Privacy Policy
Last Updated:15 December 2020

Welcome to BROOK (the “Service” or the “App“). We at Brook Inc. (“we“, “us“, “our“) respect your privacy. This policy (the “Policy“) explains our privacy practices for the Service. It describes the ways your personal data is processed, the purposes for which it is processed, what we do with it, and the rights and options available to you with respect to your personal data.

This Policy is incorporated into the Service’s Terms of Use (the “Terms“) and consitutes an integral part of the Terms.
 

Please note that unless you change the App settings when you first sign up for the Service, or at any time after that, our Service will continue to operate in the background of your mobile device. You can always turn off our Service through the “settings” menu of your mobile device.
 

The following are key points of the Policy, highlighted to you for your convenience. They do not substitute the full Policy, which we encourage you to read.

Key Points

Introduction

The App is a powerful machine learning real-time healthy lifestyle management tool that uses our innovative analytics tools to collect and combine personal data from user input and Third Parties, together with clinical knowledge, to create insights and recommendations to help users stay as healthy as possible. By accessing or using the Service in any way, or by registering as a user, you agree to be bound by these Terms.

Personal Data we collect

We collect your full name, email and other personal information including your date of birth, gender, height, weight, and information related to your health, medical conditions and wellness. We also ask for permission to access information through Third Party Platforms (such as the Apple Health Kit and other fitness apps you may use). If you give us permission, we collect your geographical location as well as information pertaining to your day-to-day activities and other activities on the App.

 
Use of collected information

We use the information we collect to provide and operate our proactive healthy lifestyle management solution, to operate all other aspects of the Service and to send you push notifications to enhance the Service and prevent misuse, if you agree to receive push notifications.

 
 
Sharing collected information

Your personal data may be shared with our contractors or data analysis service providers for the purpose of providing you with the Service. Your personal data may also be shared with third- party professionals (“Professionals”) who are listed on the App and with whom you choose to communicate. Your personal data may also be accessed, with your permission, through Third Party Platforms. Your personal data may also be shared with your health insurance provider (your “Insurer”) if your Insurer has partnered with us to provide services to the Insurer’s members, and you have opted to link your user account with your Insurer’s account. We may also share aggregated and de-identified data with others for the purpose of operating, maintaining and enhancing the Service.

 
Choice

It is your choice whether to let us access Third Party Platforms that contain your personal data. If you give us permission to do so, you may then opt-out of sharing with us certain, or all information generated from Third Party Platforms. You may also revoke your permission for us to access Third Party Platforms at any time.

 
Information Security

We implement measures to reduce the risks of damage and unauthorized access or use of information, but they do not provide absolute information security.

 
Changes to this Privacy Policy

We may change this Policy, by notifying you of such changes. Your continued use of the Service after the changes take effect indicates your acceptance of the amended Policy.

Note: The term “App” refers to the platform through which you access the Service.

 

Full Policy

1.- Personal Data we collect

Although the full Service is available only to registered users, registration is not required and unregistered users who do not create a profile and a user account may use basic portions of the Service that are available to all users. To sign-up, you must provide us with certain contact and personal details, such as your full name and an active e-mail address and to enter a username and password. By using the Service and/or signing up we may ask you to actively provide us with other Service-related personal data such as your age, gender, height, weight, food intake or other attributes that define you as a user.


If you give us permission to do so, we may also collect your geographical location, including position coordinates provided by your mobile device. We essentially use your location-based information to provide the Service and to enhance its capabilities.


We may collect additional information to enhance the Service’s capabilities, such as information regarding your day to day behavior (sleep, location, movement, system clock etc.), if you give us permission to do so, as well as other activities on the App, such as the content you viewed or searched for on the App, and your session durations.


As part of the Device Program, the Device(s) may also collect physiologic data (e.g., ECG, blood pressure, glucose monitoring) of you that it will transmit to us and your Provider.


Keep in mind that personal data that you actively provide, allow us to access through Third Party Platforms, or other geographical location or behavioral content (collectively, the “Content”), may contain or be indicative of, your personal and health condition (depending on the particulars of the Content).


