Privacy Policy
Astronaut Electronic Health Records
Scope and Purpose
This privacy policy (“Policy”) describes how we at Astronaut, LLC and our parent companies, subsidiaries, and affiliated companies (“Astronaut,” “we,” “us,” and/or “our”) may collect, use, and share information about you that we obtain through our electronic health record solution and associated websites (collectively, the “Solution”). This Policy also applies to any information we collect offline, such as when you visit our offices, attend Astronaut events, or interact with our representatives at other events, or in other contexts in which we make this Policy available to you.
Please note that this Policy does not apply to websites of third parties to which we provide links. We do not control and are not responsible for the privacy practices of the websites of other entities and we urge you to review any applicable third-party privacy policies for yourself.
What does Astronaut do?
Astronaut is a provider of an electronic health record solution, headquartered in the United States. For more information about Astronaut, please see the “About Astronaut” section of www.astronautehr.com.
What information does Astronaut collect?
We may collect information from you in the following ways:
- We collect information you provide directly to us, such as when you voluntarily enter information into fields on the Solution, sign up for or request certain services or information, agree to participate in our surveys, or call our customer service. Depending on how you interact with us, we may ask for your name, practice/organization name, address, email address, telephone number, and type of user (patient, provider, or partner).
- When you access our Solution, we may collect information about your visit and your device using automatic data collection technologies as described in the “Cookies and Automated Data Collection” section below. This information may include IP address, geolocation information, browser type and version, device type, mobile device identifiers, and information reflecting how you searched, browsed, and were directed to the Solution, including mouse movement, click, touch, scroll, and keystroke activity.
- We may also collect information from other sources, such as lead generation companies, credit bureaus, social networks, and business partners that offer co-branded services or help us sell or distribute our products. We may also collect information from other users of our services or from available sources.
How do we use your information?
We use your information in ways that you would expect us to based on why we collected it. For example, if you contact us with a request for information about our products or services, we will use your information to respond to your request. Below are some examples of how we use collected information:
- To enhance and improve our services, including to optimize our Solution’s functionality and identify our visitors and users’ areas of interest. For example, when you participate in our surveys, screeners and/or information gathering sessions or otherwise provide feedback, we may use that feedback to develop new products and services.
- To identify and authenticate you, such as to determine and validate whether you are an existing user of our services or products or a prospective client.
- To enable cross-device/cross-context tracking for an account you may have with us. For example, you might use multiple browsers on a single device, or use various devices (such as desktops, smartphones, and tablets), which can result in your having multiple accounts or profiles across various contexts and devices. Cross-device/cross-context technology may be used to connect these various accounts or profiles and the corresponding data from the different contexts and devices so you can more easily use your account(s).
- To communicate with you, such as to send you emails, solicitations, invitations, newsletters, awareness campaigns, and announcements.
- To maintain the safety, security, and integrity of our Solution and services, and for our own internal legal compliance purposes.
- To protect the health and safety of our personnel, clients, guests, and the general public.
- For other purposes explained at the time of collection, or for other business purposes consistent with the context of the collection of your information.
We may use information that does not identify you and could not reasonably be used to identify you (including information that has been aggregated, anonymized, or de-identified) for any purpose except as prohibited by applicable law.
Sharing your information
We share information outside of Astronaut in the following circumstances:1
- With service providers and vendors that provide services to us, such as to provide analytics, manage our content, administer ads, provide insights to us related to marketing needs, for market research purposes, and to analyze our marketing efforts.
- With our related entities for business purposes including, but not limited to, customer support, marketing, technical and business operations. We also may share information with affiliates for commercial purposes.
- When you make your information public or otherwise accessible to others. Please think carefully before posting such information as you are solely responsible for the content you post and the potential use of such information by others. Once you have posted information, you may not be able to edit or delete such information, subject to additional rights set out in the “Your Rights” section below.
- With our customers, when you engage in our surveys as an authorized user, through the onboarding process, through surveys collecting feedback on how we are doing, surveys administered post interaction with us related to support or training, and other surveys, including focus groups and usability design activities such as click tests, card sorts, and other surveys and tests you participate in. We typically notify you in advance that we will share your information with our customers if you complete a survey.2
We also share information with other entities in the following situations:
- Where you have given us your consent to share or use information about you;
- When we believe that we need to share information about you to provide a service that you have requested from us or from others;
- Where we are required by law or other legal process to disclose information, and where required, in response to a lawful request by public authorities, including meeting national security or law enforcement requirements.
