Effective date: 3/7/2023
What information does Luna collect?
Categories of sources of Personal Information:
We receive and store any information you knowingly provide to us. For example, through the registration process and/or through your account settings, we may collect Personal Information such as your name, home address, email address, and phone number. Certain information may be required to register with us or to take advantage of some of our features. We may communicate with you if you’ve provided us the means to do so. For example, if you’ve given us your email address, we may send you promotional email offers on behalf of other businesses, or email you about your use of the Services. If you do not want to receive communications from us, please indicate your preference by unsubscribing from those types of emails or by replying to received text messages that you wish to unsubscribe from such notifications. Whenever you interact with our Services, we may automatically receive and record information through Cookies.
- Service providers/Analytics partners: We may use third parties may help us provide you with customer support, or analytics providers to analyze how you interact and engage with the Services. We may use vendors to obtain information to generate leads and create user profiles.
- Advertising partners: We receive information about you from some of our vendors who assist us with marketing or promotional services related to how you interact with our websites, applications, products, Services, advertisements or communications
- Public records: From the government or other sources.
Our business purposes for collecting or disclosing Personal Information:
Providing, customizing, and improving the Services:
- Creating and managing your account.
- Personalizing the Services, website content and communications based on your preferences.
- Processing orders or other transactions; billing.
- Providing you with the products, services or information you request.
- Meeting or fulfilling the reason you provided the information to us.
- Providing support and assistance for the Services.
- Improving the Services, including testing, research, internal analytics and product development.
- Doing fraud protection, security and debugging.
- Carrying out other business purposes stated when collecting your Personal Information or as otherwise set forth in applicable data privacy laws, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CPRA”).
Marketing the Services:
- Marketing and selling the Services.
- Showing you information and/or advertisements, including interest-based or online behavioral advertising.
Corresponding with You:
- Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Luna or the Services.
- Sending emails, text messages, and other communications according to your preferences or that display content that we think applies to you and/or will interest you.
Meeting legal requirements and enforcing legal terms:
- Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.
- Protecting the rights, property or safety of you, Luna or another party.
- Enforcing any agreements with you.
- Responding to claims that any posting or other content violates third party rights.
- Resolving disputes.
We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated or incompatible purposes without providing you notice. If you are a California resident, please note that we only use or disclose your sensitive personal information for the purposes set forth in section 7027(m) of the CPRA regulations and we do not collect or process sensitive personal information with the purpose of inferring any characteristics about California residents.
Additional information may be found at this page describing more details on categories and examples of Personal Information we collect.
What are my rights with respect to my PHI specifically?
Electronic copy of your medical record: You may request an electronic copy of your medical record and other PHI we have about you by contacting us at firstname.lastname@example.org. We will provide you with a copy or summary of your health information within 15 days of your request or as required by law. Your record will be sent via email to the address specified in your account details.
Correct your medical record: You may request that we correct PHI about you that you think is incorrect or incomplete by contacting us at email@example.com. We may say “no” to your request, but we will tell you why in writing within 60 days of your request or as required by law.
Request confidential communications: You may request that we contact you in a specific way (for example, at your home or office phone) or send email/mail to a different address. We will say “yes” to all reasonable requests.
Restrict access to certain PHI: You may request that we not use or share certain PHI for treatment or payment purposes. We are not required to agree to your request, and we may say “no” if it would affect your care. If you pay for the Services out-of-pocket in full, you may request that we not share that information with your health insurer. We will say “yes” unless a law requires us to share that information.
Request a list of when and with whom we’ve shared your PHI: You may request for a list of when, with whom, and why we shared your PHI for six years prior to your request date (an “Accounting”). We will include all the disclosures except we will not disclose information specifically pertaining to treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We will provide one Accounting each year at no cost to you, however if you request an additional Accounting within such year we will charge a reasonable fee.
Assign an individual medical power of attorney: You may indicate by contacting us at firstname.lastname@example.org if you would like to assign an individual medical power of attorney or indicate an individual as your legal guardian. If you have so indicated, such individual may exercise your rights and make choices about your PHI. We will make sure the person has this authority and can act for you before we take any action.
Right to inspect and copy your health information: You have a right to inspect and copy your own health information upon request. However, we are not required to provide you access to all health information that we maintain. For example, this right does not extend to information compiled in reasonable anticipation on an administrative proceeding. Access may also be denied if disclosure would reasonably endanger you or another person.