We may collect Content and other personal data from third party platforms for which you have provided us permission and access to, such as Apple iOS HealthKit, Google Fit and Fitbit (“Third Party Platforms”). You may, at any time, opt-out of sharing certain service provider or Third Party Platform information with us, as further explained in the section titled “Choice” below. The Service’s functionality may also let you actively submit additional information, whether through using our Service or via Third Party Platforms.


When using the App, Content may be provided in textual, audio or visual form. If you choose to share Content in visual form, the App will request your permission to access your device’s camera (to snap a photo) or memory storage (to let you select an existing photo).


We will use this Content, combined with our analytics tools, to create our real-time health and wellness management solution, and for additional purposes outlined in this Policy.


We may use integration tools such as iOS HealthKit or GoogleFit for purposes of collecting and analyzing health and medical information and we may use third party tools to collect this information.


PLEASE DO NOT SHARE WITH US CONTENT THAT MAY BE INDICATIVE OF PERSONAL OR HEALTH INFORMATION ABOUT YOURSELF OR OTHER INDIVIDUALS, WHICH YOU DO NOT WANT US TO HAVE. YOU ARE SOLELY RESPONSIBLE FOR ANY CONTENT THAT YOU SHARE WITH US.


Brook provides remote patient monitoring and other services under agreements with its health care provider and health plan customers ("Customers") that govern Brook's use and disclosure of protected health information and other personal information through the services (the “Provider Agreements”). This Policy supplements the Provider Agreements. To the extent that a term of this Policy conflicts with any applicable Provider Agreement, the Provider Agreement will control.


If you are a patient of one of our health care provider Customers, or a beneficiary of one of our health plan Customers, who use our services and have questions about your treatment or handling of your protected health information, you should check with your health care provider or health plan. As between Brook and our Customers, our Customers are primarily responsible for determining how we use and disclose the protected health information we collect through our services under the Provider Agreements. Your health care provider’s or health plan's collection, use and disclosure of protected health information about you is governed, in turn, by that entity's notice of privacy practices, privacy policies, and other agreements between you and the entity.


When you engage in certain activities on our Service, such as submitting a customer-service request, you may be asked to provide personal data depending on the activity or request. When we process your inquiries or requests, we may also require additional personal data from you, to verify your account and identity.

2.- Children

We do not knowingly or intentionally collect information about children who are under the age of 16. If you are a minor, you may not use the Service and may not provide any personal details to us.

3.- Third Party Platforms

You may choose to share certain Content, on or through Third Party Platforms. Through the settings of another Third Party Platform account, you may choose to have content that you interact with on the account, transmitted to and shared with the Service. For example, you may “share” and we may access Service-related Content through Third Party Platforms. We can only access the information that your Third Party Platform makes available to us, according to your privacy settings on such Third Party Platform and the authorizations you granted us while completing the registration process. Only you can initiate and control the access to your Third Party Platform accounts and the actions engaged in them through this App. We do not and will not store your Third Party Platform accounts’ password.

By doing so, you agree to share information between us and the Third Party Platforms, for the purposes set forth in this Policy. Note, however, that your use of such Third Party Platform and the Third Party Platform’s use of Content are governed by the Third Party Platform’s respective terms of use and privacy policy, and in no event by this Policy.

4.- Third Party Professionals

You may choose to select a Professional listed on the App and communicate directly with the Professional. If you choose to communicate with a Professional, the Professional will need to receive certain personal information about you in order to provide you with the Professional’s services. By selecting a Professional, you consent to the sharing of your personal information with the Professional.

If your Insurer offers you the option to link your user account with your Insurer’s account and you choose to link the accounts, we will share your personal information with your Insurer. By choosing to link your user account with your Insurer account, you consent to the sharing of your personal information with your Insurer.

5.- Use of collected information

We will use the information outlined above, for the following purposes:

  • Operate and provide our proactive health and wellness management solution, as well as all other aspects of the Service, its features and functionalities;
  • Improve and customize the Service and develop new services;
  • Send you push notifications when we find certain recommendations and other reminders or notifications, as appropriate;
  • Contact you with administrative updates and announcements related to the Service;
  • Provide you with support, handle complaints and contact you when we believe it to be necessary;
  • Enforce the Terms and this Policy and prevent misuse of the Service;
  • Comply with any applicable law and assist law enforcement agencies and competent authorities, if we believe it is necessary or justified; and
  • Take any action in any case of dispute involving you, with respect or in relation to the Service. We may also use your personal data in other ways, in which case we will provide you with specific notice at the time of collection and obtain your consent where required.

