(Last revised April 26, 2022)
As part of offering Ria services within their organizations, some employers or insurance companies (“Ria Benefit Sponsors”) may require or choose to add additional or different limitations or restrictions on data practices related to their Ria offerings (i.e., Ria Benefit Sponsors may add additional privacy restrictions or limitations above and beyond what is described in this Policy). Any such additional restrictions or limitations on data practices that have been agreed to between Ria and Ria Benefit Sponsors will be reflected in written agreements between them, and such terms will control.
This Policy describes how Ria collects, uses, and shares personal information processed by us, including via our website at riahealth.com, any affiliated “micro-sites” set up for our customers, Ria’s internal applications, our mobile applications, sessions and offerings from our Providers, our events, and any other online or offline offering that posts this Policy (“collectively, the Services”).
Please see our HIPAA Notice of Privacy Practices for how Ria and our Providers specifically use and disclose Protected Health Information (PHI).
2. PERSONAL INFORMATION WE COLLECT
The categories of personal information we collect depend on how you interact with us or use our Services and the requirements of applicable law. We collect information that you provide to us, information we obtain automatically when you use our Services, information from other sources such as your Ria Benefit Sponsor, and third-party services and organizations, as described below.
Registering as a Ria Health Member. If you register as a Ria member, we may collect information from you including your name, postal address, location, email address, phone number, username, password, demographic information (such as your gender and date of birth, as well as race, ethnicity, religious affiliations, sexual orientation and/or pronouns if you choose to share such information), information about your drinking history, mood, mental or physical health, or emotional state, as well as other information you directly give us through the Services.
Using Ria Health Services. Depending on the Ria Health Services you use, you may be asked to complete additional forms (e.g. intake forms, consents) which may ask for personal information such as your name, contact information, information about your current or historical health or mental health and treatment, and information on your lifestyle.
In some cases, you may be asked to provide medical records, for which we will obtain a signed authorization from you. We will maintain a medical record that contains the details of the care you receive. Your Ria Provider may capture clinical and/or coaching notes during your sessions.
Communicating with Us. If you communicate with us such as by email, phone, text, chat, or within our app, we will collect personal information from you, such as your name, contact information, and information you provide within your communication to us. If you are a Ria member, you have the option of using secure chat as described in Section 4 of this Policy. Note that channels outside of the Ria website, such as your personal email, text message, or video chat may be unsecure. Note that calls to Ria’s Care Team may be recorded.
Surveys. We may periodically send you optional surveys to collect your feedback on your experience with Ria. Understanding outcomes is central to our mission of providing effective, evidence-based care, and data can help inform Ria’s approach to treatment and assessment of progress.
Information We Get from Your Ria Benefit Sponsor. We may receive information from your Ria Benefit Sponsor to enable us to confirm your eligibility or the eligibility of your dependents or household member(s); to contact you in order to inform you of the availability of Ria benefits, to help us measure the effectiveness of the Ria benefit, or to better support communications with you, your Provider, or other individuals to support your care as permitted by law.
All Service Users
Information We Get from Interactive Features. We, may collect personal information that you submit or make available through our interactive features (e.g., messaging and chat features, commenting functionalities, forums, blogs, and social media pages). Any personal information you elect to make publicly available on our Services, such as posting comments on our blog page, will be available to others. Any information you provide on the public sections of these features will be considered “public”, unless otherwise required by applicable law, and is not subject to the privacy protections referenced herein.
Voice and Video Information. If you consent, we may collect your voice and video image for ongoing quality improvement and quality assurance of our Services. The consent form you are provided before agreeing to provide video to us will provide additional information on how video data is collected, used, and retained.
Information Automatically Collected. We automatically log information about you and your computer, phone, tablet, or other devices you use to access the Services. For example, when visiting the Services, we log your computer or device identification, operating system type, browser type, browser language, the website you visited before browsing to our website, pages you viewed, how long you spent on a page, access times, and information about your use of and actions on the Services. How much of this information we collect depends on the type and settings of the device you use to access the Services.
Technologies. We, as well as third parties that provide content, advertising, or other functionality on the Services, may log information using cookies, pixel tags, web server logs, web beacons, and other technologies (“Technologies”) to automatically collect information through your use of our Services. This information is collected to make the Services more useful to you and to tailor the experience with us to meet your special interests and needs. Note that advertising technologies are not used on sites where members login to access our services, they are only used on Ria’s corporate website: riahealth.com.