Right to verbally object: You have the right to verbally object to certain disclosures that are routinely made for treatment, payment or health care operations or for other purposes without an authorization. For example, you will be given the opportunity to object to the sharing of your health information with a person or family member participating in your treatment.
Right to be notified following a breach of your health information: If you are affected by a breach of your unsecured protected health information by us or our business associates, you have a right to be notified following such breach.
File a complaint if you feel your rights are violated: You may complain if you feel we have violated your rights by contacting us at email@example.com. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting https://www.hhs.gov/ocr/privacy/hipaa/complaints/. We will not retaliate against you for filing a complaint.
Will Luna disclose any of the Personal Information it receives?
We may disclose your Personal Information with third parties as described in this section. Depending on state laws that may be applicable to you, some of these disclosures may constitute a “sale” of your Personal Information. For more information, please refer to the state-specific sections below.
Information that’s been de-identified: We may de-identify your Personal Information so that you are not identified as an individual, and provide that information to our partners or otherwise use that information in connection with our business. We may also provide aggregate usage information to our partners (or allow partners to collect that information from you), who may use such information to understand how often and in what ways people use our Services, so that they, too, can provide you with an optimal online experience. However, we never disclose aggregate usage or de-identified information to a partner (or allow a partner to collect such information) in a manner that would identify you as an individual person.
Affiliated businesses/business partners: In certain situations, businesses or third party websites we’re affiliated with may sell or provide products or services to you through or in connection with the Services (either alone or jointly with us). You can recognize when an affiliated business is associated with such a transaction or service, and we will disclose your Personal Information with that affiliated business only to the extent that it is related to such transaction or service. We have no control over the policies and practices of third party websites or businesses as to privacy or anything else, so if you choose to take part in any transaction or service relating to an affiliated website or business, please review all such business’ or websites’ policies.
Service providers: We employ other companies and people to perform tasks on our behalf and need to disclose your information with them to provide products or services to you; for example, we may use a payment processing company to receive and process your credit card transactions for us. Unless we tell you differently, our service providers do not have any right to use the Personal Information we disclose with them beyond what is necessary to assist us.
User data and submissions: Certain user information, including your name, location, and any video or image content that such user has uploaded to the Services, may be displayed to other authorized users (such as your Luna Physical Therapist and/or the Luna Concierge) to facilitate user interaction within the Services or address your request for our services.
Business transfers: We may choose to buy or sell assets, and may disclose and/or transfer customer information in connection with the evaluation of and entry into such transactions. Also, if we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information could be one of the assets transferred to or acquired by a third party.
Advertising partners: These parties help us market our services and provide you with other offers that may be of interest to you. They include ad networks, data brokers, and marketing providers.
Tracking tools, advertising, and opt-out
Whenever you interact with our Services, we automatically receive and record information on our server logs from your browser or device, which may include your IP address, geolocation data, device identification, “cookie” information, the type of browser and/or device you’re using to access our Services, and the page or feature you requested. “Cookies” are identifiers we transfer to your browser or device that allow us to recognize your browser or device and tell us how and when pages and features in our Services are visited and by how many people. You may be able to change the preferences on your browser or device to prevent or limit your device’s acceptance of cookies, but this may prevent you from taking advantage of some of our features.
We may use this data to customize content for you that we think you might like, based on your usage patterns. We may also use it to improve the Services – for example, this data can tell us how often users use a particular feature of the Services, and we can use that knowledge to make the Services more helpful to as many users as possible.
We use the following types of Cookies:
Essential Cookies. Essential Cookies are required for providing you with features or services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services. Disabling these Cookies may make certain features and services unavailable.
Functional Cookies. Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time and recognize you when you return to our Services. These Cookies help us to personalize our content for you, greet you by name and remember your preferences.
Retargeting/Advertising Cookies. Retargeting/Advertising Cookies collect data about your online activity and identify your interests so that we can provide advertising that we believe is relevant to you.
You can decide whether or not to accept Cookies through your internet browser’s settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new Cookie in a variety of ways. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our website and some of the Services and functionalities may not work. To find out more information about Cookies generally, including information about how to manage and delete Cookies, please visit http://www.allaboutcookies.org.
