Documo's Privacy Policy
Effective Date: 10/01/2025
Summary:
Documo helps healthcare organizations manage their data securely and efficiently. We collect basic information when you visit our website (like your name and email), and we process healthcare data for our customers following strict medical privacy laws like HIPAA. We never sell your information to anyone, and we only use or share data as you’ve agreed to or as required by law. For healthcare data, we only handle it exactly as our healthcare customers direct us to, with strong security protections in place.
Introduction:
Documo Inc. (“Documo,” “we,” “our,” or “us”) is committed to protecting your privacy and safeguarding the information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and protect information when you interact with our website at www.documo.com (the “Website”) and when you use our products and services through app.documo.com, api.documo.com, and related service endpoints (the “Services”).
Because Documo supports healthcare organizations, some Customers enter into Business Associate Agreements (“BAAs”) with us under the Health Insurance Portability and Accountability Act (“HIPAA”). This Privacy Policy explains how we treat different categories of data, including Protected Health Information (“PHI”), and clarifies how our BAAs govern PHI processing.
Scope of This Policy
This Privacy Policy applies to:
Website Visitors: Individuals who browse our Website or submit inquiries through the forms on the Website.
Service Users: For Customers using our Services to process, store, or transmit data (including PHI), this Privacy Policy applies only to the extent not superseded by:
- Business Associate Agreements (BAAs)
- Service Agreements or other contracts
- HIPAA requirements (which we follow regardless of BAA status)
Definitions
Personal Information means information about an identifiable individual, including name, mailing address, email, phone number, billing details, and similar identifiers. Personal information does not include:
- Business contact information used solely in a business context
- Aggregated or anonymized data that cannot reasonably identify an individual
Protected Health Information (PHI) refers to individually identifiable health information, as defined under HIPAA, including any information processed through our Services on behalf of healthcare-related Customers.
Customer Data includes all information uploaded, transmitted, or stored by Customers through our Services, which may contain PHI, personal information, and other sensitive data.
Your Consent to Collection, Use, and Disclosure
For Website Activities: We collect, use, and disclose personal information primarily with your consent, unless otherwise permitted or required by law. Your consent may be express or implied, depending on the circumstances and sensitivity of information.
You may ask that any personal information we have stored related to you be removed by contacting us at privacy@documo.com. You also have the option to use browser settings to limit cookies and tracking. However, please note that:
- Browser settings that block cookies or tracking technologies may also reduce website functionality or cause technical issues
For Service Activities: When you use our Services as a Customer or end user, data processing is governed by:
- Your Service Agreement with Documo
- Any applicable BAA (for PHI)
- HIPAA requirements (which we follow regardless of BAA status)
- This Privacy Policy (for non-PHI personal information)
For Service-related processing, withdrawing consent would significantly impact our ability to provide the Services and may result in the suspension or termination of your account. However, you retain control over specific preferences:
- Browser settings that block tracking technologies may impact Service functionality.
- You can contact us to discuss particular data processing concerns while maintaining your Service access.
Important: If you choose to provide personal information to us or continue using our Website or Services, we assume consent to the collection, use, and disclosure of your personal information as outlined in this Privacy Policy.
Information We Collect
Website and Account Information
We collect the following for website operations and account management:
- Contact and Account Information: Name, username, email, phone, job title, company information. This is focused on our subscribed services.
- Usage and Technical Information: IP address, device information, browser type, website interaction data, timestamps
- Website Form Data: Information submitted through contact forms, demo requests, and support inquiries
- Cookie and Analytics Data: As described in the Cookies section below
Customer Data Through Services
When Customers use our Services, they may upload, store, or transmit various types of data, including:
- Protected Health Information (PHI): Processed only as directed by Customers under BAAs or Service Agreements
- Personal Information: Individual data processed on behalf of Customers
- Business Data: Non-personal information related to Customer operations, such as company name and mailing address.
Cookies and Similar Technologies
We use cookies and similar tracking technologies on our Website to:
- Facilitate navigation and improve Website functionality
- Analyze Website traffic using services like Google Analytics
- Personalize Website experiences
- Support marketing and advertising efforts
Important: Cookies and tracking technologies are used solely for site activities and to improve the overall website flow and function. You can control cookies through your browser settings, though some Website functionality may be limited if cookies are disabled.
How We Share Your Information
Website and Account Information
We may share this information with:
- Service Providers: Third parties who provide website hosting, payment processing, analytics, marketing services, and other business operations support. No PHI is shared in this manner.
- Legal Requirements: As required by applicable law, regulation, or valid legal process
- Business Transactions: In connection with mergers, acquisitions, or asset sales, subject to confidentiality protections
Customer Data and PHI
- PHI: Shared only as authorized under Customer BAAs, required by HIPAA, or as directed by Customers
- Service Providers: Customer Data may be shared with subprocessors under strict confidentiality and security obligations. Our list of subprocessors can be found HERE.
- Legal Requirements: As required by applicable law or regulation
No Sale of Data: We do not sell personal information or Customer Data. In the past 12 months, we have not sold any personal information.
