Privacy Policy

Last revised: March 2, 2022

The purpose of this Privacy Policy is to describe how Rupa, Inc. (“Rupa”,“we” or “us”) collects, uses and shares information about you through our website located at www.rupahealth.com, content.rupahealth.com, labs.rupahealth.com and any other online services that link to this Privacy Policy (collectively this “Site”) and in email, text, and other electronic messages between you and this Site and written documents, phone calls and other offline activities between you and Rupa. 

For certain information provided to us through the Site, we have entered into the Rupa Terms of Use and Sale  (“Terms”) with physicians or other health care practitioners (or their entities) that use Rupa services (collectively, “practitioners”), and the Terms govern our use of that information. This Privacy Policy supplements the Terms. If you are visiting this Site as a patient of a practitioner who is (directly or through a Covered Entity) subject to HIPAA (as each capitalized term is defined below), this Privacy Policy does not govern our use of Protected Health Information (as defined below) provided to us through the Site. Our use of Protected Health Information is governed by applicable law and the Business Associate Terms for Practitioners (“BA Terms”) included in the Terms with your practitioner. Your practitioner’s collection, use, disclosure, and transfer of Protected Health Information is governed, in turn, by your practitioner’s own terms and conditions and notice of privacy practices. If you do not know whether your practitioner (directly or through a Covered Entity) is subject to HIPAA, you should check with your practitioner. 

HIPAA” means Health InsurancePortability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time. “Protected Health Information” is individually identifiable health information that is protected by HIPAA and that we receive on behalf of practitioners subject to HIPAA. “Covered Entity”refers to a practitioner, lab or other entity subject to HIPAA.

Please read this notice carefully to understand what we do. If you do not understand any aspect of our Privacy Policy, please feel free to contact us (our contact information is at the end of this document). This Privacy Policy is not a contract and does not create any contractual rights or obligations. Your use of this Site is governed by our Terms.

Will Rupa ever change this Privacy Policy?

We’re constantly trying to improve our services offered through the Site (the “Services”), so we may need to change this Privacy Policy from time to time as well, but we will try to alert you to changes by placing a notice on our Site and applications, by sending you an email, or by some other means. Note that if you’ve opted not to receive legal notice emails from us, changes to this Privacy Policy will still govern your use of the Services, and you are still responsible for reading and understanding the changes.If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes.

What Information does Rupa Collect?

Information You Provide to Us:

We collect information you provide to us through the Site and offline, for example when you create or modify your account, register to use our Site, purchase products or services from us, request information from us, contact customer support, fill out any form on the Site, or otherwise communicate with us. If you are a patient, this information may include:

  • Name
  • Address
  • Email address
  • Telephone number
  • Payment information (credit card or debit card number, expiration date and credit card security code – solely for payment purposes)
  • Date of birth
  • Username and password
  • Any other information requested or provided through a contact form, email, text or other message with the Site.

If you are practitioner or other user, in addition to information we collect for a patient, this information may also include:

  • Zip code
  • Desired medical testing
  • Title / Role
  • Referring colleague
  • Shipping address
  • Associated company name
  • Other professional information
         

Please note if you are a practitioner and signup to use our Services, we will handle your patients’ lab work. We will use and disclose patients’ Protected Health Information in accordance with the BA Terms with your Covered Entity. If you are a practitioner who is not subject to HIPAA, this Privacy Policy governs our use of medical testing information and other health information provided to us through the Site.

If you are a patient of a practitioner, we may share the information described above with your practitioner, our service providers, marketing and advertising companies and with third parties who may acquire some or all of our assets. We may also share information with third parties with your consent or as required by law.

Information Collected Automatically:

Whenever you interact with our Services, we automatically receive and record information on our server logs from your browser or device, which may include your IP address, geolocation data, device identification, “cookie” information, the type of browser and/or device you’re using to access our Services, and the page or feature you requested. “Cookies” are a text file that we, or an included third party service, embed within the Site, and that may be transferred to your browser or device to allow us or the third-party service to recognize your browser or device and tell us or the third-party service how and when pages and features in our Services are visited and by how many people. The third-party service providers may aggregate that information across their sites and other sites that have the same services installed. You may be able to change the preferences on your browser or device to prevent or limit your device’s acceptance of cookies, but this may prevent you from taking advantage of some of our Site’s features. 

