Legal & Data Privacy

Cue Health Privacy Policy

Updated: October 6, 2023

About Us

Cue Health Inc. is a healthcare technology company that uses diagnostic-enabled care to empower people to live their healthiest lives. The Cue Health platform offers individuals and healthcare providers convenient and personalized access to lab-quality diagnostic tests at home and at the point-of-care, as well as on-demand telehealth consultations and treatment options for a wide range of health and wellness needs.

About this Privacy Policy

Personal data is any information that can be used to identify you (“Personal Data”). This Privacy Policy (“Policy”) describes how we process your personal data when you use our products, services, websites, mobile apps, or otherwise interact with us. We encourage you to read this Policy since it has important information.

Changes to this Privacy Policy

We will update this Policy if there is a change in our privacy practices or privacy laws. Please check this Policy regularly to understand our current practices. We will list the date of change above, next to “Last Updated” when we make changes to the Policy.

How to Contact Us

  • By email at legal@cue.me, to our Privacy Officer and Legal Department
  • By U.S. postal mail at the following address: Cue Health Inc., 4980 Carroll Canyon Rd., Suite 100, San Diego, CA 92121,
  • By telephone toll-free at 833.CUE.TEST or 833.283.8378.

When You Act on Behalf of Another Person

There may be times where you share another individual’s personal data with us. An example is where you create a profile for someone other than yourself within an account. To protect their privacy, please have their permission before you share their personal data with us.

Cue Health Concierge

The Cue Health Concierge uses artificial intelligence to help you navigate our website. We contract with a third party who provides the artificial intelligence. Cue Health Concierge will never ask for your name, email address, phone number or any identifiable data from you and you should never provide us with any identifiable data.

Cue Health Concierge is not intended to provide healthcare advice, diagnosis information, or treatment-related services and is not intended for nor directed to anyone under the age of 18.

Health Information and HIPAA

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects health information (known as Protected Health Information or PHI) if it is used by a covered entity or a business associate. Covered entities include healthcare providers, health plans, and organizations called healthcare clearing houses. Business associates work on behalf of covered entities. Cue is not a covered entity or a healthcare clearing house.

We sometimes act as a business associate to covered entities. Examples of this are when a doctor is treating you through Cue Virtual Care, or our services are offered to you as part of your employee benefit plan.

If we act as a business associate, this Policy does not apply. Instead, you should review the “HIPAA Notice of Privacy Practices” from the covered entity we act on behalf of. We will treat your health information in accordance with this Policy and privacy laws that apply to us.

Personal Data We Collect

The types of personal data we collect from you depend on how you interact with us. We collect information that helps us contact you or to provide our services to you. We also use your personal data to carry out certain business purposes.

The types of personal data we collect can fall into one or more of the following categories:

| Category | Description |
| --- | --- |
| Identifiers | Information that identifies you, like your name, address, phone numbers, or IP address. |
| Customer records | We collect and maintain your personal data in our customer records. This includes your birth date, test results, and any individuals you add to your account, and the contents of your service requests when you are a customer of Cue. We also collect any photographs, audio, or video files depending on the settings of your device. |
| Protected class and demographic information | We may collect information about your age, gender, or other demographics or protected classifications if you apply for employment with us. |
| Commercial information | We collect information about your purchases, memberships, subscriptions, payment history, and the services that you’ve shown interest in. |
| Internet or other electronic network activity information | We may collect information about your use of our websites, apps, or devices. Examples include browsing history, search history, device IDs, and browser information. We also collect Bluetooth® data and service set identifiers (which are unique identifiers that provide the name of the network you are using to connect to our services). |
| Geolocation data | We may collect the geolocation of your device if you connect with it to use our Services. This can include precise geolocation depending on the settings in your app. Precise geolocation means your location can be identified within a circle radius of 1,750 feet. |
| Audio, electronic, visual, thermal, olfactory, or similar information | We collect camera, audio, images, and video you take and submit via your mobile device’s camera and microphone. If you have a Cue Reader or other Cue hardware, we also collect information about that device, such as run time data, serial number, and status data (such as battery level), cartridge serial number, and the date and time you took a Cue test. |
| Professional or employment related information | We may collect information about your current employment and your employment history, such as your job title, employer, business contact details, and reference information if you apply for employment with us. |
| Inferences (a characteristic that can be made about you based on personal data we have about you) | We may draw inferences about you based on the categories of information described above, including about your preferences and qualifications. |
| Sensitive personal data | We also collect information that is sensitive in nature, such as information about your health (including your test results), information about your sexual orientation, race, and ethnicity, and government-issued IDs, and depending on your application or device settings, your precise geolocation which means you can be located within a circle radius of 1,750 feet or less. |