- Cookies. Cookies are small data files stored on your hard drive by a website. We may use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on the Services.
- Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects information about engagement on the Services. The use of a pixel tag allows us to record, for example,
that a user has visited a particular webpage or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.
Our uses of these Technologies fall into the following general categories:
- Operationally Necessary. This includes Technologies that allow you access to the Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity, and improve security or that allow you to make use of our functionality;
- Performance-Related. We may use Technologies to assess the performance of the Services, including as part of our analytics practices to help us understand how individuals use the Services (see Analytics below);
- Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using the Services. This may include identifying you when you sign into the Services or keeping track of your specified preferences, interests, or past items viewed;
- Advertising- or Targeting-Related. We may use first-party or third-party Technologies to deliver content, including ads relevant to your interests, on riahealth.com or on third-party websites. Note that advertising technologies are not used on sites where members login to access our services and/or search for care (e.g., [benefitsponsor].riahealth.com), they are only used on Ria’s corporate website: riahealth.com.
Analytics. We may use Technologies and other third-party tools to process analytics information on the Services. Some of our analytics partners include:
If you register, or are registered by your employer, to use RiaAware, we will collect your name and email address to facilitate your registration.
If you choose to enroll or participate in RiaAware sessions, we will collect information to register you for the sessions, including your name and email address. These sessions are conducted via videoconference, and you may choose whether to display your name in the videoconferencing tool, and whether to have your camera on or image displayed.
3. USE OF PERSONAL INFORMATION
How we use the information we collect depends in part on which Services you use, how you use them, and any preferences you have communicated to us. Below are the specific purposes for which we use the information we collect about you. For more information on how we use clinical information, see our HIPAA Notice of Privacy Practices.
We use your personal information as follows:
- To provide the Services and personalize your experience: We use information about you to provide the Services to you, including to:
- Help establish and verify the identity and eligibility of users;
- Open, maintain, administer, and manage profiles and accounts for registered users;
- Provide search results and notifications that are most relevant for you;
- Recommend Providers and services that may be a good fit for you;
- Provide you with customized products, Services content, offers, or materials;
- Provide, deliver, operate and maintain the services and other products and services that you request, including those from our selected partners;
- Link or combine user information with other personal information, such as when you use services offered by Ria Health P.C. or our other contracted providers of clinical services;
- Respond to comments and questions and provide customer service or technical support;
- Process employment applications;
- Allow you to register for events;
- Communicate with you about your account, including confirmations, notices, notifications, updates, security alerts, and support and administrative messages. If you are communicating with Ria about your care, these communications may contain medical information. Please see Ria’s HIPAA Notice of Privacy Practices for more information about how medical information may be used and disclosed by Ria.
- To understand and improve our Services, provided the agreement we have with your employer permits use of personal information for this purpose, such as to:
- Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and prosecute those responsible for that activity;
- Measure and understand engagement with the Services;
- Research and develop products, Services, marketing, or internal processes;
- Short-term, transient use, such as contextual customization of ads;
- Improve, upgrade or enhance the Services;
- Ensure internal quality control and safety;
- Debug to identify and repair errors with the Services;
- Audit interactions, transactions and other compliance activities.
- To protect our legitimate business interests and legal rights, such as to:
- Enforce our agreements and policies;
- Protect your safety or vital interests, or the safety or vital interests of others; and
- Comply with our legal obligations.
With your consent: We may use information about you in other ways or for other purposes, where you have given us consent to do so for a specific purpose not listed above. Providers may ask you to sign additional consents before receiving services. These agreements are between
you and your Provider; we encourage you to read any such consent carefully and discuss any
questions you have with your provider.
Automated Decision Making. We may engage in automated decision making, including profiling. Ria’s processing of your personal information will not result in a decision based solely on automated processing that significantly affects you unless such a decision is necessary as part of a contract we have with you, we have your consent, or we are permitted by law to engage in such automated decision making. If you have questions about our automated decision making, you may contact us as set forth below.
De-identified and Aggregated Information. We may use personal information and other information about you to create de-identified and/or aggregated information, such as de-identified demographic information, location information, information about the device from which you access the Services, or other data sets we may create. In some cases, we use aggregated, de-identified clinical data to provide our customers with insight into how their employees are coping with stressors and changing over time.
