Privacy Policy

Last revised April 17, 2024

1. Introduction.

We respect your privacy, and we are committed to protecting it. This Privacy Policy describes how Rise Healthcare Tech, Inc., doing business as both “Ostro” and “RxDefine”, and any of our affiliates (collectively, “Ostro”, “we” and “us”) collects, uses, and protects information about you in connection with your use of the Digital Services, as such term is defined in our Terms of Use. You acknowledge and agree that we rebranded from RxDefine to Ostro in November 2022, and all references in this Privacy Policy and elsewhere across the Digital Services to RxDefine, Ostro, Ostro Health or similar terms refer, in each case, to us.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Digital Services. By accessing or using our Digital Services, you agree to this Privacy Policy, as well as to our Terms of Use.

2. Where this Privacy Policy applies.

This Privacy Policy applies to information, including information about you, that we collect as part of our Digital Services, including via e-mail, text, chat, phone, or other forms of communication between you and us.

Sections 3-6 of this Privacy Policy describe how we collect process information on our own behalf, and subject to our contractual obligations with our clients, they also describe how we collect and process personal information when we act as a “processor” or “service provider” (as such terms are defined by applicable law) to our clients, including with respect to any information collected via cookies and other similar technologies included in or provided as part of our Digital Services. While this Privacy Policy may describe how personal information is treated when you use the Digital Services we provide on behalf of our clients, when we act as a processor or service provider, our handling of information is ultimately governed by our contract with our client and not by this Privacy Policy. We do not control how our clients use information that we process on their behalf, and you should consult with the applicable client – and their own privacy policy, which is typically accessible from the website, application or other channel from which you accessed our Digital Services – to understand how they use information they receive from us.

Where we process information on our own behalf, Rise Healthcare Tech, Inc. is the data controller, and our contact information can be found in the section titled “How to contact us” at the end of this Privacy Policy.

This Privacy Policy also does not apply to information collected by any third party website, application, or service that is not part of the Digital Services, including those that may be linked to or accessible from the Digital Services.

3. Information we collect about you and how we collect it.

We collect different types of information about you, including information that may identify you either directly or when combined with other information, information that is about you but does not identify you, and information that we combine with information about our other users. 

Examples of the types of information we collect from and about users of our Digital Services:

  • information that is about you as a person, such as, where relevant to the Digital Services, name, address (e.g., home, office, billing), date of birth, gender, contact information (e.g., e-mail, phone), professional information (e.g., if you are a Clinician, including license information and NPI number), insurance information, medical history, and other health information or other information supplied by you; and
  • information that is about your usage of the Digital Services, including:
    • technical information, such as IP address data, traffic data, logs, referring/exit pages, date and time of your visit to or use of our Digital Services, error information, clickstream data, session recordings, location data, and other communication and interaction data and the resources and equipment (e.g., device, browser and other software information, operating system, Internet connection) that you access and use on or through our Digital Services; and
    • interaction information, such as information you provide when communicating to us (e.g., including to request a service or report a problem), information about the resources, content, materials, information, and other aspects of the Digital Services that you request or access, information about how you access and use the Digital Services (e.g., information and documentation about how you navigate and use the Digital Services, such as session recordings), and records and copies of your correspondence and other interactions with the Digital Services.

    We collect this information:

    • directly from you when you provide it to us, such as through e-mail, phone calls, text messages, website forms, and our webchat function on our Digital Services, including via the use of third party applications, services, and products that we integrate into our Digital Services;
    • automatically as you navigate through or use our Digital Services; and
    • from third parties, for example, our clients, service providers, and business partners.

