns

If you have any questions or concerns after reading this Website Privacy Policy, please do not hesitate to contact us at privacy@cardahealth.com. We appreciate your feedback.

COLLECTION AND USE OF PERSONAL DATA

What Personal Data Does Carda Collect?
We collect three types of information from our Website users: (i) contact data; (ii) support data; and (iii) technology data. Each category of data is explained in depth below. 
Contact Data: Carda collects contact data from users, which may include, but not be limited to, your name, job title, company name, organization type, phone number, and e-mail address. The collection of this demographic data is primarily used to contact you and provide consultations or demos of Carda products and services.  
Support Data: If you contact us for support or to lodge a complaint, we may collect technical or other information from you through log files and other technologies, some of which may qualify as Personal Data (e.g., IP address). Such information will be used for the purposes of troubleshooting, customer support, software updates, and improvement of the Website in accordance with this Website Privacy Policy. Calls with Carda may be recorded or monitored for training, quality assurance, customer service, and reference purposes. 
Technology Data: We use common information-gathering tools, such as log files, cookies, web beacons, and similar technologies to automatically collect information, which may contain Personal Data from your computer or mobile device as you navigate our Website or interact with emails or other communications we have sent you. The information we collect may include your IP address (or proxy server), device and application identification numbers, location, browser type, Internet service provider and/or mobile carrier, the pages and files you viewed, your searches, your operating system and system configuration information, and date/time stamps associated with your usage. This information is used to analyze overall trends, help us provide and improve our Website, and ensure the proper functioning and security of the Website. 


How Does Carda Collect Personal Data? 
Website Engagement: Carda collects Personal Data through your engagement with the Website, such as when you sign up to receive information from Carda, schedule a consultation or demo, or sign up for a newsletter. 

Browser or Device Information: Certain information is collected by most browsers or automatically through your device, such as computer type, screen resolution, operating system name and version, device manufacturer and model, language, and Internet browser type. We use this information to ensure that the Website functions properly.

Clear GIFs: We employ a software technology called clear GIFs (also known as web beacons, web bugs, or pixel tags) along with other technologies such as e-tags and JavaScript that help us better manage content on our site by informing us what content is effective. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies that are used to track the online movements of web users. In contrast to cookies, which are stored on a user’s computer hard drive, clear GIFs, which are about the size of a period, are embedded invisibly on web pages.  

SDKs and Mobile Advertising IDs: Our Website may include third-party SDKs that allow us and our third-party service providers to collect information about your activity. In addition, some mobile devices come with a resettable advertising ID (such as Apple’s IDFA and Google Advertising’s ID) that, like cookies and pixel tags, allows us and our third-party service providers to identify your mobile device over time for advertising purposes.

Third-Party Plugins: The Website may include plugins from other companies. These plugins may collect information about the pages you visit and share this information with the company that created the plugin even if you do not interact with it. Carda has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise you to review the privacy policy(ies) of every site you visit.

Third-Party Online Tracking: Carda may also partner with certain third parties to collect, analyze, and use some of the information described in this section. For example, we may allow third parties to set cookies or use web beacons on the website or in email communications from us. This information may be used for a variety of purposes, including online website analytics and interest-based advertising. 

What Is Carda’s Cookie Policy?
Cookies are files that hold a small amount of data specific to a web application, which can later be used to help remember information entered, preferences selected, and movement within the application. We use cookies and other technologies to, among other things, better serve you with more tailored information, and to facilitate efficient and secure access to the Website. 
Our cookies do not, by themselves, contain Personal Data. Further, we do not combine the general information collected through cookies with any other Personal Data to identify you. However, we do use cookies to identify that your web browser has accessed aspects of the Website and may associate that information with your User Account (if one exists). 
Presently, Carda uses cookies for Google Analytics, Google Tag Manager, Facebook, Hotjar, and Doubleclick. This information may be used in connection with website pages and HTML formatted email messages to, among other things, track the actions of users and email recipients and compile statistics about usage and response rates. 