How We Collect Your Personal Data

Most personal data we collect is directly from you. Examples are when you contact us for support or provide information through the website or app. It can also happen when you use our AI chatbot, the Cue Health Concierge. We may also receive personal data from the following sources:

| Source | Description |
| --- | --- |
| From other individuals | Depending on how you use our products and services, we may receive personal data about you from other individuals or through your use via other individuals’ Cue Health App accounts. This can happen when someone is legally authorized to act on your behalf. This can also happen if you create a user profile under another individual’s Cue Health account. Other examples include employers who secure our products and services for you or when a healthcare provider uses our products and services to treat you. |
| From other businesses | We may collect personal data from other businesses. Examples include service and content providers, our affiliated companies and subsidiaries, business partners, data brokers, social media companies or other parties who interact with us. |
| Through tracking technologies | When you use our digital services (like our website or mobile app), we may automatically collect information or inferences about you. Examples include cookies and other tracking technologies. This may include information about how you use and interact with our digital services, information about your device, and internet usage information. |
| From publicly available sources | We may collect personal data about you from publicly available sources, such as public profiles and websites. |

How We Use Your Personal Data

| Purpose | Description |
| --- | --- |
| Providing our products and services | We use your personal data to deliver our products and services to you, including maintaining your profile and documents, managing your account, and delivering your test results and other products and services you request. We may pass your personal data within our company in order to provide you with services based on your request. |
| Offering support and customer service | We use your personal data to answer any questions you ask (on our customer service phone line, via email, or via the Cue Health Concierge) and address crashes or errors associated with the use of our services. |
| Communicating with you | We use your personal data to send you mail, emails, in-app notifications, and text messages to tell you about new opportunities, products, or services that we or our business partners offer. We may also communicate with you regarding updates to our services, to verify your email account, and other administrative or transactional topics. |
| Personalizing your experience | We use your personal data to remember your preferences (such as your communication preferences), save your account credentials, and deliver advertisements that are tailored to your interests or internet browsing behavior. |
| Improving our products and services | We use your personal data to improve and enhance our existing products and services by developing new products, features, and functionality. |
| Conducting research and analysis | We use your personal data to conduct research on what you like and don’t like about our services, which products are easy or difficult to use, and the ways we can make your interactions with us better. |
| Preventing fraud | We use your personal data to verify your identity when you use the Cue Health App to prevent unauthorized access. We also do this when you use Supervised Testing or Virtual Care (in limited situations and with your consent). |
| Complying with our legal obligations | We use your personal data to comply with our legal obligations, such as to maintain records and submit reports to state or federal health agencies to ensure public safety and prevent further spread or infection. |

We may also de-identify your personal data. De-identified data means the data cannot be reasonably linked to you. We will do this in accordance with HIPAA or other privacy laws we are subject to. We commit to only using the information in de-identified form and will not try to re-identify it, except as may be required or permitted by law.

We may also aggregate your personal data. This is different from de-identification. Aggregated data is information relating to a group of persons and has individual identifiers removed. Aggregated data is not reasonably linkable to an individual.