We use several third-party services, which may include features that track you across websites, such as Google Tag Manager, HubSpot, Facebook Connect, Segment, LinkedIn Analytics and other third-party services. We may update our third-party embedded services from time to time and based on which links in our Site you click.  Each of these services are governed by their own privacy policy found on the associated third-party website. 

The information we collect automatically may include personal information, or we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve the Site and to deliver a better and more personalized service, including by enabling us to:

  • Estimate our audience size and usage patterns.
  • Store information about your preferences, allowing us to customize our Site according to your individual interests.
  • Speed up your searches.
  • Recognize you when you return to our Site.

We may use this data to customize content for you that we think you might like, based on your usage patterns. We may also use it to improve the Services – for example, this data can tell us how often users use a particular feature of the Services, and we can use that knowledge to make the Services more helpful to as many users as possible. 

If you click on a link to a third-party website or service, a third party may also transmit cookies to you. Again, this Privacy Policy does not cover the use of cookies by any third parties, and we aren’t responsible for their privacy policies and practices. Be aware that cookies or other third-party tracking technologies may be placed by third parties and may continue to track your activities online even after you have left our Services, and those third parties may not honor “Do Not Track” requests you have set using your browser or device. We do not control these third parties' tracking technologies or how they may be used by the third parties. If you have any questions about an advertisement or other targeted content, you should contact the responsible party directly.

We may share the information described above with your practitioner, our service providers, marketing and advertising companies and with third parties who may acquire some or all of our assets. We may also share information with third parties with your consent or as required by law.

No Information from Individuals Under the Age of 18

If you are under the age of 18, please do not attempt to register with us at this Site or provide any personal information about yourself to us. If we learn that we have collected personal information from someone under 18, we will promptly delete that information. If you believe we have collected personal information from someone under the age of 18, please email us at hello@rupahealth.com. 

How does Rupa Share or Use the Personal Information it Receives?

To Provide Products, Services, and Information.

We collect information from you and use the information to:

  • present our Services, Site and its contents to you;
  • provide you with information, products, or services that you request from us;
  • improve our Services, Site and its contents;
  • develop new features, functionality and content for our Services and Site;
  • fulfill any other purpose for which you provide it;
  • communicate with lab companies to order and track lab-work either ordered to you or your patients;
  • register and service your online account;
  • provide information that you request from us;
  • contact you about your lab statuses and lab orders;
  • process credit card and debit card transactions;
  • get products shipped to you from lab companies;
  • send you promotional materials or advertisements about     our products and services, as well as new features and offerings;
  • enforce our Terms or other legal rights and remedies;
  • provide interest-based targeted advertising to you;
  • notify you about changes to our Site or any products or Services we offer or provide though it; and
  • any other purposes disclosed to you at the time we collect your information or pursuant to your consent.
     

Sharing among Patients, Healthcare Practitioners and Labs. Rupa acts as a third party between patients and practitioners to get lab work ordered effectively. We share patients’ personal information with the doctor and relevant medical staff as well as the lab company performing the tests and relevant lab personnel in connection with getting orders and lab results in.

Vendors and Service Providers. We may provide information to third-party vendors and service providers that help us operate and manage our Site, process orders, and fulfill and deliver products and Services that you purchase through us. These vendors and service providers will have access to your personal information in order to provide these services, but when this occurs we implement reasonable contractual and technical protections to limit their use of that information to helping us provide the service.

Your Consent. In addition to the sharing described elsewhere in this Privacy Policy, we will share personal information with companies, organizations or individuals outside of Rupa when we have your consent to do so.

Legal Responsibilities and Proceedings. We will share personal information with third party companies, organizations or individuals outside of Rupa if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, subpoena, legal process or enforceable governmental request;
  • enforce applicable Terms, including investigation of potential violations;
  • detect, prevent, or otherwise address fraud, security or technical issues; or
  • protect against harm to the rights, property or safety of Rupa, our users, customers or the public as required or permitted by     law.

Transfer in the Event of Sale or Change of Control. If the ownership of all or substantially all of our business changes or we otherwise transfer assets relating to our business or the Site to a third party, such as by merger, acquisition, bankruptcy proceeding or otherwise, we may transfer or sell your personal information to the new owner. In such a case, unless permitted otherwise by applicable law, your information would remain subject to the promises made in the applicable privacy policy.