    In addition to collecting data directly from you, we also use the following technologies in connection with certain of our Digital Services:

    • Cookies, Local Storage, Session Storage. We and our service providers and clients may use cookies, local storage, session storage, web beacons, and other data collection and analytics technologies to receive and store certain types of information when you interact with our Digital Services. A cookie is a small file or piece of data sent from a website and stored on the hard drive of your computer or mobile device. Local storage and session storage technologies are an alternative to cookies that store and save data locally only. On your device, you may be able to customize how your device interacts with these technologies, for instance by refusing to accept some or all cookies, by activating the appropriate setting in your browser and/or device settings. However, modifying these settings (for example, by refusing cookies) may cause certain parts of our Digital Services to be unavailable to you or to not work as intended.
    • Analytics Providers. We and our service providers and clients may use analytics service providers, including Google Analytics, a web analytics service provided by Google, Inc. (“Google”) to collect certain information relating to your use of our Digital Services. Google Analytics also utilizes cookies for this purpose. You can find out more about how Google uses data directly from Google, for instance on Google’s website. We may also use Google Analytics Advertising Features or other advertising networks to provide you with interest-based advertising based on your online activity.
    • Pixels and Tags. We and our service providers and clients may use pixels, tags, and similar technologies (i) to help identify what users do after they see or click on an element of our Digital Services and/or an advertisement or other content prior to reaching our Digital Services; (ii) identify users who interact with our Digital Services from different devices; (iii) connect users’ activities across platforms and devices, including enabling online to offline activity connections; and (iv) better understand the effectiveness of our Digital Services and our clients’ and partners’ user initiatives, and improve the content (including advertisements) provided to targeted audiences of interest to us, our clients, and our business partners. Examples of these technologies including (a) Facebook’s pixel and Instagram’s web analytics and advertising service, both provided by Meta Platforms, Inc. (“Meta”) and (b) Adstra tag and matching services provided by Adstra, LLC (“Adstra”). Data provided to Meta, Adstra, and other service providers in connection with your use of the Digital Services is saved and processed by those third parties, and may be used for their own and others’ purposes in accordance with those companies’ policies and applicable laws. For more information, including how to adjust your privacy preferences or exercise your privacy rights with those companies, please visit their website directly (e.g., Meta’s privacy center; Adstra’s privacy center).
    • AI Tools. We may use both internal and externally hosted software, platforms, and applications that utilize data analysis, learning, reasoning, problem solving, perception, prediction, planning or other cognitive functions in an attempt to augment or replicate human intelligence (we refer to these, collectively, as “AI Tools”). Examples of techniques employed by AI Tools include machine learning, deep learning, computer vision, natural language processing, robotics, virtual agents, chatbots, and other emerging technologies that aim to simulate human intelligence. AI Tools with which we share your personal data can be found on our service providers page. We may also share information that does not identify you when we use such AI Tools.
    • Client-Supplied Technologies. In cases where we act as a service provider or processor to our clients, we may permit our clients to customize certain of the technologies used in connection with our Digital Services, including to deploy their own preferred first-party or third-party technologies (for example, technologies like cookies, Meta’s Pixel, and Google Analytics, as described above) within or alongside our Digital Services. In each such case, such client’s collection and use of your information will be governed by that client’s own terms of use and privacy policy, which is typically accessible from the website, application or other channel from which you accessed our Digital Services.

    4. How we use your information.

    We may use information that we collect about you or that you provide to us to:

    • provide you with the Digital Services, including our Website and our other products and services;
    • provide you with other information, products, or services that you request from us or that we believe may be of interest to you;
    • provide services, including Digital Services, to and on behalf of our clients;
    • administer surveys, sweepstakes, promotions, and contests;
    • develop, support, maintain, secure, audit, review, and improve our Digital Services and other products and services that we may develop from time to time;
    • fulfill any other purpose for which you provide such information or otherwise consent to, including as we may describe to you when you provide the information;
    • for recruiting and human resources purposes, in particular with respect to candidates who interact with us through our Website or other Digital Services;
    • carry out our obligations and enforce our rights arising from any contracts entered into between you and us;
    • notify you about changes to our Digital Services or any products or services we offer or provide though them;
    • analyze data and information about the provision, use, activity, and performance of our Digital Services and any other products and services, including those that we may develop or provide in the future, as well as of their users, including you;
    • create Information Assets (as described below) and provide access, sell, disclose, and otherwise use them and related analytics products and services as described above, in whole or in part, including to our clients and other partners as part of the services we offer to them;
    • exercise our rights and discharge our obligations under the law, which may including sharing your information as described in this Privacy Policy;
    • protect the safety, health, rights, property, or security of Ostro, our users, employees and workforce members, third parties, members of the public, and/or the Digital Services.
    • communicate with you about any of the above, including to provide you with notices relevant to your use of or changes in the Digital Services and to respond to your requests of us;