Google Analytics
Our Website utilizes Google Analytics, a service from Google, Inc. (“Google”) that uses cookies. The information collected by the cookies (which includes your IP address) is transferred to Google, which stores and processes the information in the United States. Google uses the information to provide us with an analysis of your use of our Website, as well as overall use of, and traffic on, our Website. You can opt out of Google Analytics by downloading and utilizing the Google Analytics Opt-out Browser Add-on. By using our Website, you understand and acknowledge our use of Google Analytics.
PHI Protection: PHI is never tracked or analyzed via cookies or analytics. Tracking technologies that access any PHI are not deployed within the Service environment. All tracking technology that is present is specifically in use to improve website performance and the overall user experience.
Data Retention
Website and Account Information: Retained as long as needed to provide Services, fulfill legal obligations, or as specified in our agreements.
Customer Data and PHI: Retained, returned, or securely destroyed according to:
- BAA requirements (where applicable)
- Service Agreement terms
- HIPAA requirements
- Customer instructions
- Legal and regulatory requirements
Marketing Information: Retained until you opt out or for a reasonable period after last interaction.
Your Rights
Individuals have several rights regarding their personal information under global privacy laws. You may submit a written request to access, correct, or delete any personal information we have collected, used, or disclosed about you. We will provide you with any such information to the extent required by law. You may also challenge the accuracy or completeness of your personal information in our records. If you successfully demonstrate that the personal information in our records is inaccurate or incomplete, we will amend it as required.
We may require that you provide sufficient identification to fulfill your request to access or correct your personal information. Any such identifying information will be used only for this purpose. We will not charge you any fees to access your personal information in our records without first providing you with an estimate of the approximate costs, if any.
For PHI processed under a BAA, please direct requests to the relevant Customer (Covered Entity), as they control PHI access rights under HIPAA.
No Discrimination: We will not discriminate against any consumer for exercising their rights under applicable privacy laws.
Privacy Law Compliance
We comply with applicable privacy laws, including Canada’s Personal Information Protection and Electronic Documents Act and similar regulations. Our practices incorporate key privacy principles, including:
- Accountability for privacy protection
- Clear identification of information collection purposes
- Obtaining appropriate consent
- Limiting collection to necessary purposes
- Restricting use, disclosure, and retention
- Maintaining information accuracy
- Implementing appropriate safeguards
- Providing transparency about our practices
- Enabling individual access to personal information
- Establishing procedures for addressing privacy concerns
Opting Out of Communications
If you no longer wish to receive marketing emails from us, you may unsubscribe by clicking the “unsubscribe” link at the bottom of any email we send you, or by contacting us directly using the contact information on our website.
We will respond to your opt-out request promptly; however, please allow us a reasonable amount of time to process your request. Please note that if you opt out of receiving marketing-related emails, we may still need to send you communications about your use of our products or services, or other matters.
Other Disclosures
We may transfer your personal information and other information to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, brands, affiliates, subsidiaries, or other assets.
PHI Disclosure: Documo does not disclose PHI except as authorized by the Customer’s BAA or as required by HIPAA.
No Sale or Unauthorized Sharing of Personal Information
We do not sell Personal Information for monetary or other value. During the preceding twelve months, we have not sold any Personal Information of consumers, as defined under applicable privacy laws.
Security of Personal Information
We have implemented commercially reasonable physical, organizational, contractual, and technological security measures to protect your personal information from accidental or unlawful destruction, loss, or theft, as well as unauthorized access, disclosure, copying, use, or modification. We implement the following measures:
- Encryption: Personal data is encrypted both at rest and during transmission over public networks.
- Access Controls: Data is restricted based on the principle of least privilege, ensuring access is limited to authorized personnel.
- Compute Devices: Any mobile device containing personal or confidential data must be encrypted and protected by password authentication. Devices will lock after 10 minutes of inactivity.
- Backups: All backups are encrypted and securely stored.
- Physical Security: Paper records containing confidential data are securely stored and disposed of in line with data handling and destruction procedures.
Despite the measures outlined above, no method of information transmission or information storage is 100% secure or error-free, so we unfortunately cannot guarantee absolute security. In the event of a security breach, we will act promptly to mitigate the risks and inform you where there is a real risk of significant harm, or as otherwise required by law.
You are responsible for maintaining the secrecy of your identification, passwords, and/or any personal information in your possession for the use of our Website and/or the Services. Always be careful and responsible regarding your personal information. We are not responsible for, and cannot control, the use by others of any information you provide to them. You should exercise caution when providing personal information to others through our Website or the Services. Similarly, we cannot assume any responsibility for the content of any personal information or other information that you receive from other users through our Website or the Services. We cannot guarantee or assume any responsibility for verifying the accuracy of personal information or other information provided by any third party.
Privacy Policy Updates
This privacy policy is current as of the “updated” date, which appears at the top of this page. We reserve the right to modify this Privacy Policy from time to time. When changes are made to this privacy policy, they will take effect immediately upon publication of a revised privacy policy on our Website, unless otherwise noted.
We may also communicate the changes through our Services or by other means. By submitting your personal information to us, by registering for or using any of the Services we offer, by using our Website, or by voluntarily interacting with us after we publish or communicate a notice about the changes to this privacy policy, you consent to our collecting, using, and disclosing your personal information as set out in the revised privacy policy.
Contact Us
All comments, questions, concerns, or complaints regarding your personal information or our privacy practices should be sent to our Privacy Officer at the following email address: privacy@documo.com.