4. HOW INFORMATION IS STORED AND PROCESSED
We are committed to protecting your privacy and data. We have put in place appropriate safeguards and security measures to help prevent your personal information from being lost, used or accessed in an unauthorized way, altered or disclosed. However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its security. If you have any questions about the security of the Services, you can contact us as described below.
Email Security. Any text, email or other transmission you send unencrypted through the Internet cannot be completely protected against unauthorized interception. In particular, we want to make you aware that personal email may be unsecure, and Ria cannot be responsible for any unauthorized access to information when information is sent to or from your personal email. You are not required to authorize the use of your personal email for purposes of communicating with Ria; a decision not to consent or to opt out of receiving these emails will not restrict your ability to access care from your Provider. You can receive secure communications within the secure chats supported by the Ria app.
Data Retention. We will retain personal information we process pursuant to statutory requirements, for as long as needed to provide the Services, and to comply with our legal and compliance obligations (including those under HIPAA or for auditing purposes), resolve potential or actual disputes, conduct research and development for the Services (provided the agreement we have with your employer permits use of personal information for this purpose), or enforce our agreements.
5. SHARING OF PERSONAL INFORMATION
We will not rent or sell your personal information to others without your consent. We disclose your information to third parties for a variety of business purposes, as described below.
Your Providers. If you seek treatment or other services from a clinical Provider available through the Services, such as Ria Health P.C. in its capacity as a health care provider, your clinical Provider will have access to your personal information in order to provide you with their services. Please note that the use and disclosure of your PHI in connection with such services will be governed by our HIPAA Notice of Privacy Practices.
Your Ria Benefit Sponsor. To the extent permitted under applicable laws including HIPAA, we may provide necessary data to your Ria Benefit Sponsor to enable them to manage, administer and evaluate its health and wellness programs. Unless permitted under HIPAA or authorized by you, we will not disclose PHI to your Ria Benefit Sponsor.
RiaAware. If your employer has registered you in RiaAware content and has enabled completion tracking functionalities, we will share your information with them, including your name, email address, and completion status of required RiaAware
Other Ria Users. Some of Ria’s Services may allow you to share personal information, such as your name, with other Ria users.
Service Providers. For example, we may share your personal information with our third-party service providers. The categories of service providers (processors) to whom we entrust personal information include: IT and related services; information and services; payment processors; customer service providers; and vendors to support the provision of the Services.
De-identified and Aggregated Information: We may share de-identified and aggregated information (such as de-identified usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with third parties who help us understand the usage patterns for certain Services and those of our partners. Ria may also share with your Ria Benefit Sponsor the outcomes and impact of the Services, which would consist solely of de-identified and aggregated data or analytics. To the extent that Ria uses artificial intelligence or machine learning on the data we collect, Ria shall only use non-personally identifiable information for these purposes. Non-personally identifiable information may be stored indefinitely.
Advertising Partners. We may share your personal information with third-party advertising partners. These third-party advertising partners may include Technologies and other tracking tools on riahealth.com to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising” or “personalized advertising.” Note that advertising technologies are not used on sites where members login to access our services, they are only used on Ria’s corporate website.
APIs/SDKs. We may use third-party Application Program Interfaces (“APIs”) and software development kits (“SDKs”) as part of the functionality of the Services. For more information about our use of APIs and SDKs, please contact us as described below.
Disclosures to Protect Us and Others: We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate: to comply with law enforcement or national security requests and legal process, such as a court order or subpoena; when required by health oversight agencies, such as the Secretary of Health and Human Services, for legally authorized health oversight activities; to protect your, our or others’ rights, property, or safety, including to protect the security or integrity of the Services and any facilities or equipment used to make the Services available; to enforce our policies or contracts or HIPAA Notice of Privacy Practices; to collect amounts owed to us or any Ria Provider; or to assist with an investigation or prosecution of suspected or actual illegal activity or in an emergency.
What Happens in the Event of a Change of Control: We may buy or sell/divest/transfer the Company (including any shares in the Company), or any combination of its products, services, assets and/or businesses. Your information such as names and email addresses, and other information related to the Services may be among the items sold or otherwise transferred in these types of transactions. We may also sell, assign, or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of Ria.
6. INTERNATIONAL DATA TRANSFER
By using the Services, you acknowledge and understand that your information will be stored within the United States, where privacy rules differ and may be less stringent than those of the country in which you reside.
7. THIRD-PARTY WEBSITES/APPLICATIONS
The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services/applications are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.