Information about interest-based advertisements:
We may serve advertisements, and also allow third-party ad networks, including third-party ad servers, ad agencies, ad technology vendors and research firms, to serve advertisements through the Services. These advertisements may be targeted to users who fit certain general profile categories or display certain preferences or behaviors (“Interest-Based Ads”). Information for Interest-Based Ads (including Personal Information) may be provided to us by you, or derived from the usage patterns of particular users on the Services and/or services of third parties. Such information may be gathered through tracking users’ activities across time and unaffiliated properties, including when you leave the Services. To accomplish this, we or our service providers may deliver Cookies, including a file (known as a “web beacon”) from an ad network to you through the Services. Web beacons allow ad networks to provide anonymized, aggregated auditing, research and reporting for us and for advertisers. Web beacons also enable ad networks to serve targeted advertisements to you when you visit other websites. Web beacons allow ad networks to view, edit or set their own Cookies on your browser, just as if you had requested a web page from their site.
We attempt to comply with the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising. Through the DAA and Network Advertising Initiative (“NAI”), several media and marketing associations have developed an industry self-regulatory program to give consumers a better understanding of, and greater control over, ads that are customized based a consumer’s online behavior across different websites and properties. To make choices about Interest-Based Ads from participating third parties, including to opt-out of receiving behaviorally targeted advertisements from participating organizations, please visit the DAA’s or NAI’s consumer opt-out pages, which are located at http://www.networkadvertising.org/choices/ or http://www.aboutads.info/choices.
Will Luna share any of the PHI it receives?
We will never (i) rent or sell your PHI; (ii) share your PHI for marketing purposes; or (iii) use or share your PHI other than as described below unless you have given us explicit permission in writing to do so. We may share your PHI with third parties as described here:
Family members, guardians, specified individuals: We may share your PHI with your family member, guardian or other individual, only as specifically requested by you or in those circumstances where such individuals are involved in your care or treatment and you have had the opportunity to agree or object (verbally or in writing) and have been notified in advance of such use or disclosure.
Business associates: With an acknowledgment or proper authorization or as otherwise permitted under HIPAA, we are permitted to disclose your health information to business associates and to allow business associates to receive your health information of our behalf. A business associate is defined under HIPAA as an individual or entity under contract with us to perform or assist us in a function or activity which requires the use of your health information. Examples of business associates include, but are not limited to, consultants, accountants, and third party billing companies.
Physical therapists: We may share your PHI with your Luna Physical Therapist in order to provide you the Services, manage your treatment, and improve your health.
Outpatient clinic and/or hospital partners of Luna: We may obtain, use, and disclose PHI and related health to any physical therapy clinic or hospital partner that is engaged in connection with the provision of physical therapy services to you for purposes of coordinating treatment and payment for services.
Other clinical professionals: If you have communicated to us that you are receiving treatment from a physician, we may share your PHI with that physician’s office.
Emergency: In the event of an emergency or a serious or imminent threat to your health or safety (e.g., you are unconscious), we may share your PHI if we believe it is in your best interest.
Public good and/or research purposes: We may share your PHI if we believe it is for the benefit of public health, such as (i) preventing disease; (ii) helping with product recalls; (iii) reporting adverse reactions to medications; (iv) reporting suspected abuse, neglect or domestic violence; (v) preventing or reducing a serious threat to anyone’s health or safety, or for health research purposes. We will only share your PHI in accordance with the law. To find out more, please go to: https://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
Compliance with law: We reserve the right to access, read, preserve, and disclose any PHI that we believe is necessary to comply with law or court order, including requests from the Department of Health and Human Services to ensure our compliance with federal privacy law.
Address workers’ compensation, law enforcement, mandated reporting and other government requests: We may share PHI about you: (i) for workers’ compensation claims; (i) for law enforcement purposes or with a law enforcement official; (iii) with health oversight agencies for activities authorized by law; (iv) for special government functions such as military, national security, and presidential protective services; (v) for any applicable mandated reporting purposes such as child abuse, sexual assault, intimate partner violence or other mandated reporting.
Treatment payment and healthcare operations. We are permitted to use and disclose your health information in the provision and coordination of your healthcare, in determining coverage, billing, claims management, medical data processing and reimbursement, and as part of Luna’s routine healthcare operations such as utilization reviews, auditing, certification, licensing or credentialing activities.