    As a processor or service provider, we use the information we collect about you, including information that you provide to us through your use of the Digital Services, to provide Digital Services to our clients and as otherwise set forth in our contracts with such clients.

    Our use of your information, including as described above, is at all times subject to the limitations and conditions of this Privacy Policy and of the laws applicable to your privacy and personal information in connection with your use of our Digital Services (“Privacy Laws”). As Privacy Laws change over time, we regularly review these changes and our use of your information, and we will update this Privacy Policy accordingly, including to reflect changes in our use of your information and in your rights afforded by these Privacy Laws.

    If you wish to customize or restrict how we use or disclose your information, please see the section of this Privacy Policy entitled “Choices about how we use and disclose your information” for more information on how to do so.

    5. Disclosure of your information.

    We may disclose your information in any of the following circumstances:

    • to our affiliates, contractors, service providers, subprocessors, and other third parties in connection with our business. The services provided by these organizations include:
      • IT and infrastructure support services;
      • information and cybersecurity services;
      • payment processing services;
      • data analytics services;
      • information, product marketing, or content fulfillment services;
      • patient safety, including adverse event or adverse reaction reporting services, including on behalf of our clients;
      • internal infrastructure and support services, including communications, product development, user support, and quality assurance;
      • recruiting and human resources support services; and
      • certain components of our Digital Services and related services, including user communications, user support, and Telehealth Services, as described in our Terms of Use.
    • to our clients, including as part of the Digital Services that we provide and for which we receive financial compensation from our clients. In those instances, we may collect, process, use, and disclose your information on behalf of such clients, and in each case, such client’s use of your information will be governed by that client’s own terms of use and privacy policy, which is typically accessible from the website, application or other channel from which you accessed our Digital Services. Our clients’ use of your information may include, but is not limited to:
      • one or more of the uses described elsewhere in this Section of the Privacy Policy, though as made by or on behalf of the particular client and not by us; and
      • targeted communications and marketing to you, including regarding products and services that our clients or their partners believe that you may find of interest.
    • to a buyer or other successor in interest of our business in the event of an actual or contemplated merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which user information is among the assets subject to such transaction or otherwise part of the due diligence of such a transaction;
    • to fulfill the purpose for which you provide it;
    • for any other purpose disclosed by us when you provide the information; and
    • with your consent.

    We may also disclose your information:

    • to comply with any court order, law, or legal process, including to respond to any government or regulatory request;
    • to you or your designated agent to allow you to exercise your individual choices under applicable laws with respect to your data;
    • to third parties to market their products or services to you;
      • however, data obtained through the SMS short code program will not be shared with any third-parties for their marketing reasons/purposes; and
      • the foregoing limitation does not apply to sharing with our clients on whose behalf we may send SMS communications as part of the SMS short code program.
    • to enforce or apply our Terms of Use and other agreements; and
    • if we believe disclosure is necessary or appropriate to protect the security, health, rights, property, or safety of us, our clients, our users, any member of the public, or others. This includes exchanging information with government agencies and authorities, other companies and organizations for the purposes of fraud protection, information security, credit risk reduction, health and safety, and other lawful purposes.