6.- Sharing collected information

We may share the information outlined above, with others, in any of the following instances:

  • With our contractors for data analysis and processing, or service-providers such as third party libraries or components for purposes such as bug reporting or user feedback, in order to operate, maintain and enhance the Service;
  • If you are a registered user, with Professionals who you may choose to engage and communicate directly with;
  • With your Insurer, if you are a registered user and a member of an Insurer who offers its members access to our App, and you opted to link your user account with your Insurer account.
  • If you are a registered user, with third party service providers, experts and advisors that you request to connect with and obtain their services using the App’s chat function;
  • If you have breached the Terms, abused your rights to use the Service, or violated any applicable law, Your information may be shared with competent authorities and with any third party, if we believe it is necessary or justified;
  • With attorneys, courts and relevant third parties, in any case of dispute, or legal proceeding of any kind involving you with respect to the Service;
  • If the operation of the Service is organized within a different framework, or through another legal structure or entity (such as due to a merger or acquisition), provided that those entities agree to be bound by the provisions of this Policy, with reasonably necessary changes taken into consideration; and
  • We may share personal data with our corporate group entities (companies that we control, control us, or are under common control with us – whether directly or indirectly), but their use of such information must comply with the Policy.

In any case other than the above, your personal data will only be shared with others if you provide your explicit prior consent.

7.- Aggregated or anonymized information

We may use de-identified, statistical or aggregated information, including information that we process according to this policy, to properly operate the Service, to develop and improve the quality and functionality of the Service, to enhance your experience, to create new services, including customized services, to change or cancel existing features and for other research, development and statistical purposes. We may share, publish, post, disseminate, transmit or otherwise communicate or make available such information to suppliers, business partners, sponsors, developers, affiliates and any other third party, at our sole discretion, provided however, that we will not knowingly, or intentionally share information that can be reasonably used to reveal your identity without your consent.

8.- Choice

It is your choice whether to let us access information from Third Party Platforms. If you give us permission to access your accounts from Third Party Platforms, you may, at any time, opt-out of sharing with us certain, or entire categories of information. You may also revoke your permission at any time.

9.- Transfer of data outside your territory

The personal data we collect (or process) in the context of the Service will be stored in the United States. Some of the data recipients with whom we share your personal data may be located in countries other than the country in which your personal data originally was collected. The laws in those countries may not provide the same level of data protection compared to the country in which you initially provided your data. Nevertheless, when we transfer your personal data to recipients in other countries, including the United States, we will protect that personal data as described in this Policy and in compliance with applicable law. If you reside or are located in the European Economic Area (“EEA”) we take measures to comply with applicable legal requirements for the transfer of personal data to recipients in countries outside of the EEA that do not provide an adequate level of data protection. We use a variety of measures to ensure that your personal data transferred to these countries receives adequate protection in accordance with data protection rules; this includes signing the EU Standard Contractual Clauses, verifying the recipient has adopted Binding Corporate Rules or adheres to the EU-US and Swiss-US Privacy Shield Framework.

10.- Data retention

We retain the information outlined above for as long as is necessary in order for us to provide you with the Service or as required under applicable law.

Generally, as long as you are a user of the Service, we do not delete information related to you, unless there are technical reasons that require us to retain only portions of the data, or if we are required by law to delete it.

Please note that we will retain and disclose information when we deem it necessary to satisfy orders issued by courts and government authorities. We will notify you about the disclosure, only if we are explicitly permitted to do so. In any case, we may keep any aggregated or anonymous information for statistical, development, marketing and other purposes, indefinitely.

Be advised that removing or uninstalling the App from your smartphone or other device to which the App is activated will not automatically cause the personal data or Content to be deleted from the Service. However, we will delete your personal data and Content from the Service upon your request.