Authorization. We can use and disclose your health information for purposes other than treatment, payment or healthcare operations with your written authorization. For example, with your authorization we can provide your name and medical condition to companies who might be able to provide you useful items or services. You may revoke your authorization; however, such revocation will not have any effect on uses or disclosures of your health information prior to our receipt of the revocation.
Is Personal Information about me secure?
Your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.
We endeavor to protect the privacy of your account and other Personal Information we hold in our records, but unfortunately, we cannot guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time. We are required by law to maintain the privacy and security of your PHI. If a breach occurs that may have compromised the privacy or security of your PHI, we will promptly inform you by a notice on the website(s) and applications, and follow any applicable laws.
We retain Personal Information about you for as long as necessary to provide you with our Services or to perform our business or commercial purposes for collecting your Personal Information. When establishing a retention period for specific categories of information, we consider who we collected the information from, our need for the Personal Information, why we collected the Personal Information, and the sensitivity of the Personal Information. In some cases we retain Personal Information for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
What Personal Information can I access?
Through your account settings or by contacting us, you may access, and, in some cases, edit or delete the following information you’ve provided to us: Name, password, home address, email address, insurance details, and other related user information.
The information you can view, update, and delete may change as the Services change. If you have any questions about viewing or updating information we have on file about you, please contact us at firstname.lastname@example.org.
Health Insurance Portability & Accountability Act
You understand that as a “health care provider”, Luna must comply with HIPAA and therefore retain data you input/upload to the platform related to (but not limited) with:
- Written or electronic record of a designation of an organization as a covered entity or business associate;
- All signed authorizations and, where applicable, written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgments;
- Medical records and billing records about individuals maintained by or for a covered healthcare provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; and
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals;
- This data may be retained by Luna as required by HIPAA even in the case that your account has been suspended, deactivated, and/or marked for deletion.
California resident rights
If you are a California resident, you have the rights set forth in this section. Note that we may process Personal Information of our customers’ end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Information as a service provider, you should contact the entity that collected your Personal Information in the first instance to address your rights with respect to such data.
You have the right to request certain information about our collection and use of your Personal Information over the past 12 months. In response, we will provide you with the following information:
- The categories of Personal Information that we have collected about you.
- The categories of sources from which that Personal Information was collected.
- The business or commercial purpose for collecting or selling your Personal Information.
- The categories of third parties with whom we have shared your Personal Information.
- The specific pieces of Personal Information that we have collected about you.
If we have disclosed your Personal Information to any third parties for a business purpose over the past 12 months, we will identify the categories of Personal Information shared with each category of third party recipient. If we have sold your Personal Information over the past 12 months, we will identify the categories of Personal Information sold to each category of third party recipient.
Deletion and correction:
You have the right to request that we delete the Personal Information that we have collected about you. Under the CPRA, this right is subject to certain exceptions: for example, we may need to retain your Personal Information to provide you with the Services or complete a transaction or other action you have requested, or if we are required to retain this data by HIPAA, or if deletion of your Personal Information involves disproportionate effort. If your deletion request is subject to one of these exceptions, we may deny your deletion request.
You have the right to request that we correct any inaccurate Personal Information we have collected about you. Under the CPRA, this right is subject to certain exceptions: for example, if we decide, based on the totality of circumstances related to your Personal Information, that such data is correct. If your correction request is subject to one of these exceptions, we may deny your request.
Personal Information sharing opt-out and opt-in:
Under the CPRA, California residents have certain rights when a business “shares” Personal Information with third parties for purposes of cross-contextual behavioral advertising. We may have shared the foregoing categories of Personal Information for the purposes of cross-contextual behavioral advertising:
- Contact data
- Device / Internet protocol data
- Web analytics data
- Geolocation data
As described above, we have incorporated Cookies from certain third parties into our Services. These Cookies allow those third parties to receive information about your activity on our Services that is associated with your browser or device. Those third parties may use that data to serve you relevant ads on our Services or on other websites you visit. Under the CPRA, sharing your data through third party Cookies for online advertising may be considered a “sale” of information. You can opt out of data selling and/or sharing by following the instructions in this section.
We may share Personal Information with the following categories of third parties:
- Advertising partners.