    6. Use and disclosure of deidentified and/or aggregated information.

    We collect and create information assets (“Information Assets”) from a variety of sources, including information about and generated by your use of our Digital Services. We may use these Information Assets for any lawful purpose, including to share, sell, or otherwise disclose to our clients and business partners, to support, develop, improve, and enhance our Digital Services and other products and services, and to perform quality assurance and other security testing and monitoring with respect to our Digital Services and our business.

    Your information, including information about you as described in this Privacy Policy, may be incorporated into Information Assets. However, we will only incorporate your information into such Information Assets in such a way that you are not reasonably capable of being individually identified or associated with such information. Where appropriate, we may undertake measures, such as aggregation or deidentification, as well as other technical or security measures, that are designed to reduce the risk that you may be identified in connection with such Information Assets.

    7. Choices about how we use and disclose your information.

    We do not control the collection and use of your information collected by third parties, including our clients and other third parties with which you interact separately from our Digital Services. These third parties may use the information they collect from or about you for their own purposes, which may be different from those described in this Privacy Policy. Please familiarize yourself with the privacy policies and other terms provided by these third parties about their own products and services.

    In addition, we strive to provide you with choices regarding the information that you provide to us, such as:

    • Tracking technologies. On your device, you may be able to choose to be alerted and/or to refuse to accept some or all cookies or other tracking technologies by activating the appropriate setting in your browser and/or device settings. However, refusing these technologies, including cookies, may cause certain parts of our Digital Services to be unavailable to you or to not work as intended.

      Some web browsers permit you to broadcast a signal to websites and online services indicating a preference that they “do not track” your online activities. At this time, while you can disable cookies and/or other tracking technologies as described above, we do not honor or recognize when your browser sends “do not track” signals. We do not modify what information we collect or how we use that information based on whether such a signal is broadcast or received by us.
    • Text message communications (SMS). In connection with the Digital Services you may have the opportunity to provide your phone number, including so that you may interact with Navigators and/or other aspects of the Digital Services via SMS/text message or phone call. By providing your phone number, you are agreeing to be contacted by or on behalf of Ostro at the number you have provided, including calls and text messages, to receive informational or transactional messages and communications relating to the Digital Services. These may include progress tracking, reminders regarding consultations, refills, or other services, logistical communications (e.g., following up to a message you or we have left), and other communications in support of the Digital Services you use or request. You may also have the option to separately consent to the use of your phone number for additional services and communications, including to receive marketing and/or promotional communications from us or our partners or clients, including as described in this Privacy Policy. Voice and text messages may be sent using automated or nonautomated technology. If you are experiencing issues with any text messaging program or service that is part of the Digital Services please reply with the keyword HELP for further assistance. To stop receiving text messages text a reply to us with the word STOP. We may confirm your opt out by text message. If you subscribe to multiple types of text messages from us, we may unsubscribe you from the service that most recently sent you a message or respond to your STOP message by texting you a request to identify services you wish to stop. Please note that by withdrawing your consent some Digital Services may no longer be available to you. Keep in mind that if you stop receiving text messages from us you may not receive important and helpful information and reminders about your services.
    • Email communications. By providing your e-mail address, you are agreeing to be contacted by or on behalf of Ostro at the address you have provided to receive informational, transactional, product or service related, or marketing communications relating to the Digital Services. If you do not wish to have your e-mail address used by us to communicate with you, with respect to marketing or promotional communications, if any, you can opt-out at any time by clicking the unsubscribe link at the bottom of any e-mail or by contacting us at privacy@ostrohealth.com. Please note that this opt out does not apply to transactional communications between you and us regarding your use of the Digital Services. For such communications, you may access your User Account (described below) or contact us at privacy@ostrohealth.com to update your communications settings, including your e-mail address. Please be advised, however, that some Digital Services will not operate fully or as intended if we are unable to communicate with you and we may be restricted by applicable law from disabling certain communications.
    • Third party promotional offers. By using our Digital Services, you consent to our sharing of your information with the third parties as described in this Privacy Policy, including our clients and certain other third party partners. If you wish to unsubscribe from any such third parties’ promotions, you can do so by following the instructions in their communications; in many cases this can be done by clicking the unsubscribe link at the bottom of the applicable e-mail or other marketing communications you receive from them.
    • User account settings. For some Digital Services, you may have created a user account (“User Account”) to allow you to access information, communicate with us, and otherwise access and use certain features of the Digital Services that are available only to registered users. If you have created a User Account, you may also adjust certain communication and privacy preferences and settings directly via your User Account.