How Can Users Opt-Out of Cookies?
If you prefer, you can usually choose to set your browser to remove and reject cookies. If you enable a do not track signal or otherwise configure your browsers to prevent us from collecting cookies, certain features of the Website may not operate correctly, and you may also be unable to take advantage of some of the Website’s features. 

Do Not Track Disclosure
Some web browsers may transmit do not track (“DNT”) signals to websites with which the user communicates. To date, there is no industry standard for DNT and users cannot know how a given company responds to a DNT signal they receive from browsers. Carda is committed to remaining apprised of DNT standards. However, Carda does not support DNT browser settings and does not currently participate in any DNT frameworks that would allow Carda to respond to signals or other mechanisms regarding the collection of your personal information. 

How Will Carda Use Your Personal Data? 
Carda processes your Personal Data based on legitimate business interests, the provision of the Website to you, compliance with our legal obligations, and/or your consent. We only use or disclose your Personal Data when it is legally mandated or where it is necessary to fulfill those purposes described in this Website Privacy Policy. Where required by law, we will ask for your prior consent before disclosing your Personal Data to a third party. 
More specifically, Carda processes your Personal Data for the following legitimate business purposes: 
• To provide the functionality of the Website to you; 
• To respond to your inquiries and fulfill your requests when you contact us via one of our online contact forms or when you send us questions, suggestions, compliments or complaints about our Website;
• To send administrative information to you, such as a change in our terms, conditions, and policies, and to fulfill the terms of any agreement you have with Carda; 
• To provide you with our newsletter and/or other marketing materials, including marketing-related emails with information about Carda services and products that are likely to be of interest to you; 
• To manage and improve our operations and the Website, including the development of additional functionality;
• To better understand your interests and preferences, so that we may personalize our interactions with you and provide you with information and/or offers tailored to your interests;
• To respond to lawful requests from public and government authorities, and to comply with applicable state/federal law, including cooperation with judicial proceedings and court orders;
• To protect our rights, privacy, safety, or property, and/or that of you or others by providing proper notices, pursuing available legal remedies, and acting to limit our damages;
• To handle technical support and other requests from you; and to keep our Website safe and secure.
Carda may aggregate and/or anonymize Personal Data collected through the Website so that it will no longer be considered Personal Data. We do so to generate other data for our use, which we may use and disclose for any purpose, as long as it no longer identifies you or any other individual. 

Does Carda Use Personal Data for Analytics?

Carda uses third-party service providers to monitor and analyze the use of the Website. The analytics services and techniques we may use include, but are not limited to: Google Analytics, Segment, LiveIntent, Datadog, and Meta.

Where Is Personal Data Processed?

The Personal Data we collect through the Website will be stored on secure servers in the United States. Personal Data may be transmitted to third parties, which parties may store or maintain the data on their secure servers. These third parties are not permitted to transfer your Personal Data outside of the United States. 

With Whom Does Carda Share Personal Data? 