We understand that some of your information is sensitive to you. This sensitive personal data can only be used for the following business purposes: (i) performing services an average person would expect to be provided; (ii) detecting security incidents; (iii) addressing malicious, deceptive, or illegal actions; (iv) ensuring the physical safety of individuals; (v) for short-term, temporary use directly related to our current interaction with you; (vi) performing or providing internal business services; and (vii) ensuring the quality or safety of a service or device.

Sharing Your Personal Data

We may share or disclose your personal data to third parties who help us operate our business. This allows us to provide our products and services to you. We may also disclose personal data to third parties who use personal data for their own purposes. It is our policy to require these third parties to agree to conditions on how they will use your personal data as required or allowed under applicable laws and this Policy.

Depending on the purpose for disclosing, this may include:

| Third Party Category | Description |
| --- | --- |
| Service providers | Vendors and service providers help us run our business and provide services to us. It is our policy to enter contracts with these service providers to limit how they may use and disclose your personal data. |
| Healthcare providers and health plans | Healthcare providers or professionals, health plans, or other members of your healthcare team who need your personal data for the diagnosis and treatment of conditions you use our services for. |
| Employers and benefits consultants | Employers, benefit consultants, or managers who contract with us to provide you our products and services. We must provide some of your personal data to them to fulfill our contractual obligations (and to provide services to you). |
| Advertising and marketing partners | Partners that help us with advertising and marketing our products and services. Examples are placing advertisements, including ad platforms, networks, and social media platforms, partners who work with us on promotional opportunities (including co-branded products and services), and third parties whose cookies and tracking tools we use. |
| Government agencies | To report to state or federal health agencies when legally required for public safety and related reasons. An example of this may include required reporting for certain Sexually Transmitted Infections (“STIs”). Other examples include the U.S. Food and Drug Administration’s requirements to report adverse events related to our products and services. |
| Parties involved in a company transaction | To other companies in connection with a transaction involving Cue Health. Examples are if we acquire, or sell or transfer all or a portion of our business or assets including through a sale in connection with bankruptcy and other forms of corporate change. |
| Third parties for legal purposes | Examples of these parties include regulatory authorities, courts, law enforcement, government agencies, consultants, attorneys, and business partners. We may be required to or think it is in our best interest to share your personal data as required by law. Examples include responding to a legal process, or to protect our rights or the rights of others. |

Our Cookie Policy and Do Not Track Disclosures

We may collect information about your device (such as your browser type, operating system, IP address, and domain name) via cookies and other tracking technologies. Please see our Cookie Policy for more information.

Some web browsers use a “Do Not Track” (“DNT”) feature. A DNT sends a signal to websites telling them not to track your online activity and behavior. If the website recognizes the DNT, it will be blocked from collecting some types of tracking information.

Not all browsers have DNTs, and DNTs are not yet set to an industry standard. Because of this, like many other digital service providers, we do not recognize or respond to DNT signals.

How Long We Keep Your Personal Data

We keep personal data for the period necessary to provide the products and services you request and to maintain our business relationship with you. We use different criteria to help us determine how long we keep your personal data.

Some examples of the criteria we use include, but are not limited to: to improve our business so we can serve you better, to ensure the ongoing legality, safety, and security of our products and services, to comply with legal and regulatory requirements, to defend potential claims against us or as required or allowed under applicable laws.

You can learn more about retention periods by contacting us in any of the ways listed in the “Contact Us” section of this Policy.

Security Measures We Use to Safeguard Your Personal Data

We use appropriate administrative, physical, and technical safeguards to protect your personal data. We evaluate our safeguards to adapt to new threats to the confidentiality, integrity, and availability of your personal data.

Even with the safeguards we use, we cannot completely guarantee the security of your personal data. Keep your login details in a safe place. Report any suspected security violations or incidents involving personal information by contacting us at legal@cue.me or by calling us at 833.CUE.TEST (833-283-8378).