To Create De-Identified Data. We may use your information to create data that is de-identified in accordance with the de-identification standards under HIPAA and other laws. We will use de-identified data only as permitted by applicable law. We will not sell de-identified data.

To Provide Analysis to Health Care Providers. Rupa may combine your information with information from other users of the Site to provide analysis in de-identified form to practitioners and lab companies.  

Do I have access to my information?

You can access and update certain information we have relating to your online account by signing into your account and going to the Account section of our Site. If you have questions about personal information we have about you or need to update your information, you can Contact Us or call us at (669) 294-2703.

Other Sites

This Privacy Policy does not apply to information collected by Rupa through other means, including other websites operated by Rupa, or any third-party (including third-party websites that the Site may link to).  

Your California Privacy Rights

California residents are entitled to the following additional privacy rights listed below.

The right to know. You have the right to request that we disclose what personal information we collect, use, disclose, and sell. Specifically, you have the right to know:

  • The categories of personal information we have collected about you in the last 12 months; 
  • The specific pieces of personal information we have about you;
  • The categories of sources from which your personal information was collected;
  • The categories of your personal information that we sold or disclosed for a business purposes in the last 12 months, if any; 
  • The categories of third parties to whom your personal information was sold or disclosed for a business purpose in the last 12 months, if any; and 
  • The purpose for collecting, sharing, and selling your personal information.

Within the preceding 12 months, Rupa collected the categories of personal information detailed in the “Information You Provide to Us” and the “Information Collected Automatically” sections above. The sources from and purposes for which Rupa collects personal information are also described in the same sections and in the section “How does Rupa Share or Use the Personal Information it Receives?” Rupa does not sell your personal information. In addition, except as set forth in the sections above, Rupa does not disclose your personal information for business purposes to third parties.

The right to deletion. You have the right to request that we delete the personal information that we have collected or maintain about you. Under certain circumstances, we have the right to deny your request, such as if needed to comply with our legal obligations. If we deny your request for deletion, we will inform you of the reason.

The right to opt out of sale. Rupa does not sell your personal information. If that were to change, we would give you the right to opt-out of our sale of your information.

The right to equal service. Rupa will not discriminate against you in any way if you exercise any of your California privacy rights. Please be aware that exercising your rights may result in you being unable to use or access certain features of our Site.

To exercise your right to know and right to deletion, contact us using the email address or phone number provided in the “Questions and How to ContactUs” section below.  You may exercise your right to know twice a year free of charge. You may also contact us with questions or concerns concerning our privacy policies and practices using the information in the “Questions and How to Contact Us” section.

We will take steps to verify your identity before processing your request to know or request for deletion. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected personal information. We may request personal information from you in order to verify your identity, such as your name, email address, and physical address. We will only use the personal information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose. 

You may use an authorized agent to submit a request to know or a request to delete. When we verify your agent’s request, we may require the agent to provide proof that you gave the agent signed permission to submit the request. We may also ask you to verify your identity or to directly confirm with us that you provided the agent permission to submit the request.

California Civil Code Section 1798.83 (also known as the “Shine the Light” law) permits individual California residents to request certain information regarding our disclosure of certain categories of personal information to third parties for those third parties’ direct marketing purposes. To make such a request, please contact us using the information in the “Questions and How to Contact Us” section below. This request may be made no more than once per calendar year, and we reserve our right not to respond to requests submitted other than to the email or mailing addresses specified below. Note that we do not currently share personal information with third parties for those third parties’ direct marketing purposes.

Consent to Processing of Personal Data in the U.S.

This Site are intended for use only in the United States. If you use this Site or contact us from outside of the United States, please be advised that (i) any information you provide to us or that we automatically collect will be transferred to the United States; and (ii) by using this Site or submitting information, you explicitly authorize its transfer to and subsequent processing in the United States in accordance with this Privacy Policy.

Questions and How To Contact Us

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, please email us at hello@rupahealth.com, call us on (669) 294-2703, or contact us by US postal mail at the following address:

Rupa, Inc.
121 2nd St. Unit 5
San Francisco CA 94107