11.- Accessing, updating or deleting your personal data

If you would like information in relation to your rights or would like to exercise any of them, you may contact us via privacy@brook.health or our postal address provided below. If you reside or are located in the EEA, you may ask us to take the following actions in relation to your personal data that we hold:

  • Opt-out. Stop sending you direct marketing communications. You may continue to receive Service- related and other non-marketing emails.
  • Access. Provide you with information about our processing of your personal data and give you access to your personal data.
  • Correct. Update or correct inaccuracies in your personal data. Subject to the Terms, you may change your basic profile information (that you entered when you registered to the App) at any time.
  • Delete. Delete your personal data.
  • Transfer. Transfer a machine-readable copy of your personal data to you or a third party of your
    • choice.
  • Restrict. Restrict the processing of your personal data.
  • Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal data that impacts your rights.
We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal data or response to your requests regarding your personal data, you may contact us at privacy@brook.health or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here:

http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

12.- Information Security

We implement measures to reduce the risks of damage, loss of information and unauthorized access or use of information. However, these measures do not provide absolute information security. Therefore, although efforts are made to secure your personal data, it is not guaranteed, and you cannot expect that the Service will be immune from information security risks.

13.- Changes to this Privacy Policy

We may change this Policy from time to time. Substantial changes will take effect 30 days after you are given notice of such changes through the Service. Other changes will take effect 7 days after you are given notice. However, if the Policy is amended to comply with legal requirements, the amendments will become effective immediately upon their initial posting, or as required. The most up-to-date Policy will always be accessible through the App.

In any event, we will seek your explicit consent if we wish to have substantial changes to the Policy apply to personal data we collected prior to those changes.

Your explicit consent to the amended Policy or continued use of the Service after the changes take effect each indicate your acceptance of the amended Policy. If you do not agree to the amended Policy, you must uninstall the App and refrain from using the Service.

14.- Comments and Questions

If you have any comments, requests or questions about this Policy, please contact us at privacy@brook.health or use or our postal address:

Brook Inc
311½ Occidental Ave South
Seattle, Washington
98104

California Consumer Privacy Act Addendum

This California Consumer Privacy Act Addendum supplements the information contained in the Brook, Inc. (“Brook,” or “we” or “us”) Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this Addendum to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Addendum.

Information We Collect

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information“). Personal information does not include:
  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, including health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA).
In particular, we have collected the following categories of personal information from its consumers within the last twelve (12) months:
Category Examples Collected
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. YES
C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). YES
D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. YES
E. Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. YES
F. Internet or other similar network activity. Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. YES
G. Geolocation data. Physical location or movements. YES
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. YES
I. Professional or employment-related information. Current or past job history or performance evaluations. NO
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. NO
K. Inferences drawn from other personal information. Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. YES

Collecting, Using, and Sharing Personal Information

Please see our Privacy Policy above for details about how we collect, use, and share and use your personal information.

 

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Brook has disclosed following categories of personal information for a business purpose:

Category A: Identifiers.
Category B: California Customer Records personal information categories.
Category C: Protected classification characteristics under California or federal law.
Category D: Commercial information.
Category E: Biometric information.
Category F: Internet or other similar network activity.
Category G: Geolocation data.
Category H: Sensory data.
Category K: Inferences drawn from other personal information.

We have disclosed your personal information for a business purpose to services providers.

 

Sales of Personal Information

In the preceding twelve (12) months, Brook has not sold personal information.

 

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

 

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see section below titled “Exercising Access, Data Portability, and Deletion Rights”), we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  • sales, identifying the personal information categories that each category of recipient purchased; and
  • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

We do not provide these access and data portability rights for B2B personal information.

 

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see section below titled “Exercising Access, Data Portability, and Deletion Rights”), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We do not provide these deletion rights for B2B personal information.

 

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

  • Calling us at 1-800-266-4407.
  • Emailing us at support@brook.health.
  • Visiting www.brook.health.

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

 

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality ofgoods or services.

 

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to support@brook.health or write us at: Brook Inc, 113 Cherry Street, PMB 30466, Seattle, Washington, 98104

 

Changes to this Addendum

We reserve the right to amend this Addendum at our discretion and at any time. When we make changes to this Addendum, we will post the updated Addendum on the Website and update the Addendum’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.

 

Contact Information

If you have any questions or comments about this Addendum, the ways in which Brook collects and uses your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone: 1-800-266-4407.
Website: www.brook.health
Email: support@brook.health

Postal Address:
Brook, Inc.
Attn: Customer Support
113 Cherry Street
PMB 30466
Seattle, Washington 98104

CONTACT US

At any time, you may contact us with any question or complaint that you may have with respect to the Service, at: support@brook.health