8. YOUR PRIVACY CHOICES AND RIGHTS
Your Privacy Choices. You have a number of choices you can make regarding your personal information, including as follows:
- Text Messages. You may opt out of receiving text messages from us by following the instructions in the text message/replying “STOP” to a text message you have received from us or by contacting us as described below.
- Mobile Devices. We may send you push notifications through our mobile application. You may opt out from receiving these push notifications by changing the settings on your mobile device.
- Do Not Track. We currently do not support the Do Not Track browser setting or respond to Do Not Track signals. Do Not Track (or DNT) is a preference you can set in your browser to let the websites you visit know that you do not want them collecting certain information about you. For more details about Do Not Track, including how to enable or disable this preference, visit https://termsfeed.com/do-not-track.
- Cookies and Interest-Based Advertising. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your browser or devices preferences, as they permit. However, if you adjust your preferences, the Services may not work properly. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android, iOS and others.
The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy by visiting the Network Advertising Initiative, the Digital Advertising Alliance, the European Digital Advertising Alliance, and the Digital Advertising Alliance of Canada. Please note you must separately opt out in each browser and on each device.
Note that advertising technologies are not used on sites where members login to access our services and/or search for care (e.g., [benefitsponsor].riahealth.com), they are only used on Ria’s corporate website: riahealth.com.
Your Privacy Rights. In accordance with applicable law, you may have the right to:
- Access Personal Information about you, including: (i) confirming whether we are processing your personal information; (ii) obtaining access to or receiving a copy of your personal information; and (iii) receiving an electronic copy of personal information that you have provided to us, or (iv) asking us to send that information to another company (the “right of data portability”);
- Request Correction of your personal information where it is inaccurate or incomplete. In some cases, we may provide self-service tools that enable you to update your personal information;
- Request Deletion of your personal information;
- Request Restriction of or Object to our processing of your personal information; and
- Withdraw your Consent to our processing of your personal information.
You may submit requests about personal information by contacting us as described below or by completing this form.
9. SUPPLEMENTAL NOTICE FOR CALIFORNIA RESIDENTS
This Supplemental California Privacy Notice only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA provides California residents with the right to know what categories of personal information Ria has collected about them and whether Ria disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding 12 months. California residents can find this information below:
|Category of Personal Information Collected by Ria||Category of Third Parties Information is Disclosed to for a Business Purpose|
A real name, alias, postal address, online identifier, Internet Protocol address, email address, or other similar identifiers.
|Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
A name, address, telephone number, employment, employment history, medical information.
|Protected classification characteristics under California or federal law
Age, race, ancestry, marital status (in relation to how family members are related), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression).
|Internet or other electronic network activity
Browsing history, search history, information on a consumer’s interaction with an internet website, application, or advertisement.
Physical location or movements.
|Audio, electronic, visual, thermal, olfactory, or similar information
Photos and video
|Professional or employment-related information
Current or past job history
Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Categories of sources from which we collect personal information and our business and commercial purposes for usingThe categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth above in Section “Personal Information We Collect”.
“Sales” of Personal Information under the CCPA
For purposes of the CCPA, Ria does not “sell” personal information, nor do we have actual knowledge of any “sale” of personal information of minors under 18 years of age.
Additional Privacy Rights for California Residents
Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.
Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may designate an authorized agent to make requests on your behalf. You must provide an authorized agent written permission to submit a request on your behalf, and we may require that you verify your identity directly with us. Alternatively, an authorized agent that has been provided power of attorney under Probate Code sections 4000-4465 may submit a request on your behalf. To designate an authorized agent, please contact us as described below.
Verification. To protect your privacy, we will take steps to verify your identity before fulfilling your request. When you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. You may submit a verifiable consumer request to us for disclosure or deletion of personal information by clicking here.
In order to protect your privacy and the security of your information, we verify consumer requests by matching personal information that you provide with information in our possession, in order to confirm your identity. Any additional information you provide will be used only to verify your identity and not for any other purpose.
If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us as described below. We will process such requests in accordance with applicable laws.
The Services are not directed to children under 18 (or other age as required by local law), and we do not knowingly collect or maintain the personal information of children under 18.
If you believe that Ria has received information about a child under the age of 18, please contact us as described below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it, and terminate the child’s account if applicable.
We may change this Policy, so please check this page occasionally. If we make any changes, we will change the Last Updated date above.
12. CONTACT INFORMATION
We welcome your comments or questions about this Policy.
1390 Market St
San Francisco, CA 94102