We may share your personal information with the following categories of individuals/entities: 
Business Partners and Vendors: We share Personal Data with a limited number of partners, service providers, and other persons/entities who help run our business (“Business Partners”). Specifically, we may employ third-party companies and individuals to facilitate our Website, provide services on our behalf, perform Website-related functions, or assist us in analyzing how our Website is used. Our Business Partners are contractually bound to protect your Personal Data and to use it only for the limited purpose(s) for which it is shared. Business Partners’ use of Personal Data may include, but is not limited to, the provision of services such as data hosting, IT services, and customer services.  
Our Advisors: We may share your Personal Data with third parties that provide advisory services to Carda, including, but not limited to, our lawyers, auditors, accountants, and banks (collectively, “Advisors”). Personal Data will only be shared with Advisors if Carda has a legitimate business interest in the sharing of such data. 
Third Parties Upon Your Direction or Consent: You may direct Carda to share your Personal Data with third parties. Upon your request and consent, we may share such Personal Data with those third parties that you identify. 
Third Parties Pursuant to Business Transfers: In the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Carda’s corporate entity, assets, or stock (including in connection with any bankruptcy or similar proceedings), we may share your Personal Data with a third party. 
Government and Law Enforcement Authorities: If reasonable and necessary, we may share your Personal Data to (i) comply with legal processes or enforceable governmental requests, or as otherwise required by law; (ii) cooperate with third parties in investigating acts or omissions that violate this Website Privacy Policy; or (iii) bring legal action against someone who may be causing intentional or unintentional injury or interference to the rights or property of Carda or any third party, including other users of our Website. 
How Long Does Carda Retain Personal Data?
Carda retains your Personal Data only as long as necessary and as required for our business operations, the provision of the Website, archival purposes, and/or to satisfy legal requirements. The exact period of retention will depend on: (i) the length of time in which you use the Website; (ii) the personal risk of harm for unauthorized use or disclosure; (iii) the purposes for which we process your Personal Data, including whether those purposes can be achieved through other means; and (iv) business operations and legal requirements. 
Except where requested by Carda, we ask that you do not send to us through the Website or otherwise disclose to us any sensitive Personal Data, including social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometric or genetic characteristics, criminal background, or trade union membership. 
At the end of the applicable retention period, we will remove your Personal Data from our databases and will require that our Business Partners remove any identifiable Personal Data from their databases. If there is any data that we are unable to delete entirely from our systems for technical reasons, we will put in place appropriate measures to prevent any further processing of such data. Please note that once we disclose your Personal Data to third parties, we may not be able to access that Personal Data and we cannot force the deletion or modification of such information by third parties.

What Happens to Personal Data Submitted by Minors?
Carda does not knowingly collect Personal Data from individuals under the age of 18. Additionally, our Website is not directed to individuals under the age of 18. We request that these individuals not provide Personal Data to us. If we learn that Personal Data from users under the age of 18 has been collected, we will take reasonable measures to promptly delete such data from our records. If you are aware of a user under the age of 18 accessing the Website, please contact us at support@cardahealth.com. 
If you are a resident of California under the age of 18 and have disclosed Personal Data to us, you may ask us to remove content or information that you have submitted through or to our Website.  

USER RIGHTS

What Rights Do Users Have Concerning Their Personal Data?
As a user of Carda’s Website, you have certain rights relating to your Personal Data. These rights are subject to local data protection and privacy laws, and may include the right to:
• Access Personal Data held by Carda;
• Erase/delete your Personal Data, to the extent permitted by applicable data protection and privacy laws and to the extent technologically feasible;
• Receive communications related to the processing of your Personal Data;
• Restrict the processing of your Personal Data to the extent permitted by law;
• Object to the further processing of your Personal Data, including the right to object to marketing;
• Request that your Personal Data be transferred to a third party, if possible;
• Receive your Personal Data in a structured, commonly used, and machine-readable format; and/or
• Rectify inaccurate personal information and, taking into account the purpose of processing the Personal Data, ensure it is complete. 
If you do not want to receive emails from Carda, you may unsubscribe at any time by clicking on the “Unsubscribe” link in each email communication or you may contact us at support@cardahealth.com. Please note that if you opt-out of marketing emails, we may still send you important administrative messages, from which you cannot opt-out. 
Where the processing of your Personal Data by Carda is based on consent, you have the right to withdraw that consent at any time. If you would like to withdraw your consent or exercise any of the above rights, please contact us at support@cardahealth.com.

How Can Users Update, Correct, or Delete Personal Data or Their User Account? 