- Where we believe that it is necessary to avoid liability or violations of the law;
- To protect the rights, property, life, health, security and safety of us, the Solution or anyone else;
- To an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of all or any part of our business, provided that we inform the buyer it must use your information only for the purposes disclosed in this Policy;
- At your request or direction; or
- To any other person with notice to you and your consent to the disclosure.
Notwithstanding the above, we may share information that does not identify you and could not reasonably be used to identify you (including information that has been aggregated, anonymized, or de-identified) except as prohibited by applicable law.
Retention and protection of data
While we maintain your information, we protect it using administrative, physical, and technical security safeguards designed to protect your information. Despite these measures, we cannot guarantee the security of the information we maintain about you.
Cookies and automated data collection
Our Solution uses cookies and similar technologies (such as pixels and pixel tags, ad tags, Software Development Kits (“SDKs”), clear GIFs, session replay scripts, and JavaScript). Cookies are small text files placed on your device that help the Solution work and help us gather statistical information about how visitors use the Solution, improve your experience, and maintain security.
Cookies also help us deliver advertisements, some of which may be tailored to your behaviors on the Solution. We engage third parties to help us deliver these advertisements, and these third parties may collect your information over time and across our Solution (and third party sites) in order to associate different devices you use and further gain insights into the goods and services that may interest you.
Your rights
You have the following rights and choices for managing the information we collect about you:
- Controlling Cookies with your Browser. Most browsers accept cookies by default. You can instruct your browser, by changing its settings, to decline, or to delete cookies. If you use multiple browsers on your device, you will need to instruct each browser separately. Your ability to limit cookies is subject to your browser settings and limitations. Some features of the Solution may not work properly if you decline the use of cookies. To learn more about cookies, please visit https://www.allaboutcookies.org/.
- Advertising. The companies we work with to provide you with targeted ads may be members of the Digital Advertising Alliance (“DAA”) and/or the Network Advertising Initiative (“NAI”). To learn more about the targeted ads provided by these companies, and how to opt out of receiving certain targeted ads from them, please visit: (i) for website targeted ads from DAA participants, https://www.aboutads.info/choices; (ii) for app targeted ads from DAA participants, https://www.aboutads.info/appchoices; and (iii) for targeted ads from NAI participants, https://www.networkadvertising.org/choices/. Opting out only means that the selected participants should no longer deliver certain targeted ads to you but does not mean you will no longer receive any targeted content and/or ads.3
- Mobile Devices. You may also limit our use of information collected from or about your mobile device for purposes of serving targeted ads to you by going to your device settings and deselecting “Allow Apps to Request to Track” (for iOS devices) or “Opt-out of Interest-Based Ads” (for Android devices).
Please note that if you opt-out using any of these methods, the opt-out will only apply to the specific browser or device from which you opt-out. We are not responsible for the effectiveness of, or compliance with, any opt-out options or programs, or the accuracy of any other entities’ statements regarding their opt-out options or programs.
The Solution does not respond to web browsers’ Do Not Track signals. Thus, your selection of the “do not track” option provided by your browser may not have any effect on our collection of cookie information for analytic and internal purposes. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.
International Transfer
We are based in the U.S. and the information we collect is governed by U.S. law. If you are accessing the Solution from outside of the U.S., please be aware that information collected through the Solution may be transferred to, processed, stored, and used in the U.S. and other jurisdictions. Data protection laws in the U.S. and other jurisdictions may be different from those of your country of residence. Your use of the Solution or provision of any information therefore constitutes your consent to the transfer to and from, processing, usage, sharing, and storage of information about you in the U.S. and other jurisdictions as set out in this Policy.
California residents
This Privacy Notice for California Residents (“Notice”) supplements the information contained in this Policy and included above, and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice.
The disclosures in this notice apply solely to the extent the CCPA applies to the information and data processing activities in question. Please note that the CCPA has a number of exemptions, including for certain personal information that we collect when providing services to our business customers communication (“B2B personal information”). Therefore, you may not have certain rights with respect to your information that we describe below.
Our information practices
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”). Personal information does not include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
- Information excluded from the CCPA’s scope, like health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data.