Rights Over Your Personal Data

Depending on where you live (such as in California, Colorado, or certain other U.S. states), you may have certain rights over the personal data we maintain about you.

You may exercise your rights by emailing us at support@cuehealth.com or calling us at 833.CUE.TEST (833.283.8378).

Please note that you may not be able to use or access certain features of our services if you exercise some rights.

Your rights may include the following:

| Right | Description |
| --- | --- |
| Right to know | To request information about the categories of personal data we have collected about you, the categories of sources from which we collected the personal data, the purposes for collecting, selling, or sharing the personal data, and to whom we have disclosed your personal data and why. You may also request the specific pieces of personal data we have collected about you. Some of this information may already be in your Cue account, which you can access upon signing in. |
| Right to delete | To delete personal data that we have collected from you. |
| Right to correct | To correct inaccurate personal data that we maintain about you. You can also correct your personal data by signing into your Cue account and making any necessary updates. |
| Right to opt out of sales and sharing for targeted advertising | To opt out of (i) the sale or sharing of your personal data and (ii) targeted advertising. |
| Right to opt out of profiling | To opt out of being subject to a decision based only on automated means (where there is no human involved). The decision must produce legal effects on you or must impact you significantly in a similar way for this right to apply. |
| Right of no discrimination | To not discriminate against you in any way if you exercise your rights. |
| Right to limit use and disclosure of sensitive personal data | To limit uses to certain business purposes. This does not apply where we provide you products or services you request, or as permitted or required by law. |

Right to Appeal

Certain laws may give you a right to appeal denials of your request to exercise your rights. Please email us at support@cuehealth.com and include any new information you feel should be considered. If you disagree with the outcome of the appeal, you may file a complaint directly with a privacy authority.

Right to File a Complaint Directly with a Privacy Authority

Please contact us at legal@cue.me to report any broken links.

Opting Out of Targeted Advertising

To opt out of sales and sharing for targeted advertising, you can:

  1. Click the “Unsubscribe” link at the bottom of the email you received from us, or
  2. Email us at legal@cue.me

Nevada residents: You may contact us at support@cuehealth.com to ask about your right to opt out of the sale of your personal data.

Additional Disclosures for California Residents

This section describes our general collection, use, and disclosure practices over the last 12 months. California residents are entitled to the following additional disclosures about our data processing activities:

| Category of Personal Data | Categories of Third Parties to Whom We Disclose Personal Data for a Business or Commercial Purpose | Categories of Third Parties to Whom Personal Data is Sold or Shared for Targeted Advertising |
| --- | --- | --- |
| Identifiers | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | Shared with advertising and marketing partners and not sold |
| Customer Records | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |
| Protected Class and Demographic Information | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |
| Commercial Information | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |
| Internet or other Electronic Network Activity Information | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |
| Geolocation Data | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |
| Audio, Electronic, Visual, Thermal, Olfactory (scent or smell), or Similar Information | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |
| Professional or Employment-Related Information | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |
| Inferences | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |
| Sensitive Data | Service providers; Healthcare providers and health plans; Employers and benefits consultants; Government agencies; Parties involved in a company transaction; Third parties for legal purposes | We do not sell or share for targeted advertising purposes |

Note to International Users

Our services are mainly for use within the United States and Canada. We are based in the United States and use service providers that are based in the United States. We also use service providers who can be located anywhere in the world.

This means that there may be different privacy protections than those where you are located. If this happens, we will take appropriate measures to protect your personal data in accordance with this Policy and privacy laws that apply to us.

You understand that your personal data will be processed within the US and countries where our service providers are located when you access or use our products and services or otherwise provide personal data to us.

Children’s Privacy Policy

To protect the privacy of children’s Personal Data, we follow requirements from the Children’s Online Privacy Protection Act (“COPPA”). Personal Data is defined as any information that can identify an individual. This Children’s Privacy Policy provides information about our privacy practices regarding children.