Over the past 12 months, we may have shared the following categories of Personal Information with the categories of third parties listed for the following purposes:
- Marketing and selling the Services.
- Showing you advertisements, including interest-based or online behavioral advertising.
You have the right to opt-out of the sharing of your Personal Information. You can opt-out using the following methods:
- You can opt-out of the sharing of your Personal Information by updating your Cookie Settings.
- You can use a Global Privacy Control or similar control that is legally recognized by a government agency or industry standard. Please note this does not include Do Not Track signals.
Once you have submitted an opt-out request, we will not ask you to reauthorize the sharing of your Personal Information for at least 12 months.
Under the CPRA, we share the Personal Information of minors under 16 years of age in a way that may be considered sharing or selling. If you are between 13 and 16 years of age, you must authorize us to share your Personal Information. If you are under 13 years of age, your parent or guardian must authorize us to share your Personal Information.
We will not discriminate against you for exercising your rights under the CPRA:
We will not discriminate against you for exercising your rights under the CPRA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CPRA. However, we may offer different tiers of our Services as allowed by applicable data privacy laws (including the CPRA) with varying prices, rates or levels of quality of the goods or services you receive related to the value of Personal Information that we receive from you.
Exercising your rights:
We will work to respond to your Valid Request within the time period required by applicable law. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.
You may submit a Valid Request using the following methods:
- You can submit a request at our Data Rights Request page.
- You can email us at email@example.com.
If you are a California resident, you may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.
Other state law privacy rights
Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Information to third parties for such third parties’ direct marketing purposes; in order to submit such a request, please contact us at firstname.lastname@example.org.
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at email@example.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not sell your Personal Information, per the definition of “sale” as defined in Nevada Revised Statutes Chapter 603A.
If you are a Virginia resident, you have the rights set forth under the Virginia Consumer Data Protection Act (“VCDPA”). Please see the information below for instructions regarding how to exercise these rights. Please note that we may process Personal Information of our customers’ end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Information as a service provider, you should contact the entity that collected your Personal Information in the first instance to address your rights with respect to such data. Additionally, please note that these rights are subject to certain conditions and exceptions under applicable law, which may permit or require us to deny your request.
Access: You have the right to request confirmation of whether or not we are processing your Personal Information and to access your Personal Information.
Correction: You have the right to correct inaccuracies in your Personal Information, to the extent such correction is appropriate in consideration of the nature of such data and our purposes of processing your Personal Information.
Portability: You have the right to request a copy of your Personal Information in a machine-readable format, to the extent technically feasible.
Deletion: You have the right to delete your Personal Information.
Opt-Out of Certain Processing Activities: You have the right to opt-out of the processing of your Personal Information for targeted advertising purposes. We process your Personal Information for targeted advertising purposes. To opt-out of our processing of Personal Information for targeted advertising purposes, please update your Cookie Settings.
We do not currently sell your Personal Information as defined under the VCDPA.
You have the right to opt-out from the processing of your Personal Information for the purposes of profiling in furtherance of decisions that produce legal or similarly significant effects to you, if applicable.
Appealing a Denial: If we refuse to take action on a request within a reasonable period of time after receiving your request in accordance with this section. In such appeal, you must (1) provide sufficient information to allow us to verify that you are the person about whom the original request pertains and to identify the original request, and (2) provide a description of the basis of your appeal. Please note that your appeal will be subject to your rights and obligations afforded to you under the VCDPA. We will respond to your appeal within 60 days of receiving your request. If we deny your appeal, you have the right to contact the Virginia Attorney General using the methods described at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint. You may appeal a decision by emailing us at: firstname.lastname@example.org.
What choices do I have?
You can always opt not to disclose information to us, but keep in mind some information may be needed to register with us or to take advantage of some of our features.
You may be able to add and/or update information as explained above. When you update information, however, we may maintain a copy of the unrevised information in our records. Some information will remain in our records after you suspend (or deactivate, or mark for deletion) use of your account as required by law. We may use any aggregated data derived from or incorporating your Personal Information after you add and/or update it, but not in a manner that would identify you personally.
What if I have questions about this policy?
If you have any questions or concerns regarding our privacy policies, please send us a detailed message to email@example.com, and we will try to resolve your questions or concerns.