In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:
Category | Examples | Collected4 |
A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | |
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | |
C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | |
D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | |
E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | |
F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | |
G. Geolocation data. | Physical location or movements. | |
H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | |
I. Professional or employment-related information. | Current or past job history or performance evaluations. | |
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | |
K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | |
In addition:
- We obtain the categories of personal information listed above from the categories of sources described in the “What Information Do We Collect” section above.
- We use personal information for business and commercial purposes in accordance with practices described in the “How Do we Use Your Information” section of this Policy.
- We do not “sell” (as defined in the CCPA) personal information in connection with this Policy.
- We disclose the following categories of personal information for commercial purposes: identifiers, demographic information, commercial information, internet activity, geolocation data and inferences.
- We also use and partner with different types of entities to assist with our daily operations and manage our Solution. Please review the Sharing Your Information section for more detail about the parties we have shared information with.
With respect to deidentified patient information, we disclose such deidentified information to third parties only when permissible pursuant to our contractual commitments with customers and in accordance with Health Insurance Portability and Accountability Act (“HIPAA”) requirements or other applicable law. We employ the safe harbor method or the expert determination method, as enumerated under HIPAA. Those third parties to whom the deidentified data is disclosed are third party service providers/vendors with whom we have relationships and/or academic researchers and/or institutions that are contributing to the improvement of healthcare.
Your Rights as a California resident
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
You may have the right to request that we disclose certain information to you about our collection, use, disclosure, and sale of your personal information in the preceding 12 months.
Depending on your request, this may include:
- The specific pieces of personal information we collected about you, including, under certain circumstances, in a portable format.
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- The categories of your personal information that we sold or disclosed for a business purpose.
- The categories of third parties to whom we sold or disclosed that personal information for a business purpose.
- Our business or commercial purpose for collecting or selling that personal information.
You may have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. The CCPA also provides a right to opt out of the sale of your personal information. At this time, we do not sell your personal information, except to the extent that the sharing of cookie information for purposes of targeted advertising constitutes a “sale” under the CCPA.
Exercising Your Rights
To exercise the rights described above, please submit a request to us by either:
- Submitting a request at [_____].5
- Calling our toll-free number at [_____].
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. The verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include:
- Name, email address, phone, address (including zip code) and date of birth.
- Description of your request with sufficient detail that allows us to properly understand, evaluate, and respond.
We cannot substantively respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you, except where the CCPA does not require a verifiable request for a response. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
You may only make a consumer request for access or data portability twice within a 12-month period. We will not discriminate against you for exercising any of your CCPA rights.
Response timing and format
We endeavor to respond to a consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.
Any disclosures we provide will only cover the 12-month period preceding the consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
Other California privacy rights
California’s “Shine the Light” law (Civil Code § 1798.83) permits users of our Solution that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. In particular, customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclosed such information. To make such a request, please write us at: [_____].6 We may require additional information from you to allow us to verify your identity and we are only required to respond to requests once during any calendar year.
Updates to this Privacy Policy
We reserve the right to make updates and revisions to this Policy at our discretion and at any time. When we make changes to this Policy, we will update the effective date below. Any changes will be effective as of the “Updated” date. Your continued use of our Solution following the posting of changes constitutes your acceptance of such changes.
Contact
If you have any questions or comments about this Policy, the ways in which Astronaut collects and uses your information described here, your choices and rights regarding such use, or you wish to exercise your rights under California law, please contact us by:
- Calling us at [_____]
- Or writing to: [_____]
If you have a disability and would like to access this Policy in an alternative format, please contact us at [_____].
Date of last revision: [_____]
1 Note to Draft: To confirm all as applicable.
2 Note to Draft: Does Astronaut carry out surveys with its users?
3 Note to Draft: Please confirm if applicable.
4 Note to Draft: Please confirm for all entries. This information is required by California law. Please note that this legislation undergoes changes from time to time, and so we may need to monitor for any legal changes that would require revision in the future.
5 Note to Draft: The CCPA requires that both an online and telephone point of access are provided to California consumers for most businesses. However, businesses that operate exclusively online and have a direct relationship with the consumer (here, developers, providers) need not provide a toll-free number and may provide an email address instead.
6 Note to Draft: Generally you will want to provide notice address for your compliance officer in this section.