The Cue Health App is intended for adult users (18 years or older). However, parents or legal guardians can create accounts for their children. Children are not able to create accounts for themselves without involving a parent or legal guardian.

We will use reasonable efforts to quickly delete any personal data we accidentally collect from a child who does not have parent or legal guardian consent.

Parents and legal guardians can add profiles to their account including for their children and minors aged 17 or under. We collect the following personal data from parents or legal guardians about the children. This personal data allows them to manage the child’s profile, review test results, and use other Services:

  • First, middle, and last name, which may be a unique identifier or pseudonym provided at the discretion of the parent or legal guardian,
  • Relationship to the authorized account user,
  • Date of Birth,
  • State of Residence,
  • Zip Code,
  • Test results, and
  • New personal data created by the use of the Services through the Cue Health App.

Any personal data collected will not be used for any other purpose than what is communicated in this section and our Policy.

Parents consent to the collection and use of the child’s personal data. Parents are verified through our trusted privacy partner, PRIVO. To find out more about PRIVO’s adult verification and consent service, click here: https://www.privo.com/blog/what-is-verifiable-parental-consent

Personal data is retained for as long as the account is active. If a parent or legal guardian does not complete the registration and consent process, the account will not be activated, and all personal data will be deleted after 30 days. If a parent or legal guardian requests their child’s account be closed, all associated personal data will be deleted within 45 days of the request.

There are specific third parties that handle the personal data of parents, legal guardians, and children.

Click this link to learn about these third parties.

Parents and legal guardians can:

  • Refuse to participate in the Cue Health App or Services,
  • Request deletion of their child’s profile and their own Personal Information,
  • Deny further collection of the personal data of their children, and
  • Request information through us about all third parties that handle Personal Information on our behalf related to your child’s data.

We can be contacted in any of the following ways:

  • By email at legal@cue.me, to our Privacy Officer and Legal Department,
  • By U.S. postal mail at the following address: Cue Health Inc., 4980 Carroll Canyon Rd., Suite 100, San Diego, CA 92121, or
  • By telephone toll-free at 833.CUE.TEST or 833.283.8378.

Students and Schools

Cue, in its role as a vendor to educational agencies (“EA”), receives disclosures of personal data in student records from EAs. Only data that is needed for Cue to perform Services outsourced to it by the EA is disclosed to Cue. These disclosures are authorized under the Family Educational Rights and Privacy Act (“FERPA”), a federal statute that regulates the privacy of student records by EAs that receive financial assistance from the U.S. Department of Education. Cue, as a contractor to the EA, receives the disclosures as authorized by an EA’s obtaining written consent for such disclosure from a parent, legal guardian, or eligible student prior to an EA’s use of the Services.

If a parent, legal guardian, or eligible student seeks to make changes to the data within our products, parents, legal guardians, or eligible students shall follow the procedures established by the EA in accordance with FERPA. Generally, these procedures establish the right to request an amendment of the student’s education records that the parent, legal guardian, or eligible student believes is inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.

In the event of cancellation or termination of a license and/or agreement to use our products, Cue works with the EA, in accordance with the terms of the EA’s contract, to destroy all education records contained in our systems. Cue shall not knowingly retain copies of any education records received from EA once EA has directed Cue as to how such information shall be returned and/or destroyed.

We will share student data with our third-party service providers who have security, privacy, and data retention policies consistent with our policies and solely to the extent necessary for them to perform a business or technology support function for us. This may include data processing, account management or providing us with usage analytics. Cue does not sell student data. Please visit this page for more information on the third-party service providers used in the app.

EAs will have direct control of student data at all times. If a school or school district wishes to inspect, review, amend or delete data we have collected from a student, they may submit an authorized request to legal@cue.me. To protect children’s privacy and security, we will take reasonable steps to help verify the school or school district’s identity before granting access to any personal data.