You have the right to request restrictions on the uses and disclosures of your Personal Data. While we are not required to agree to all restriction requests, we will attempt to accommodate reasonable requests when appropriate. 
If you need to make changes or corrections to Personal Data, you may contact us at support@cardahealth.com. In order to comply with certain requests to limit use of your Personal Data, we may need to terminate your ability to access and/or use some or all of the Website. By requesting to limit use of your Personal Data or delete Personal Data, you acknowledge and agree that Carda will not be liable to you for any corresponding limitation in the scope of the Website or termination of Website access as necessary to comply with your request.
You have the right to request deletion of any Personal Data retained by Carda. To request deletion of your Personal Data, please email us at support@cardahealth.com and include a description of the Personal Data you would like removed. We will respond to all requests for data deletion as soon as reasonably possible.
PROTECTION OF PERSONAL DATA
Is Personal Data Secure?
Carda understands the importance of data confidentiality and security. We use a combination of reasonable physical, technical, and administrative security controls to: (i) maintain the security and integrity of your Personal Data; (ii) protect against any threats or hazards to the security or integrity of your Personal Data; and (iii) protect against unauthorized access to or use of such information in our possession or control that could result in substantial harm to you.
While Carda uses reasonable security controls, we cannot guarantee or warrant that such techniques will prevent unauthorized access to your Personal Data. CARDA IS UNABLE TO GUARANTEE THE SECURITY OR INTEGRITY OF PERSONAL DATA TRANSMITTED OVER THE INTERNET, AND THERE IS NO GUARANTEE THAT YOUR PERSONAL DATA WILL NOT BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED BY BREACH OF ANY OF OUR PHYSICAL, TECHNICAL, OR ADMINISTRATIVE SAFEGUARDS. ACCORDINGLY, WE DO NOT AND CANNOT ENSURE OR WARRANT THE SECURITY OR INTEGRITY OF ANY PERSONAL DATA YOU TRANSMIT TO US. You assume the risk that unauthorized entry or use, hardware or software failure, and other factors may compromise the security of your Personal Data at any time.

What Safeguards Does Carda Have in Place to Secure Personal Data?

Carda stores Personal Data on secured servers and uses a combination of safeguards to protect your personal information. Such safeguards include, but are not limited to, authentication, encryption, backups, and access controls. 

How Can Users Protect Their Personal Data? 

Carda has no access to or control over your device’s security settings, and it is your responsibility to implement any device-level security features and protections you feel are appropriate (e.g., password protection, encryption, remote wipe capability). We recommend that you take all appropriate steps to secure any device that you use to access our Website. 
Please note that Carda will never send you an email requesting confidential information, such as account numbers, usernames, passwords, or Social Security Numbers. If you receive a suspicious email from Carda, please notify us at support@cardahealth.com.
Further, if you know of or suspect any other security concern, please notify Carda immediately. 

What If Carda Experiences a Data or Security Breach?

Carda takes the security of your Personal Data seriously. In the event of a data or security breach, Carda will take the following actions: (i) promptly investigate the security incident, validate the root cause, and, where applicable, remediate any vulnerabilities within Carda’s control which may have given rise to the security incident; (ii) comply with laws and regulations directly applicable to Carda in connection with such security incident; (iii) as applicable, cooperate with any affected Carda user or client in accordance with the terms of Carda’s contract with such user or client; and (iv) document and record actions taken by Carda in connection with the security incident and conduct a post-incident review of the circumstances related to the incident and actions/recommendations taken to prevent similar security incidents in the future. Carda will notify you of any data or security breaches as required by and in accordance with applicable law. 

CALIFORNIA PRIVACY RIGHTS
If you are a California resident, the California Consumer Privacy Act (“CCPA”) may apply to you. Please see the CCPA Attachment for an explanation of your rights. 
Under California Civil Code sections 1798.83-1798.84, California residents are entitled to ask for and obtain from us an annual list identifying the categories of personal customer information which we shared, if any, with our affiliates and/or third parties in the preceding calendar year for marketing purposes. This list will be provided free of charge. Contact information for such affiliates and/or third parties must be included. If you are a California resident and would like a copy of this notice, please submit a written request to the following address: 

Carda Health, Inc.
8 the Green, Ste 11807
Dover, DE 19901