    Please note that the above choices may not apply to or affect our activities as a processor or service provider to our clients. Please refer to the relevant client’s privacy policy – which is typically accessible from the website, application or other channel from which you accessed our Digital Services – for the choices that the client may provide to you.

    If you have questions about your choices regarding your information, please contact us at privacy@ostrohealth.com or by using the additional information included in the “Contact us” section at the end of this Privacy Policy. 

    8. Requests regarding your information.

    Please note that we are not obligated to respond to requests regarding information that we handle as a processor or service provider to our clients. The relevant client is responsible for responding to such requests. If you submit a request regarding information for which we are a processor or service provider, we may forward your request to the applicable client so that they may review and, if appropriate, accommodate your request.

    For requests regarding your information for which we are a controller, if a privacy law is in force in your state of residence and we are subject to such law with regard to your information, you may be able to request:

    • Access to information we have about you or a copy of such information.
    • Information about the categories of information we have about you, our purposes for collecting and disclosing this information, and categories of third parties to which we disclose this information.
    • Correction of certain information we have about you 
    • Deletion of certain information we have about you.
    • That we opt you out of certain uses and disclosures of your information. 
    • Restriction or objection to certain uses of your information.

    You may email us at privacy@ostrohealth.com to make these requests. Please note your request and the information regarding which you are making the request. If you have created a User Account, you may also be able to make and/or carry out such requests directly via your User Account.

    These requests are subject to certain limitations and exceptions. For example, we may not be able to accommodate your request, including because:

    • we have deidentified or anonymized the relevant information;
    • we believe that fulfilling your request would violate Privacy Laws or another legal requirement or cause information to be incorrect; and/or
    • your request falls within a specific exception under Privacy Laws.

    If we decline to fulfill your request, certain Privacy Laws may allow you to appeal this decision. If legally required, we will provide instructions for how to appeal when we notify you that we have declined to fulfill your request.

    Finally, we may ask you for additional information in order to better understand and validate your request, including information as reasonably necessary and permitted by Privacy Laws to verify your identity and your right to access and take action with respect to the requested information. If the Privacy Laws applicable to you allow you to authorize an agent to submit requests on your behalf, the agent must provide legally sufficient proof (e.g., power of attorney) that they are authorized to submit the request on your behalf. Before responding to a request by an authorized agent, we may validate the agent’s identity and may also validate your identity directly with you.

    Please note that we reserve the right not to respond to requests related to your information if we are not legally required to respond.

    9. Information for International Users

    Ostro is headquartered in the United States, and we may transfer, store, and/or process your information to or with other entities within the Ostro family of companies or other third parties such as trusted service providers and partners in locations around the world for the purposes described in this Privacy Policy. Wherever your information is transferred, stored, or processed by us, we take appropriate steps to protect your information in accordance with this Privacy Policy and applicable laws. These measures may include implementing Standard Contractual Clauses to govern the transfer of your information, or other means recognized by applicable laws. By providing us with your information, you acknowledge any such transfer, storage, or processing.

    If you have any concerns or complaints about our data processing activities, we urge you to first try to resolve such issues directly with us. However, if applicable, you may make a complaint to the data protection supervisory authority in the country where you are based, or seek a remedy through local courts if you believe your rights have been violated.

    The laws in some jurisdictions also require us to tell you about the legal grounds we rely on to use or disclose your “personal data” (as such term is defined under applicable law) when we act as a data controller. To the extent that those laws apply, our legal grounds are as follows:

    • To honor our contractual commitments to you: We process personal data to fulfill customers’ requests in anticipation of entering into a contract with them or in the course of providing services to them. For example, we handle business contact information of prospective customers and customers in furtherance of our contracts with the relevant customer.
    • Legitimate interests:  In many cases, we handle personal data on the ground that it furthers our legitimate interests in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals, such as to fulfill customer service requests, market our services to you, protect our users, personnel and property, and analyze and improve our website.
    • Consent: Where required by law, and in some other cases, we handle personal data on the basis of your implied or express consent.
    • Legal compliance: We use and disclose personal data in certain ways to comply with our legal obligations.

    10. Information security.

    We have implemented measures designed to secure your information from accidental loss and from unauthorized access, use, alteration, and disclosure. We use encryption technology, multifactor authorization, and various authentication and identity management tools to safeguard the information sent and received by us.

    The safety and security of your information also depends on you. Where you have chosen a password for the use of our Digital Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. If you believe that your password may have been compromised please access your User Account and reset it immediately. If you believe that your information may have been compromised or misused, please contact us immediately at privacy@ostrohealth.com.

    Unfortunately, the transmission of information via the Internet is not completely secure. Although we do our best to protect your information, we cannot guarantee the security of your information when it is transmitted to, on, or through our Digital Services or otherwise disclosed to us. Any transmission or disclosure of your information is at your own risk.

    11. No medical advice or care.

    Ostro is not a medical group. We do not provide medical advice or care. Information communicated to you through our Digital Services is not a substitute for a discussion with a licensed medical practitioner and should never be applied or interpreted as medical advice or any form of personal treatment plan.

    Any telemedicine or other clinical consults or services obtained or facilitated through our Digital Services are provided by an independent healthcare Clinician (as defined in our Terms of Use). Your Clinician, and not Ostro, is responsible for providing you with a Notice of Privacy Practices that describes its collection and use of your health information. Please contact your Clinician with any questions about your Clinician’s Notice of Privacy Practices.

    12. Not intended for children.

    Our Digital Services are intended for general audiences and are not directed at children. If we become aware that we have collected data without legally valid parental consent from children under an age where such consent is required, we will take reasonable steps to delete it as soon as possible. In some instances, certain products or services may be provided through the Digital Services that are intended for use by the caregivers of children; please see our Terms of Use for additional information.. If you believe we might have any information from a child for which legally required parental consent was not provided, please contact us immediately at privacy@ostrohealth.com.

    13. Changes to this Privacy Policy.

    This Privacy Policy may change from time to time. It is our policy to post any changes we make to our Privacy Policy on this page, and to clearly indicate the date on which this Privacy Policy was last updated. Your continued use of our Digital Services after we make changes is deemed to be acceptance of those changes, so please check this Privacy Policy periodically for updates. Where we make material changes that require notice to you under Privacy Laws, we will use commercially reasonable efforts to directly notify you of such change, including by sending you an e-mail if we have an e-mail address for you and/or taking other steps as may be required by such Privacy Law. If you would like to be notified of such changes and would like to provide us with a current e-mail address, please contact us at privacy@ostrohealth.com or, if applicable, access your User Account to update your contact information.

    14. Ethical conduct.

    We pride ourselves on ethically empowering people like you to navigate their health. If you see or suspect any unethical or illegal activity of any kind in connection with the Digital Services we would appreciate it if you would report it to us immediately so that we may promptly investigate. Please contact us at compliance@ostrohealth.com.

    15. Contact us.

    If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, you may contact us at the contact information below or through any of the various “Contact Us” elements of our Digital Services.

    How to Contact Us:

    Ostro

    382 NE 191st St
    # 71935
    Miami, Florida 33179-3899

    (786) 550-8082

    E-mail: privacy@ostrohealth.com